When making HTTP requests in Python using the Requests library, SSL certificate verification is enabled by default for HTTPS requests. However, there might be situations where you need to control the verification process or provide a custom certificate. Here's how you can manage SSL certificate verification with the Requests library:
Verifying SSL Certificates
By default, whenever you make a request to a secure (HTTPS) website, Requests will check the SSL certificate returned by the server against a set of trusted CA certificates to ensure authenticity:
import requests
response = requests.get('https://example.com')
In the snippet above, if the SSL certificate cannot be verified or is invalid, Requests will raise an SSLError.
Disabling SSL Certificate Verification
To turn off SSL verification, you can set the verify parameter to False. However, doing this is strongly discouraged as it makes the request vulnerable to man-in-the-middle attacks:
import requests
response = requests.get('https://example.com', verify=False)
Using a Custom CA Bundle
If you need to verify against a custom set of certificates, you can provide the path to a CA bundle file using the verify parameter:
import requests
response = requests.get('https://example.com', verify='/path/to/custom/cabundle.pem')
Custom Client Certificates
There may also be cases where the server requires a client certificate for mutual SSL authentication. You can provide your client certificate with the cert parameter:
import requests
response = requests.get('https://example.com', cert=('/path/to/client.cert', '/path/to/client.key'))
Here, client.cert is the path to the client certificate, and client.key is the path to the private key.
Troubleshooting SSL Errors
If you encounter SSL-related errors, here are a few steps you may consider:
- Make sure the server's SSL certificate is valid and trusted by a CA in the default Requests CA bundle or your provided CA bundle.
- Ensure that the system time and date are correct. SSL certificate validation can fail if your system's clock is significantly off.
- Verify that you are using the latest version of Requests and its dependencies (like
certifi) to have an up-to-date list of CA certificates.
Summary
- SSL verification is on by default in Requests.
- Turning off SSL verification is not recommended due to security concerns.
- You can provide a custom CA bundle or client certificates if necessary.
Remember, always exercise caution when dealing with SSL certificates and only disable verification or use custom certificates when you fully understand the security implications.
