pycurl and SSL cert

It happened to me using python 3 in windows, getting this error :

(60, 'SSL certificate problem: unable to get local issuer certificate')

The final two solutions :

1 - adding a certificate, curl.setopt(pycurl.CAINFO, "c:\certs\ssl.cert")

OR

2 - ignoring the ssl verification using :
curl.setopt(pycurl.SSL_VERIFYPEER, 0)
curl.setopt(pycurl.SSL_VERIFYHOST, 0)

@ for all python users in windows.


Have you read the cURL documentation about SSL certificates? This seems to directly address your question...in particular, item 2:

 2. Get a CA certificate that can verify the remote server and use the proper
    option to point out this CA cert for verification when connecting. For
    libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);

It looks like the pycurl module contains the CAPATH option, so this should be simple to implement in your code.


You are right, the way you are doing it subjects you to a man-in-the-middle attack, especially in light of the most recent SSL vulnerabilities. You can resolve it as follows:

import pycurl
curl = pycurl.Curl()
curl.setopt(pycurl.URL, "https://your-secure-website.com/")
curl.setopt(pycurl.SSL_VERIFYPEER, 1)
curl.setopt(pycurl.SSL_VERIFYHOST, 2)
curl.setopt(pycurl.CAINFO, "/path/to/updated-certificate-chain.crt")
curl.perform()

curl by default comes with an outdated certificate list. Whether you want to update it or just use your own certs for testing, make sure to place the updated-certificate-chain.crt file in an accessible location and use the pycurl.CAINFO option to point to it.

Also make sure pycurl.SSL_VERIFYHOST is set to 2, the highest security check setting.

Tags:

Python

Ssl

Pycurl