I'm using requests to access a RESTful API. Everything seems to work. I can authenticate, pull back a session token and even unit test the methods in my class I wrote for the API. Then I tried to run my code.
First, here is the call I'm making. The headers are static session-related items that get set in init(). The body is build dynamically from data in a file and passed in to this function. All of the data is valid.
response = requests.post(url, headers=(Requestheader), data=json.dumps((Requestbody)))
When I run the code, it updates well over 100 records with the metadata I supply. Somewhere around item 150 I get the following:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: self signed certificate in certificate
chain (_ssl.c:1045)
My first step was to call the vendor and find out if ALL of their web servers had properly signed certs figuring they were load balancing me and I found a misconfigured server. They tell me this is not the case.
Then I Googled the message and found that there is a verify kwarg, so I tried:
response = requests.post(url, headers=Requestheader, data=json.dumps(Requestbody), verify=False)
I know this isn't ideal long-term, but I wanted to test it to see if The behavior is the same. It did the same thing. It ran for a while and threw the ssl error. I thought the idea of verify=False is that it wouldn't check.
The vendor suggested I check the url I'm using, but it's fine. I would think if there were a proxy server or real man-in-the-middle attack causing problems I wouldn't see success so many times before a failure. I thought maybe it is a session timeout, but that should throw a 401 status and my activity level is too high for an inactivity timeout.
I'm a python noob and not a security professional. Suggestions appreciated.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…