
SSL

When making a request over HTTPS, HTTPX needs to verify the identity of the requested host. To do this, it uses a bundle of SSL certificates (a.k.a. CA bundle) delivered by a trusted certificate authority (CA).

Enabling and disabling verification

By default httpx will verify HTTPS connections, and raise an error for invalid SSL cases...

>>> httpx.get("https://expired.badssl.com/")
httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:997)

You can disable SSL verification completely and allow insecure requests. With verify=False neither the certificate chain nor the hostname is checked, so the server is not authenticated...

>>> httpx.get("https://expired.badssl.com/", verify=False)
<Response [200 OK]>

Configuring client instances

If you're using a Client() instance you should pass any verify=<...> configuration when instantiating the client.

By default the certifi CA bundle is used for SSL verification.

For more complex configurations you can pass an SSL Context instance...

import certifi
import httpx
import ssl

# This SSL context is equivalent to the default `verify=True`.
ctx = ssl.create_default_context(cafile=certifi.where())
client = httpx.Client(verify=ctx)

Using the truststore package to support system certificate stores...

import ssl
import truststore
import httpx

# Use system certificate stores.
ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
client = httpx.Client(verify=ctx)

Loading an alternative certificate verification store using the standard SSL context API...

import httpx
import ssl

# Use an explicitly configured certificate store.
ctx = ssl.create_default_context(cafile="path/to/certs.pem")  # Either cafile or capath.
client = httpx.Client(verify=ctx)

Client side certificates

Client side certificates allow a remote server to verify the client. They tend to be used within private organizations to authenticate requests to remote servers.

You can specify client-side certificates, using the .load_cert_chain() API...

import httpx
import ssl

ctx = ssl.create_default_context()
ctx.load_cert_chain(certfile="path/to/client.pem")  # Optionally also keyfile or password.
client = httpx.Client(verify=ctx)

Working with SSL_CERT_FILE and SSL_CERT_DIR

Unlike requests, the httpx package does not automatically pull in the environment variables SSL_CERT_FILE or SSL_CERT_DIR. If you want to use these they need to be enabled explicitly.

For example...

import os
import ssl

import certifi
import httpx

# Use `SSL_CERT_FILE` or `SSL_CERT_DIR` if configured.
# Otherwise default to certifi.
ctx = ssl.create_default_context(
    cafile=os.environ.get("SSL_CERT_FILE", certifi.where()),
    capath=os.environ.get("SSL_CERT_DIR"),
)
client = httpx.Client(verify=ctx)
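
The explicit opt-in above, as an added example that is not part of the HTTPX documentation: it treats empty variables as unset, checks the configured paths up front, and reports whether a context is weaker than the default `verify=True`. The names `context_from_env` and `verification_problems` are hypothetical; only the standard library is used, and the returned context is meant to be passed as `httpx.Client(verify=ctx)`.

```python
import os
import ssl


def context_from_env(environ=os.environ, default_cafile=None):
    """Build a verifying SSLContext from SSL_CERT_FILE / SSL_CERT_DIR.

    Returns (ctx, source), where source names the trust store that was used.
    default_cafile is the fallback bundle (assumption: the caller passes
    something like certifi.where(); None means the system store).
    """
    # Treat empty strings as unset. ssl.create_default_context() ignores
    # cafile="" and loads the system store instead, which is easy to miss.
    cafile = environ.get("SSL_CERT_FILE") or None
    capath = environ.get("SSL_CERT_DIR") or None

    # Check both paths up front so a typo is reported here, with the
    # variable named in the error.
    if cafile and not os.path.isfile(cafile):
        raise FileNotFoundError(f"SSL_CERT_FILE does not exist: {cafile}")
    if capath and not os.path.isdir(capath):
        raise NotADirectoryError(f"SSL_CERT_DIR is not a directory: {capath}")

    if cafile or capath:
        source = "env"
    elif default_cafile:
        cafile, source = default_cafile, "default_cafile"
    else:
        source = "system"
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    return ctx, source


def verification_problems(ctx):
    """List the ways ctx is weaker than a default verifying context."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked")
    return problems
```

Logging `source` at start-up makes it visible which trust store a deployment actually ended up with.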

Making HTTPS requests to a local server

When making requests to local servers, such as a development server running on localhost, you will typically be using unencrypted HTTP connections.

If you do need to make HTTPS connections to a local server, for example to test an HTTPS-only service, you will need to create and use your own certificates. Here's one way to do it...

  1. Use trustme to generate a pair of server key/cert files, and a client cert file.

  2. Pass the server key/cert files when starting your local server. (This depends on the particular web server you're using. For example, Uvicorn provides the --ssl-keyfile and --ssl-certfile options.)

  3. Configure httpx to use the certificates stored in client.pem.

import httpx
import ssl
ctx = ssl.create_default_context(cafile="client.pem")
client = httpx.Client(verify=ctx)