PKI Tutorials - Herong's Tutorial Examples - v2.34, by Herong Yang
Modifying SSL Parameters in Python
This section provides a tutorial example on using the ssl module to modify HTTPS connection parameters.
If you want to control how an HTTPS connection gets created, you need to use the ssl module, which wraps the OpenSSL library to provide TLS/SSL services.
There are 3 steps to modify the SSL parameters of an HTTPS connection using the ssl and http.client modules:
Here is my example Python script showing you how to modify SSL parameters:
#- http-client-SSL-parameters.py
#- Copyright (c) 2025 HerongYang.com. All Rights Reserved.
import sys
host = sys.argv[1]   # remote host name
cert = sys.argv[2]   # root CA certificate file
check = sys.argv[3]  # "true" to verify the server, anything else to skip

import ssl
context = ssl.create_default_context()
context.load_verify_locations(cafile=cert)
if (check.lower()=="true"):
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
else:
    # check_hostname must be turned off before CERT_NONE can be set
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE

import http.client
conn = http.client.HTTPSConnection(host, context=context)
conn.request("GET", "/")
res = conn.getresponse()
print(res.headers)
content = res.read(64)  # first 64 bytes of the response body
print(content)
conn.close()
This script shows you how to modify 3 SSL parameters:
This script also takes 3 arguments:
Test 1 - Make an HTTPS connection with the correct root CA certificate file.
herong$ python3 http-client-SSL-parameters.py \
  www.google.com /private/etc/ssl/cert.pem true
Date: Sat, 02 May 2026 00:34:09 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri ...
Accept-CH: Sec-CH-Prefers-Color-Scheme
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: __Secure-STRP=AEEP7gL0a5p8tl7r2F36zZkFzdbUaZJgq2bJvTdKx...
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

b'<!doctype html><html itemscope="" itemtype="http://schema.org/We'
As you can see from the output, my Python script successfully connected to the Google HTTPS server without any errors.
Test 2 - Make an HTTPS connection with a fake root CA certificate file.
herong$ openssl x509 -in herongyang_com.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 646274 (0x9dc82)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert ...
        Validity
            Not Before: Feb 27 17:49:27 2011 GMT
            Not After : Aug 26 17:49:27 2011 GMT
        Subject: CN=herongyang.com
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
                DSA Public Key:
...
herong$ python3 http-client-SSL-parameters.py \
  www.google.com herongyang_com.crt true
Traceback (most recent call last):
  File "http-client-HTTPS-test.py", line 23, in <module>
    conn.request("GET", "/")
  File ".../python3.8/http/client.py", line 1230, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File ".../python3.8/http/client.py", line 1276, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File ".../python3.8/http/client.py", line 1225, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File ".../python3.8/http/client.py", line 1004, in _send_output
    self.send(msg)
  File ".../python3.8/http/client.py", line 944, in send
    self.connect()
  File ".../python3.8/http/client.py", line 1399, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File ".../python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File ".../python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File ".../python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]
  certificate verify failed: unable to get local issuer certificate
  (_ssl.c:1108)
As you can see from the error message, my Python script could not find any root CA certificate to verify the remote server's certificate.
Test 3 - Make an HTTPS connection without remote host name verification:
herong$ python3 http-client-SSL-parameters.py \
  www.google.com /private/etc/ssl/cert.pem false
Date: Sat, 02 May 2026 11:43:42 GMT
Expires: -1
...
b'<!doctype html><html itemscope="" itemtype="http://schema.org/We'
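As you can see from the output, my Python script successfully connected to the Google HTTPS server without validating the remote host name. Because the script also sets verify_mode to ssl.CERT_NONE in this case, the server's certificate chain was not verified either.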
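The following is an added example, not part of the original tutorial script. It rebuilds the two branches of the script offline and reports which checks each resulting context skips. It also shows why the else branch has to clear check_hostname before setting CERT_NONE. The helper names build_context, audit, reversed_order_error and reenable_hostname_check are hypothetical.

```python
import ssl

def build_context(verify, cafile=None):
    """Mirror the script's if/else: verify=False is its 'false' branch."""
    context = ssl.create_default_context(cafile=cafile)
    if verify:
        context.check_hostname = True
        context.verify_mode = ssl.CERT_REQUIRED
    else:
        # check_hostname must be switched off before CERT_NONE is accepted.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    return context

def audit(context):
    """Return the checks this context will skip during the handshake."""
    skipped = []
    if context.verify_mode == ssl.CERT_NONE:
        skipped.append("certificate chain")
    if not context.check_hostname:
        skipped.append("host name")
    return skipped

def reversed_order_error():
    """Set CERT_NONE while check_hostname is still on; return the error text."""
    context = ssl.create_default_context()
    try:
        context.verify_mode = ssl.CERT_NONE
    except ValueError as exc:
        return str(exc)
    return None

def reenable_hostname_check(context):
    """Turn host name checking back on and report the resulting verify_mode."""
    # On Python 3.7+ this also raises verify_mode from CERT_NONE to CERT_REQUIRED.
    context.check_hostname = True
    return context.verify_mode

if __name__ == "__main__":
    print("true branch skips :", audit(build_context(True)))
    print("false branch skips:", audit(build_context(False)))
    print("reversed order    :", reversed_order_error())
    print("after re-enabling :", reenable_hostname_check(build_context(False)).name)
```

Running audit() on any context before it is passed to http.client.HTTPSConnection is a quick way to catch a verification-disabled configuration in code review or tests.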
Visit https://docs.python.org/3/library/ssl.html for more details on the ssl module.