Obtain Ceritificate Information from Invalid or Self-Signed Certificate in Python

dieter dieter at handshake.de
Tue Apr 4 01:23:33 EDT 2017

Kenneth Buckler <kenneth.buckler at gmail.com> writes:
> I'm working on a Python 2.7.13 (Win x64) script to verify SSL certificates,
> and alert for problems. Specifically, I'm looking to return the date the
> cert expires or did expire. However, I'm running into an issue where the
> script will return information only if the certificate is valid.

You may need to tell the Python socket library that you are
ready to accept any certificate - even expired ones.

I see below, that you already have tried that
("conn._https_verify_certificates(enable=False)") but it failed.
The reason: "_https_verify_certificates" is a function of the "ssl"
module, not a method of "SSLSocket" instances.
It is used to switch (globally) the behavior for verifying certificates,
not locally for a specific "SSLSocket".

Given the architecture of the "ssl" module (with the component
classes "socket", "SSLContext" and "SSLSocket"), the most likely
place to control the certificate verification is the "SSLContext".
And indeed, it has an attribute "verify_mode" to control this behaviour.

Likely, there is an alternative to disable certificate
verification in your case: the "ssl" module has the function
"get_server_certificate"; you could try to perform a normal
ssl connection and if this fails due to certificate problems,
you could fetch the certificate with the above function and analyse it.

> ...
> Per https://docs.python.org/2/library/ssl.html I tried to use
> conn._https_verify_certificates(enable=False) to disable certificate
> validation, but get an error that the attribute _https_verify_certificates
> doesn't exist.
> ...

More information about the Python-list mailing list