SSL digest errors (on OSX and windows) #829
Comments
|
Can you paste the full log |
|
Same error here on OSX 10.6.8 . Seems to be SSL related. |
|
here's the full log: |
|
Can you run with -v so we get the actual SSL error? |
|
there's no more info to be had with here's the detail: just noticed vinay has some extra logic related to ssl versioning in distlib (@vsajip) |
|
Oops missed that. What version of openssl? ( |
|
fwiw, on a mac that's not failing: OpenSSL 0.9.8r 8 Feb 2011 |
|
to be clear, distlib's extra logic is related to python version and ssl protocol version. |
|
SSL v2 is known to be insecure, pretty sure PyPI itself disables it but for non PyPI indexes it might be useful for pip to do the same. Shouldn't be related to the issue at hand though. |
|
@dstufft Here is my openssl version: Here is the output with -v: Here is the complete log: |
|
@tba-apps I don't know much about the OSX macport, homebrew stuff, but can you try an openssl upgrade? |
|
I was using ActivePython 2.7.2.5 and getting the same error. I switched to a fully brew distribution and now it's working. It doesn't solve the bug, but solved my problem... And set these vars: Check your pip path with Then: Now I'm able to use pip again. |
|
I wonder if this is an ActivePython issue then. |
|
Probably. Before this setup Python was linked against OpenSSL 0.9.7l 28 Sep 2006 and now it's OpenSSL 1.0.1c 10 May 2012. I wasn't able to test against the native Mac OS Python though. |
|
Same problem here on Windows 7 with Python 2.7.3 while trying to install any package... I found this problem after upgrading to pip 1.3.1... |
|
@matino please can you include a log or a link to a gist of a log produced with a run with -v. |
|
Hi, here it is (result of pip install -Uv django) https://gist.github.com/matino/5143458 |
|
So your error is |
|
I can see that the problem may be with the network. On my company network I get the error, but when I switch to 3g it works... |
|
btw, our automated testing for windows includes py27 on 2008 server. |
|
I get this same error when I try to use the pip generated when I set up a virtualenv, but natively, pip works fine. My OpenSSL version is also OpenSSL 0.9.7l 28 Sep 2006. |
|
@tduskin, is your global pip actually an older version that doesn't use SSL? |
|
I'm using pip 1.3.1. pip 1.3.1 from /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages (python 2.7) |
|
Switching to brew Python as mentioned by @ulyssesv fixed the issue for me. |
|
Upgrading to Python 2.7.3 (available from http://www.python.org/download/releases/2.7.3/) solved this issue for me. I am now able to use pip in my virtualenv. |
|
I'm seeing this same issue on OS/X 10.8.2 with Python 2.6.6. The Python build is the OS/X framework one from python.org The OpenSSL version is In my case this is happening in a and pip log from the failure: |
|
The error is: But PyPI certificate (which is *.python.org) uses SHA1 as message digest. It's weird that anything would not support it, even if a few years old. I tried reproducing it with this setup:
And I cannot reproduce it. If I created a virtualenv with Python 2.6 (using It looks like the only difference is that you're using Python 2.6 from python.org. Can you please try whether using the system Python 2.6 fixes it? |
|
For what it's worth, I'm seeing the same error on
when I use the Python 2.7.3 that comes in EPD 7.3-2 in a virtualenv. I don't see the error using that same python outside of a virtualenv or using the system python 2.7.2. |
|
Same problem here, without virtualenv. My setting is a vanilla install from EPD. The steps to reproduce the error, on Mac OS X 10.8.2 are
You will get the same error as everyone else: |
|
Which linux distro's and mac sidekick distro's actually have a compliant Python 2.7.x binary in them? I can understand the need for security - but right now it is effectively broken for people who aren't downloading the build tools and recompiling their own python. It may seem lazy not to want to do so - but I've not needed to merely to use pip packaging before. |
|
It works fine with Homebew Python on OSX and Ubuntu 12.04 LTS. I don't have other distributions handy to take a look to build some compatibility matrix. I don't mean to be dismissive but if the distribution you're using provides a openssl that doesn't work with SSL certs w/ sha1 they are shipping an insecure openssl afaik. Using MD5 digests for SSL certificates are vulnerable to collision attacks. |
|
I'm going to close this ticket. There's no actionable item here. People with old versions of openssl that don't support sha1 SSL certificates need to upgrade or else they are insecure. If they wish to be insecure they can continue using pip 1.2. |
Python 2.6 binary installer on OSX now appears to be too old to use up-to-date pip for installing - it gives SSL certificate errors: pypa/pip#829 Remove Python 2.6 OSX binary builders.
|
This issue still happens.. even trying to access a https url with a valid ssl certificate, even with the new openssl version: Not really sure what's causing: |
|
@pedroteixeira could you open a new issue with information on your OS, python, and url you were trying to download? It seems a different OpenSSL issue than the original issue. |
|
it happens when using a wildcard ssl certificate + simple nginx index -- buts it's probably not a pip issue. I'll try to troubleshoot it better before posting. |
|
I have this issue and in my case I'm fairly certain it's due to my company's proxy (all HTTPS traffic is routed through it). I'd guess this is the same deal with many others who are unaware of such a proxy MIM setup. I need to add my co's root CA cert to whatever cert store python uses, but I'm new to Python and am unsure how this is done. I added the pem data to C:\Python34\Lib\site-packages\pip_vendor\requests\cacert.pem, but no go. I guess i'll decode the installer bin, extract it and see what args I might be able to pass in to disable validation or retrieve the libs from another (local) location. EDIT: N/M, found bootstrap below base64 blob and saw reference to PIP_CERT env var. I ran get-pip again using alternate pem and did not get the error, although, the output suggested it installed successfully in the prior runs: Requirement already up-to-date: pip in c:\python34\lib\site-packages |
2.6 build hit a problem with old pip and SSL: pypa/pip#829 Rather than struggle through, just remove that build.
|
This issue still happens with the latest version of python and pip on Windows 8.1. |
|
@adamjmendoza any detailed notes on what your actual error is? |
|
@Ivoz , |
|
@adamjmendoza , what happens when you try to update python? In my case [1] it was a point version that was off, eg I had 2.7 but the version of 2.7 was not sufficient. |
|
Having this issue on macOS 10.12.6. Trying to easy install pip and it won't use my --prefix path (still uses /Library/Python/2.7/site-packages/test-easy-install-28943.pth)
also fails with error: So how do I update OpenSSL? Should be easy enough to mention here? |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
lock
bot
added
the
auto-locked
and others
OSX and Windows users on pythons linked to an older openssl version (e.g. "OpenSSL 0.9.7l 28 Sep 2006" on OSX and "OpenSSL 0.9.8k 25 Mar 2009" on windows) get an error like the following when pip installs from pypi.
to determine your openssl version, run
python -c "import ssl; print ssl.OPENSSL_VERSION"there are currently no plans to offer a fix for this other than to recommend people to use a python that is linked to a more recent version of openssl.
The text was updated successfully, but these errors were encountered: