pycurl and SSL cert

Question

I am trying to write a pycurl script to access a secured site (HTTPS).

c = pycurl.Curl()
c.setopt(pycurl.USERAGENT, \'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0)         


        

Answer 1

You are right, the way you are doing it subjects you to a man-in-the-middle attack, especially in light of the most recent SSL vulnerabilities. You can resolve it as follows:

import pycurl
curl = pycurl.Curl()
curl.setopt(pycurl.URL, "https://your-secure-website.com/")
curl.setopt(pycurl.SSL_VERIFYPEER, 1)
curl.setopt(pycurl.SSL_VERIFYHOST, 2)
curl.setopt(pycurl.CAINFO, "/path/to/updated-certificate-chain.crt")
curl.perform()

curl by default comes with an outdated certificate list. Whether you want to update it or just use your own certs for testing, make sure to place the updated-certificate-chain.crt file in an accessible location and use the pycurl.CAINFO option to point to it.

Also make sure pycurl.SSL_VERIFYHOST is set to 2, the highest security check setting.

Answer 2

Have you read the cURL documentation about SSL certificates? This seems to directly address your question...in particular, item 2:

 2. Get a CA certificate that can verify the remote server and use the proper
    option to point out this CA cert for verification when connecting. For
    libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);

It looks like the pycurl module contains the CAPATH option, so this should be simple to implement in your code.