pip: SNIMissingWarning / InsecurePlatformWarning not fixable with pip 9.0 / 9.0.1

  • Pip version: 9.0 and 9.0.1
  • Python version: 2.7.6
  • Operating System: Ubuntu

Description:

For various reasons we can’t upgrade to Python 2.7.9 or higher. With pip 8.1.2, we (quite understandably) got the SNIMissingWarning / InsecurePlatformWarning errors when trying to install something. These were fixable by installing various security packages.

However, pip 9.0 and 9.0.1 are not fixed by running the same command.

What I’ve run:

The following log is from a fresh Ubuntu install, after a sudo apt-get update, a sudo apt-get upgrade, and a reboot.

ubuntu@ip-10-37-151-252:~$ python --version
Python 2.7.6
ubuntu@ip-10-37-151-252:~$ uname -a
Linux ip-10-37-151-252 3.13.0-53-generic #89-Ubuntu SMP Wed May 20 10:34:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ip-10-37-151-252:~$ wget https://bootstrap.pypa.io/get-pip.py
--2016-11-07 14:10:19--  https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io (bootstrap.pypa.io)... 151.101.32.175
Connecting to bootstrap.pypa.io (bootstrap.pypa.io)|151.101.32.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1595408 (1.5M) [text/x-python]
Saving to: ‘get-pip.py’

100%[====================================================================================================>] 1,595,408   --.-K/s   in 0.03s   

2016-11-07 14:10:19 (56.7 MB/s) - ‘get-pip.py’ saved [1595408/1595408]

ubuntu@ip-10-37-151-252:~$ sudo python get-pip.py 
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip
/tmp/tmpFhE2Zg/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
/tmp/tmpFhE2Zg/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
    100% |████████████████████████████████| 1.3MB 597kB/s 
Collecting setuptools
  Downloading setuptools-28.8.0-py2.py3-none-any.whl (472kB)
    100% |████████████████████████████████| 481kB 1.6MB/s 
Collecting wheel
  Downloading wheel-0.29.0-py2.py3-none-any.whl (66kB)
    100% |████████████████████████████████| 71kB 7.0MB/s 
Installing collected packages: pip, setuptools, wheel
Successfully installed pip-9.0.1 setuptools-28.8.0 wheel-0.29.0
/tmp/tmpFhE2Zg/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
ubuntu@ip-10-37-151-252:~$ sudo pip install aafigure
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting aafigure
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading aafigure-0.5.tar.gz (49kB)
    100% |████████████████████████████████| 51kB 3.5MB/s 
Installing collected packages: aafigure
  Running setup.py install for aafigure ... done
Successfully installed aafigure-0.5
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ubuntu@ip-10-37-151-252:~$ sudo apt-get install build-essential python-dev libffi-dev libssl-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:

[snip]

Setting up manpages-dev (3.54-1ubuntu1) ...
Setting up python2.7-dev (2.7.6-8ubuntu0.2) ...
Setting up python-dev (2.7.5-5ubuntu3) ...
Setting up libffi-dev:amd64 (3.1~rc1+r3.0.13-12ubuntu0.1) ...
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...
ubuntu@ip-10-37-151-252:~$ sudo pip install urllib3[secure] pyOpenSSL cryptography idna certifi ndg-httpsclient pyasn1
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied: urllib3[secure] in /usr/lib/python2.7/dist-packages
  urllib3 1.7.1 does not provide the extra 'secure'
Requirement already satisfied: pyOpenSSL in /usr/lib/python2.7/dist-packages
Collecting cryptography
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading cryptography-1.5.3.tar.gz (400kB)
    100% |████████████████████████████████| 409kB 1.7MB/s 
Collecting idna
  Downloading idna-2.1-py2.py3-none-any.whl (54kB)
    100% |████████████████████████████████| 61kB 5.9MB/s 
Collecting certifi
  Downloading certifi-2016.9.26-py2.py3-none-any.whl (377kB)
    100% |████████████████████████████████| 378kB 1.9MB/s 
Collecting ndg-httpsclient
  Downloading ndg_httpsclient-0.4.2.tar.gz
Collecting pyasn1
  Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Requirement already satisfied: six>=1.4.1 in /usr/lib/python2.7/dist-packages (from cryptography)
Requirement already satisfied: setuptools>=11.3 in /usr/local/lib/python2.7/dist-packages (from cryptography)
Collecting enum34 (from cryptography)
  Downloading enum34-1.1.6-py2-none-any.whl
Collecting ipaddress (from cryptography)
  Downloading ipaddress-1.0.17-py2-none-any.whl
Collecting cffi>=1.4.1 (from cryptography)
  Downloading cffi-1.8.3-cp27-cp27mu-manylinux1_x86_64.whl (386kB)
    100% |████████████████████████████████| 389kB 1.8MB/s 
Collecting pycparser (from cffi>=1.4.1->cryptography)
  Downloading pycparser-2.17.tar.gz (231kB)
    100% |████████████████████████████████| 235kB 3.3MB/s 
Installing collected packages: idna, pyasn1, enum34, ipaddress, pycparser, cffi, cryptography, certifi, ndg-httpsclient
  Running setup.py install for pycparser ... done
  Running setup.py install for cryptography ... done
  Running setup.py install for ndg-httpsclient ... done
Successfully installed certifi-2016.9.26 cffi-1.8.3 cryptography-1.5.3 enum34-1.1.6 idna-2.1 ipaddress-1.0.17 ndg-httpsclient-0.4.2 pyasn1-0.1.9 pycparser-2.17
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ubuntu@ip-10-37-151-252:~$ sudo pip install aafigure
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied: aafigure in /usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ubuntu@ip-10-37-151-252:~$

About this issue

  • Original URL
  • State: closed
  • Created 8 years ago
  • Reactions: 3
  • Comments: 17 (10 by maintainers)

Most upvoted comments

One thing I would definitely suggest, though, if you don’t disable the warnings completely, is that you change them. Right now pip is printing out (thanks to urllib3) messages like

/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

…which is telling people to go to a page that tells them to install something, and installing that thing doesn’t fix the problem. That’s bound to lead to confusion.

+13
gpjt on Nov 7, 2016

any updates?

+3
rlam3 on Mar 19, 2017

To help other folks hitting this same issue, I thought I was going crazy since we are indeed pinning pip==8.1.2 on the host OS (ubuntu). I only just discovered that creating a virtualenv doesn’t attempt to match the version of pip that is on the host but goes ahead and uses the newest version of pip available (currently 9.0.1), thus reintroducing what had been a solved issue. I’m not suggesting this part in particular is anything the pip maintainers need to address, just a heads up for others trying to debug their setups.

+2
mattlong on Nov 29, 2016
Read more comments on GitHub
← pip: Skipping page https://pypi.org/simple/idna/ because of Content-Type: unknown
pip: Sorting TypeError in move_wheel_files() during install (e.g. Poetry) →