Today I faced one interesting issue.
I'm using the foursquare recommended python library httplib2, which raises

    SSLHandshakeError(SSLError(1, '_ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'),)

    response, body = h.request(url, method, headers=headers, body=data)
If you know that the site you're trying to get is a "good guy", you can try creating your "opener" like this:
    import httplib2

    if __name__ == "__main__":
        # Certificate validation is switched off for this Http object only.
        h = httplib2.Http(".cache", disable_ssl_certificate_validation=True)
        resp, content = h.request("https://site/whose/certificate/is/bad/", "GET")
(the interesting part is
Seeing how this answer has been visited by more people than I expected, I'd like to explain a bit when disabling certificate validation would be useful.
First, a bit of light background on how these certificates work (there's quite a lot of information in the links provided above, but here it goes, anyway)
The SSL certificates need to be verified by a well known (at least, well known to your browser) Certificate Authority. You usually buy the whole certificate from one of those authorities (Symantec, GoDaddy...). Broadly speaking, the idea is: Those Certificate Authorities (CA) give you a certificate that also contains the CA information in it. Your browsers have a list of well known CAs, so when your browser receives a certificate, it can do something like "HmmmMMMmmm.... [the browser makes a suspicious face here] ... I received a certificate, and it says it's verified by Symantec. Do I know that "Symantec" guy? [the browser then goes to its list of well known CAs and checks for Symantec] Oh, yeah! I do. Ok, the certificate is good!"
You can see it yourself if you click on the little lock by the URL in your browser:
However, there are cases in which you just want to test the HTTPS, and you create your own Certificate Authority using a couple command line tools and you use that "custom" CA to sign a "custom" certificate that you just generated as well, right? In that case, your browser (which in this case is httplib) is not going to have your "custom" CA among the list of trusted CAs, so it's going to say that the certificate is invalid. The information is still going to travel encrypted, but what the browser is telling you is that it doesn't fully trust that it is traveling encrypted to the place you are supposing it's going.
Also, certificates expire. There's a chance you are working in a company which uses an internal site with SSL encryption. It works ok for a year, and then your browser starts complaining. You go to the person that is in charge of the security, and ask "Yo!! I get this warning here! What's happening?" And the answer could very well be "Oh boy!! I forgot to renew the certificate! It's ok, just accept it from now, until I fix that." (true story, although there were swearwords in the answer I received :-D )
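A check for finding where the `disable_ssl_certificate_validation` flag from the snippet above is set in a code base, so a workaround meant for a test certificate can be located and removed once the certificate is fixed. This is an added example, not part of the original answer; the function names and the sample source (including the `internal-ca.pem` file name and `SKIP_VERIFY` variable) are constructed for illustration.

```python
import ast

FLAG = "disable_ssl_certificate_validation"  # keyword from the snippet above

# Constructed sample input: four ways the flag can end up set, one clean call.
SAMPLE = '''\
import httplib2
h1 = httplib2.Http(".cache", disable_ssl_certificate_validation=True)
h2 = httplib2.Http(".cache", ca_certs="internal-ca.pem")
h3 = httplib2.Http(disable_ssl_certificate_validation=SKIP_VERIFY)
h4 = httplib2.Http(**{"disable_ssl_certificate_validation": True})
h2.disable_ssl_certificate_validation = True
'''


def _status(value):
    # A literal can be judged statically; anything else is decided at run time.
    # "disabled" / "enabled" describe certificate validation, not the flag.
    if isinstance(value, ast.Constant):
        return "disabled" if value.value else "enabled"
    return "dynamic"


def find_validation_overrides(source, filename="<string>"):
    """Return sorted (line, status) pairs for every place the flag is set."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == FLAG:  # Http(..., flag=X)
                    findings.append((node.lineno, _status(kw.value)))
                elif kw.arg is None and isinstance(kw.value, ast.Dict):
                    # Http(**{"flag": X}) hides the keyword in a dict literal.
                    for key, val in zip(kw.value.keys, kw.value.values):
                        if isinstance(key, ast.Constant) and key.value == FLAG:
                            findings.append((node.lineno, _status(val)))
        elif isinstance(node, ast.Assign):  # obj.flag = X after construction
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == FLAG:
                    findings.append((node.lineno, _status(node.value)))
    return sorted(findings)


if __name__ == "__main__":
    for line, status in find_validation_overrides(SAMPLE):
        print(f"line {line}: certificate validation {status}")
```

A "dynamic" finding means the value comes from a variable or expression, so the place that variable is assigned needs a manual look.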