6

I use Python's urllib2.urlopen for talking with HTTPS servers, but I now learned on the documentation that "HTTPS requests [using urllib2.urlopen] do not do any verification of the server’s certificate."

This is a big problem for me, because it leaves my servers open to a MITM attack.

I want a drop-in replacement for urllib2.urlopen that does cert-verification, so I could bundle it with my code and replace all calls to urllib2.urlopen with calls to the modified urlopen function.

Because this is a security issue, I much prefer battle-tested security-audited code rather than some random recipe from the internet.

Ram Rachum
  • 84,019
  • 84
  • 236
  • 374

3 Answers3

2

The situation changed, fortunately. Certificate verification is by default enabled from Python 2.7.9 / 3.4.3 on. See https://www.python.org/dev/peps/pep-0476/ for further details.

Dr. Jan-Philip Gehrcke
  • 33,287
  • 14
  • 85
  • 130
1

Have a look at http://pycurl.sourceforge.net/. It uses libcurl which is certainly mature and well tested.

It isn't a "drop in" replacement though. The api is different.

Edit better still, look at the question linked to by @Sven in his comment (which also suggests pycurl as an option).

Rob Cowie
  • 22,259
  • 6
  • 62
  • 56
1

You might be interested in this library, although it's not a drop-in replacement. It uses ssl or OpenSSL, depending on the version of Python you're using, and httplib.

Bruno
  • 119,590
  • 31
  • 270
  • 376