python - Windows 上的 Python 3.6：包括自定义 CA 文件不起作用

问题描述

在 Windows 10 中使用 python 3.6 (Anaconda) 添加自定义 CA 不起作用。我做了什么：

创建了2个环境变量：

SSL_CERT_DIR=C:\_Data\Certs <-- This alone should do the trick
SSL_CERT_FILE=C:\_Data\Certs\burp

我在本地主机上运行 Burp。我已将 CA 证书导出到c:\_Data\Certs\burp. 尝试过 PEM 和 DER，两者都应该工作。

我的程序：

import aiohttp
import ssl
import asyncio

async def main():
    session = aiohttp.ClientSession()
    print(ssl.get_default_verify_paths()) # to verify that my environment variable is working
    f = open('C:\\_Data\\Certs\\burp', 'r') # To check I don't have a permission problem
    f.close()
    aiohttp_proxy = 'http://127.0.0.1:8080'
    async with session.get('https://www.whatismyip.com', proxy=aiohttp_proxy) as response:
        print(await response.text())
    await session.close()

if __name__ == "__main__":
    loop = asyncio.get_event_loop()
    loop.run_until_complete(main())

输出：

DefaultVerifyPaths(cafile='C:\\_Data\\Certs\\burp', capath='C:\\_Data\\Certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/local/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/local/ssl/certs')
Traceback (most recent call last):
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 822, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs)
  File "C:\ProgramData\Anaconda3\Lib\asyncio\base_events.py", line 802, in create_connection
    sock, protocol_factory, ssl, server_hostname)
  File "C:\ProgramData\Anaconda3\Lib\asyncio\base_events.py", line 828, in _create_connection_transport
    yield from waiter
  File "C:\ProgramData\Anaconda3\Lib\asyncio\sslproto.py", line 503, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "C:\ProgramData\Anaconda3\Lib\asyncio\sslproto.py", line 201, in feed_ssldata
    self._sslobj.do_handshake()
  File "C:\ProgramData\Anaconda3\Lib\ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:/Users/defaultuser/PycharmProjects/testproject/_test/test_cert.py", line 20, in <module>
    loop.run_until_complete(main())
  File "C:\ProgramData\Anaconda3\Lib\asyncio\base_events.py", line 466, in run_until_complete
    return future.result()
  File "C:/Users/defaultuser/PycharmProjects/testproject/_test/test_cert.py", line 14, in main
    async with session.get('https://www.whatismyip.com', proxy=aiohttp_proxy) as response:
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\client.py", line 843, in __aenter__
    self._resp = await self._coro
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\client.py", line 366, in _request
    timeout=timeout
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 445, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 754, in _create_connection
    req, traces, timeout)
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 960, in _create_proxy_connection
    req=req)
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 827, in _wrap_create_connection
    raise ClientConnectorSSLError(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host www.whatismyip.com:443 ssl:None [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)]
Unclosed client session
client_session: <aiohttp.client.ClientSession object at 0x000001C3E504F278>

Process finished with exit code 1

我通过打开 CA 文件并验证它是否与将常规浏览器指向在 localhost 上运行的代理并在访问 HTTPS 网站后验证 CA 详细信息时的相同来仔细检查 CA 文件是否正确。

为什么它不起作用？

标签： pythonsslaiohttp