Drop-in replacement for `urllib2.urlopen` that does cert verification
Asked Answered
G

3

6

I use Python's urllib2.urlopen for talking with HTTPS servers, but I now learned on the documentation that "HTTPS requests [using urllib2.urlopen] do not do any verification of the server’s certificate."

This is a big problem for me, because it leaves my servers open to a MITM attack.

I want a drop-in replacement for urllib2.urlopen that does cert-verification, so I could bundle it with my code and replace all calls to urllib2.urlopen with calls to the modified urlopen function.

Because this is a security issue, I much prefer battle-tested security-audited code rather than some random recipe from the internet.

Glomerulus answered 29/5, 2011 at 10:18 Comment(4)
possible duplicate of Validate SSL certificates with PythonBanjo
The above linked-to question has a drop-in urllib2 component in one of the answers.Rounce
urllib2_ssl.py allows you to enable cert verification for urllib2.urlopen()Backbite
Cert verification is performed from Python 2.7.9 / 3.4.3 on, by default. See python.org/dev/peps/pep-0476Mali
M
2

The situation changed, fortunately. Certificate verification is by default enabled from Python 2.7.9 / 3.4.3 on. See https://www.python.org/dev/peps/pep-0476/ for further details.

Mali answered 4/2, 2015 at 15:52 Comment(0)
G
1

Have a look at http://pycurl.sourceforge.net/. It uses libcurl which is certainly mature and well tested.

It isn't a "drop in" replacement though. The api is different.

Edit better still, look at the question linked to by @Sven in his comment (which also suggests pycurl as an option).

Gobbledygook answered 29/5, 2011 at 10:25 Comment(0)
H
1

You might be interested in this library, although it's not a drop-in replacement. It uses ssl or OpenSSL, depending on the version of Python you're using, and httplib.

Highborn answered 29/5, 2011 at 11:31 Comment(1)
httpclient looks great. Definitely worth a lookGobbledygook

© 2022 - 2024 — McMap. All rights reserved.