3

I trying to access a SOAP server with python requests lib and I found this problem

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

Everything is right, using the same url, certificate, and header used in similar application wrote in PHP, which works fine, except by in python I didn't set SSL version, I would like to know what could be wrong in my code

header = {
    'Content-Type': 'application/soap+xml;charset=utf-8',
    'SOAPAction': '"nfeConsultaNF2"',
    'Content-length': len(requisicao)
}    
chave = "43160189823918000144550020000200401010200408"
requisicao = '<?xml version="1.0" encoding="utf-8"?><soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"><soap12:Header><nfeCabecMsg xmlns="http://www.portalfiscal.inf.br/nfe/wsdl/NfeConsulta2"><cUF>43</cUF><versaoDados>3.10</versaoDados></nfeCabecMsg></soap12:Header><soap12:Body><nfeDadosMsg xmlns="http://www.portalfiscal.inf.br/nfe/wsdl/NfeConsulta2"><consSitNFe xmlns="http://www.portalfiscal.inf.br/nfe" versao="3.10"><tpAmb>1</tpAmb><xServ>CONSULTAR</xServ><chNFe>'+chave+'</chNFe></consSitNFe></nfeDadosMsg></soap12:Body></soap12:Envelope>';

s = requests.session()
s.mount(url.web_url,Ssl3HttpAdapter())

response = s.post(
    "https://nfe.sefazrs.rs.gov.br/ws/NfeConsulta/NfeConsulta2.asmx",
    data=requisicao,
    headers=header,
    cert=("C:\\xampp\htdocs\consultar\cert.pem","C:\\xampp\htdocs\consultar\priv.pem")
)

Ssl3Adapter is defined by this class

class Ssl3HttpAdapter(HTTPAdapter):
""""Transport adapter" that allows us to use SSLv3."""

def init_poolmanager(self, connections, maxsize, block=False):
    self.poolmanager = PoolManager(num_pools=connections,
                                   maxsize=maxsize,
                                   block=block,
                                   ssl_version=ssl.PROTOCOL_SSLv3)

Any advise? ps. I cannot provide my certificate

Improve this question
2
  • Is there a reason you have to use SSLv3? If it's not an absolute requirement, you should move to TLS, as SSLv3 is no longer considered secure. And this may be causing your problem as well. See disablessl3.com for information on why you shouldn't use SSLv3. Commented Jan 21, 2016 at 17:44
  • The main reason it's needed for this web service, at least in PHP I cannot consume it without define curl_setopt($oCurl, CURLOPT_SSLVERSION, 3); I believe I have to do it in python too... and without this adapter I have the same error Commented Jan 21, 2016 at 17:48

1 Answer 1

Reset to default
1

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

The certificate can not be verified by python and it can not be verified by others, as you can see in this report from SSLLabs.

PHP, which works fine, ..

Either the certificate or its issuer where explicitly trusted by PHP or you are using an older version of PHP which simply does not verify the certificate by default and thus the verification will not fail.

ssl_version=ssl.PROTOCOL_SSLv3)

This server is actually supporting TLS 1.0 (but not TLS 1.1 or TLS 1.2) as you can see from the report by SSLLabs. Thus there should be no need to restrict the version to SSL 3.0.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I got it, but is possible be something wrong with my .pem files? How can I set my certificate for do the request if python cant verify it?
@MatheusHernandes: The verify error has nothing to do with the (client) certificate you specify but with the verification of the servers certificate. See docs.python-requests.org/en/latest/user/advanced/… for how to add a CA or certificate as trusted.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.