Why does Python requests ignore the verify parameter?

by

Certificate validation did not fail, so the verify argument doesn’t apply here. What failed is the cipher negotiation; none of the ciphers requests is willing to use match those the server is willing to use.

If you run your curl command with the -v switch you’ll see what cipher suite was negotiated by curl for the successful connection:

$ curl -v -I https://service.isracard.co.il/I_logon.jsp
* Hostname was NOT found in DNS cache
*   Trying 192.118.12.8...
* Connected to service.isracard.co.il (192.118.12.8) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_RC4_128_SHA
[ .... ]

That’s the RC4-SHA cipher, which has some rather troublesome securty issues and should not really be used; it offers no forward secrecy for example. The urllib3 package (bundled with requests) by default excludes that cipher from the default ciphers. You can add it back with:

import requests

requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':RC4-SHA'
try:
    requests.packages.urllib3.contrib.pyopenssl.DEFAULT_SSL_CIPHER_LIST += ':RC4-SHA'
except AttributeError:
    # no pyopenssl support used / needed / available
    pass

and your request works:

>>> import requests
>>> requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':RC4-SHA'
>>> requests.get('https://service.isracard.co.il/I_logon.jsp')
<Response [200]>

I didn’t install the pyOpenSSL package so I didn’t bother with the try..except guarded part.

More Related Contents:

  1. How to generate a self-signed SSL certificate using OpenSSL?
  2. Installation SSL in wamp server: Error in httpd-ssl.conf
  3. Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
  4. How can I generate a self-signed certificate with SubjectAltName using OpenSSL? [closed]
  5. using requests with TLS doesn’t give SNI support
  6. Docker container SSL certificates
  7. Python requests SSL error – certificate verify failed
  8. How do I restore a missing IIS Express SSL Certificate?
  9. Third-Party Signed SSL Certificate for localhost or 127.0.0.1?
  10. Use self signed certificate with cURL?
  11. Python Requests getting SSLerror
  12. How to install OpenSSL in windows 10?
  13. SSL error with Python requests despite up-to-date dependencies
  14. How to add subject alernative name to ssl certs?
  15. Difference between self-signed CA and self-signed certificate [closed]
  16. curl: Unknown error (0x80092012) – The revocation function was unable to check revocation for the certificate
  17. Generating client side certificates in browser and signing on server
  18. Are HTTPS URLs encrypted?
  19. How to fix the “java.security.cert.CertificateException: No subject alternative names present” error?
  20. Requests (Caused by SSLError(“Can’t connect to HTTPS URL because the SSL module is not available.”) Error in PyCharm requesting website
  21. How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?
  22. Within a web browser, is it possible for JavaScript to obtain information about the HTTPS Certificate being used for the current page?
  23. How to get around python requests SSL and proxy error?
  24. Webpack Dev Server running on HTTPS/Web Sockets Secure
  25. Two-way SSL clarification
  26. Programmatically Configure SSL for Jetty 9 embedded
  27. SSL Certificate add failed when binding to port
  28. How to connect to database with SSL in google apps script?
  29. What is CA certificate, and why do we need it?
  30. Using SSL and SslStream for peer to peer authentication?

Leave a Comment