python - Python SSL : CERTIFICATE_VERIFY_FAILED的系统级解决方案

Question

我们公司的 IT 安全团队使用中间证书 (ZScaler) 来验证 SSL 流量。这会导致任何使用 SSL 的实用程序或 API 包装器出现问题，例如httplib2、请求等

我找到了我的代码调用模块的解决方案，例如ssl_verify=False 等等，但问题是当在其他人代码的深处调用这些库时。

例如:

service = googleapiclient.discovery.build('vision', 'v1')

它抛出的错误:

---------------------------------------------------------------------------
SSLHandshakeError                         Traceback (most recent call last)
<ipython-input-4-70a8fbe53fc9> in <module>()
----> 1 service = googleapiclient.discovery.build('vision', 'v1')

/usr/local/anaconda/lib/python2.7/site-packages/oauth2client/_helpers.pyc in positional_wrapper(*args, **kwargs)
    131                 elif positional_parameters_enforcement == POSITIONAL_WARNING:
    132                     logger.warning(message)
--> 133             return wrapped(*args, **kwargs)
    134         return positional_wrapper
    135 

/usr/local/anaconda/lib/python2.7/site-packages/googleapiclient/discovery.pyc in build(serviceName, version, http, discoveryServiceUrl, developerKey, model, requestBuilder, credentials, cache_discovery, cache)
    226     try:
    227       content = _retrieve_discovery_doc(
--> 228         requested_url, discovery_http, cache_discovery, cache)
    229       return build_from_document(content, base=discovery_url, http=http,
    230           developerKey=developerKey, model=model, requestBuilder=requestBuilder,

/usr/local/anaconda/lib/python2.7/site-packages/googleapiclient/discovery.pyc in _retrieve_discovery_doc(url, http, cache_discovery, cache)
    273   logger.info('URL being requested: GET %s', actual_url)
    274 
--> 275   resp, content = http.request(actual_url)
    276 
    277   if resp.status >= 400:

/usr/local/anaconda/lib/python2.7/site-packages/httplib2/__init__.pyc in request(self, uri, method, body, headers, redirections, connection_type)
   1657                     content = ""
   1658                 else:
-> 1659                     (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
   1660         except Exception, e:
   1661             if self.force_exception_to_status_code:

/usr/local/anaconda/lib/python2.7/site-packages/httplib2/__init__.pyc in _request(self, conn, host, absolute_uri, request_uri, method, body, headers, redirections, cachekey)
   1397             auth.request(method, request_uri, headers, body)
   1398 
-> 1399         (response, content) = self._conn_request(conn, request_uri, method, body, headers)
   1400 
   1401         if auth:

/usr/local/anaconda/lib/python2.7/site-packages/httplib2/__init__.pyc in _conn_request(self, conn, request_uri, method, body, headers)
   1317             try:
   1318                 if hasattr(conn, 'sock') and conn.sock is None:
-> 1319                     conn.connect()
   1320                 conn.request(method, request_uri, body, headers)
   1321             except socket.timeout:

/usr/local/anaconda/lib/python2.7/site-packages/httplib2/__init__.pyc in connect(self)
   1090                 # something else (such as SSL protocol mismatch).
   1091                 if getattr(e, 'errno', None) == ssl.SSL_ERROR_SSL:
-> 1092                     raise SSLHandshakeError(e)
   1093                 else:
   1094                     raise

SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

是否有针对此类问题的系统范围或全局修复程序？

Answer 1

在构建 http 对象时，您是否尝试过指向您的公司/zscaler 证书？

查看此答案:https://stackoverflow.com/a/27856913

看起来 oauth2client 是导致错误的导入模块。

您需要在您使用的 oauth2client 函数中传递位置参数“http”。

例如，如果您使用 oauth2client.tools.run_flow，则需要构建您的 http 对象并将其作为参数传递给此函数:

http = httplib2.Http(disable_ssl_certificate_validation=True)
tools.run_flow(flow, store, flags, http=http)