m-click / requests_pkcs12

Add PKCS#12 support to the Python requests library in a clean way, without monkey patching or temporary files
ISC License
124 stars 33 forks source link

403 Forbidden error when using requests_pkcs12 to send POST request with valid certificate #54

Closed ihemnta closed 5 months ago

ihemnta commented 6 months ago

Issue Summary: I am encountering a 403 Forbidden error when attempting to send a POST request using the "requests_pkcs12" library, despite having a valid certificate and successfully receiving a 200 response when using curl request.

I am using 'requests_pkcs12' Version:-1.24

`import requests_pkcs12 cert_path = "./SSLRequests/carefi_tu_uat_p12_cert.p12" cert_password = "hello.*@101" url = "https://****.com/acquire/credit-assessment/v1/consumer-cir-cv" header = {} payload={}

response = requests_pkcs12.post( url, headers=header, data=payload, pkcs12_filename=cert_path, pkcs12_password=cert_password ) The response.__dict__ is as following:- {'_content': b'{"message":"Forbidden. You don\'t have permission to view this. Please contact your system administrator.","status_code":403,"aud":"d4a*e1f449b5968gjk68995vhj688d9d2d**0","ray_id":"8876**4a7","ip_address":"12.*.14.*","is_warp":false,"is_gateway":false,"mtls_status":"NONE"}', '_content_consumed': True, '_next': None, 'status_code': 403, 'headers': {'Date': 'Tue, 21 May 2024 18:30:17 GMT', 'Content-Type': 'application/json; charset=utf-8', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'CF-Access-Aud': 'd4a5bbbbb9d9ee1f44757*****f8d9d2dc1f68946b0', 'CF-Access-Domain': '', 'CF-RAY': '8876-BOM', 'cf-version': '1701-77418d4', 'Referrer-Policy': 'strict-origin-when-cross-origin', 'Server': 'cloudflare', 'Vary': 'Accept-Encoding', 'Content-Encoding': 'gzip'}, 'raw': <urllib3.response.HTTPResponse at 0x7f88eb53d480>, 'url': 'https://************.com/acquire/credit-assessment/v1/consumer-cir-cv', 'encoding': 'utf-8', 'history': [], 'reason': 'Forbidden', 'cookies': <RequestsCookieJar[]>, 'elapsed': datetime.timedelta(microseconds=115372), 'request': <PreparedRequest [POST]>, 'connection': <requests_pkcs12.Pkcs12Adapter at 0x7f88f06ba540>}`

asjohnston-asf commented 6 months ago

I observed a similar error after upgrading to requests v2.32.0, released yesterday. Downgrading to requests v2.31.0 resolved the issue in the short term.

https://github.com/asfadmin/grfn-ingest/issues/496

pieeri commented 6 months ago

Issue summary: When upgrading from requests v2.31.0 to v2.32.*, standard connection (GET) throws authentification error (401) when using the requests_pkcs12.Pkcs12Adapter.

Short-term fix: Pin temporarily requests to lower than v2.32.0.

Would it be possible to have some background of the potential root cause of the error, as no deprecation warning nor further available information is accessible via the Python stack trace? Many thanks!

vog commented 6 months ago

Since downgrading the requests library helps, it is very likely that this is an issue with the "requests" library and not "requests_pkcs12".

To further verify this assumption, I recommend that you create a pure-requests test case that doesn't involve requests_pkcs12 at all. This should be possible by simply converting your PKCS#12 certificates to PEM (using your PKCS#12 password), then providing this via the normal "cert=..." parameters the requests library.

If that code shows the same error, you have a good minimal test case to report an issue at the "requests" library. In that case, please drop us a note with a link to your issue opened at the "requests" project, as a comment here in this issue, because it might be helpful to others.)

ihemnta commented 6 months ago

Thanks @vog, Downgrading to requests v2.31.0 resolved my issue.