Python Requests: Disable SSL validation

Introduction

In this tutorial we will learn how to disable SSL validation using Python Requests library.

SSL validation is of extreme importance due to security reasons and it should be done in real application scenarios. Nonetheless, during the developments, it is very common that we want to send requests against a testing server that might have a self a signed certificate. Thus, it is useful to be able to disable this validation for such use cases.

To avoid having to setup a testing server, we will use of of the examples from the badssl website. In particular, we will do a GET request to this endpoint, that has a self signed certificate.

If you don’t have the requests library installed yet, it can be easily done using pip, just by sending the following command:

pip install requests

This tutorial was tested on Python 3.7.2 with version 2.23.0 of the Requests library.

The code

We will start by importing the requests module.

import requests

Then, to do the request, we simply need to call the request method. As first input we will pass a string with the HTTP method (“GET”) and as second input the endpoint to which we want to send the request.

Then we will pass an optional parameter called verify with the value False. This will allow to skip the SSL validation.

Note that, as output, this method returns an object of class Response, which we will store in a variable.

response = requests.request("GET", "https://self-signed.badssl.com/", verify = False)

To finalize, we will print the response from the server, which can be obtained in the text property of the Response object.

print(response.text)

The full code can be seen below.

import requests

response = requests.request("GET", "https://self-signed.badssl.com/", verify = False)
print(response.text)

For comparison, we will also do the same request without skipping the SSL validation (when not specified, the parameter verify is set to True).

import requests

response = requests.request("GET", "https://self-signed.badssl.com/")
print(response.text)

Testing the code

To test the previous code, we will start by running the example where we keep the SSL validation. I’ll be using IDLE, a Python IDE.

You can check the result in figure 1. As can be seen, an exception is thrown, indicating that the certificate is self signed.

Exception thrown by the Requests library when the request is done with SSL validation active.
Figure 1 – Exception thrown when the request is done with SSL validation enabled.

Now we will run the example where we disable the SSL validation. The result can be checked below in figure 2.

As can be seen, we can now perform the request and get the response. Note however that a warning is sent to the shell indicating that “certificate validation is strongly advised“. This helps emphasize that, in real application scenarios, such validation should be performed and thus the approach we are seeing here should only be followed for controlled testing scenarios.

Result of the request after SSL validation is disabled.
Figure 2 – Result of the request after SSL validation is disabled.

Leave a Reply