2

I need to make an HTTPS call to a server with a certificate signed by our corporate authority. How do I configure Python to trust this certificate authority?

Bruno
Brig
  • possible duplicate of [HTTPS connection Python](http://stackoverflow.com/questions/2146383/https-connection-python) – Anurag Uniyal May 03 '12 at 22:45
  • possible duplicate of [Validate SSL certificates with Python](http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python) – systempuntoout May 03 '12 at 22:45
  • This isn't how to make https/ssl but how to add a trusted authority – Brig May 07 '12 at 02:19

2 Answers

0

By default (assuming you're using httplib.HTTPSConnection), you don't have to do anything: httplib doesn't do any certificate verification (the same applies to urllib).

Of course, this is not a good thing and you should verify the server certificate. There are various solutions to this (see this question).

In short, you may have to extend httplib.HTTPConnection to turn the socket into an SSL socket via ssl.wrap_socket manually, so as to be able to insert the verification callbacks (you'll need to verify both the host name and the certificates).

Alternatively, if you're not constrained to httplib, using PycURL would certainly make this cleaner. You can configure CA_INFO (or CA_PATH) to point to your internal CA certificate. In addition, it usually doesn't come with a pre-defined list of CAs, but you can get one from here (converted from the Mozilla list) and add these certificates to the list of CAs you trust if you need it.

Bruno
0

If you're looking for sample code to solve this, here it is in PycURL:

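```python
import pycurl

curl = pycurl.Curl()
curl.setopt(pycurl.URL, "https://your-secure-website.com/")
# Verify that the server certificate chains to a trusted CA.
curl.setopt(pycurl.SSL_VERIFYPEER, 1)
# Verify that the certificate matches the host name being requested.
curl.setopt(pycurl.SSL_VERIFYHOST, 2)
# Trust the corporate CA chain (PEM file).
curl.setopt(pycurl.CAINFO, "/path/to/your-corporate-certificate-chain.crt")
curl.perform()
curl.close()
```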

Make sure to place the your-corporate-certificate-chain.crt file in an accessible location and use the pycurl.CAINFO option to point to it.

Suman
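
The same three settings (certificate verification, host name verification, a corporate CA file) can also be expressed with the Python 3 standard library's ssl and http.client modules instead of httplib or PycURL. This is an added example, not code from either answer; the function names are hypothetical and the bundle path and host are the placeholders used above.

```python
import http.client
import ssl


def corporate_tls_context(ca_bundle=None, include_system_cas=False):
    """Build a verifying client context that trusts the PEM file ca_bundle."""
    if ca_bundle is None and not include_system_cas:
        raise ValueError("no trust anchors configured")
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if include_system_cas:
        ctx.load_default_certs()  # also trust the CAs in the OS store
    if ca_bundle is not None:
        # Raises an OSError subclass on a missing or unreadable file, so a
        # wrong path fails closed instead of leaving the trust list empty.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def require_verification(ctx):
    """Reject contexts that skip the certificate or host name check."""
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        raise ValueError("context does not require a valid certificate chain")
    if not ctx.check_hostname:
        raise ValueError("context does not check the host name")
    return ctx


def fetch(host, path="/", *, context, port=443, timeout=10):
    """GET https://host:port/path and return (status, body)."""
    require_verification(context)  # checked before any socket is opened
    conn = http.client.HTTPSConnection(host, port, context=context,
                                       timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder path and host, as in the PycURL answer.
    ctx = corporate_tls_context("/path/to/your-corporate-certificate-chain.crt")
    try:
        print(fetch("your-secure-website.com", context=ctx)[0])
    except ssl.SSLCertVerificationError as exc:
        print("certificate rejected:", exc.verify_message)
```

Passing include_system_cas=True keeps the public CAs trusted alongside the corporate one; leaving it off restricts trust to the corporate chain only.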