问题
I use Python's urllib2.urlopen for talking with HTTPS servers, but I now learned on the documentation that "HTTPS requests [using urllib2.urlopen] do not do any verification of the server’s certificate."
This is a big problem for me, because it leaves my servers open to a MITM attack.
I want a drop-in replacement for urllib2.urlopen that does cert-verification, so I could bundle it with my code and replace all calls to urllib2.urlopen with calls to the modified urlopen function.
Because this is a security issue, I much prefer battle-tested security-audited code rather than some random recipe from the internet.
回答1:
The situation changed, fortunately. Certificate verification is by default enabled from Python 2.7.9 / 3.4.3 on. See https://www.python.org/dev/peps/pep-0476/ for further details.
回答2:
Have a look at http://pycurl.sourceforge.net/. It uses libcurl which is certainly mature and well tested.
It isn't a "drop in" replacement though. The api is different.
Edit better still, look at the question linked to by @Sven in his comment (which also suggests pycurl as an option).
回答3:
You might be interested in this library, although it's not a drop-in replacement. It uses ssl or OpenSSL, depending on the version of Python you're using, and httplib.
来源:https://stackoverflow.com/questions/6167148/drop-in-replacement-for-urllib2-urlopen-that-does-cert-verification