Suppress InsecureRequestWarning: Unverified HTTPS request is being made in Python2.6
Question:
I am writing scripts in Python2.6 with use of pyVmomi and while using one of the connection methods:
service_instance = connect.SmartConnect(host=args.ip,
user=args.user,
pwd=args.password)
I get the following warning:
/usr/lib/python2.6/site-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
What’s interesting is that I do not have urllib3 installed with pip (but it’s there in /usr/lib/python2.6/site-packages/requests/packages/urllib3/).
I have tried as suggested here
import urllib3
...
urllib3.disable_warnings()
but that didn’t change anything.
Answers:
You can disable any Python warnings via the PYTHONWARNINGS environment variable. In this case, you want:
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
To disable using Python code (requests >= 2.16.0):
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
For requests < 2.16.0, see original answer below.
Original answer
The reason doing urllib3.disable_warnings() didn’t work for you is because it looks like you’re using a separate instance of urllib3 vendored inside of requests.
I gather this based on the path here: /usr/lib/python2.6/site-packages/requests/packages/urllib3/connectionpool.py
To disable warnings in requests’ vendored urllib3, you’ll need to import that specific instance of the module:
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
The HTTPS certificate verification security measure isn’t something to be discarded light-heartedly. The Man-in-the-middle attack that it prevents safeguards you from a third party e.g. sipping a virus in or tampering with or stealing your data.
Even if you only intend to do that in a test environment, you can easily forget to undo it when moving elsewhere.
Instead, read the relevant section on the provided link and do as it says. The way specific for requests (which bundles with its own copy of urllib3), as per CA Certificates — Advanced Usage — Requests 2.8.1 documentation:
requests ships with its own certificate bundle (but it can only be updated together with the module)- it will use (since
requests v2.4.0) the certifi package instead if it’s installed
- In a test environment, you can easily slip a test certificate into
certifi as per how do I update root certificates of certifi? . E.g. if you replace its bundle with just your test certificate, you will immediately see it if you forget to undo that when moving to production.
Finally, with today’s government-backed global hacking operations like Tailored Access Operations and the Great Firewall of China that target network infrastructure, falling under a MITM attack is more probable than you think.
I had a similar issue with PyVmomi Client. With Python Version 2.7.9, I have solved this issue with the following line of code:
default_sslContext = ssl._create_unverified_context()
self.client =
Client(<vcenterip>, username=<username>, password=<passwd>,
sslContext=default_sslContext )
Note that, for this to work, you need Python 2.7.9 atleast.
This is the answer in 2017. urllib3 not a part of requests anymore
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
Per this github comment, one can disable urllib3 request warnings via requests in a 1-liner:
requests.packages.urllib3.disable_warnings()
This will suppress all warnings though, not just InsecureRequest (ie it will also suppress InsecurePlatform etc). In cases where we just want stuff to work, I find the conciseness handy.
Why not using pyvmomi original function SmartConnectNoSSL.
They added this function on June 14, 2016 and named it ConnectNoSSL, one day after they changed the name to SmartConnectNoSSL, use that instead of by passing the warning with unnecessary lines of code in your project?
Provides a standard method for connecting to a specified server without SSL
verification. Useful when connecting to servers with self-signed certificates
or when you wish to ignore SSL altogether
service_instance = connect.SmartConnectNoSSL(host=args.ip,
user=args.user,
pwd=args.password)
For impatient, a quick way to disable python unverified HTTPS warning:
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
For Python 2.7
Add the environment variable PYTHONWARNINGS as key and the corresponding value to be ignored like:
os.environ['PYTHONWARNINGS']="ignore:Unverified HTTPS request"
The accepted answer doesn’t work if some package vendors it’s own copy of urllib3, in which case this will still work:
import warnings
warnings.filterwarnings('ignore', message='Unverified HTTPS request')
That’s probably useful for someone, who uses unittest, if imported modules use request library.
To suppress warnings in requests’ vendored urllib3, add
warnings.filterwarnings('ignore', message='Unverified HTTPS request')
to setUp method in your testclass, i.e:
import unittest, warnings
class MyTests(unittest.TestCase):
def setUp(self):
warnings.filterwarnings('ignore', message='Unverified HTTPS request')
(all test methods here)
Suppress logs using standard python library ‘logging‘
Place this code on the top of your existing code
import logging
urllib3_logger = logging.getLogger('urllib3')
urllib3_logger.setLevel(logging.CRITICAL)
Warning message
~/venv/lib/python3.4/site-packages/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
In Debian 8 these steps fixed the issue.
- In python3 code
import urllib3
urllib3.disable_warnings()
- Install two packages on Debian
libssl1.0.0_1.0.2l-1_bpo8+1_amd64.deb
libssl-dev_1.0.2l-1_bpo8+1_amd64.deb
debian mirror
After download above deb packages install with apt.
apt install ./libssl-dev_1.0.2l-1_bpo8+1_amd64.deb
apt install ./libssl1.0.0_1.0.2l-1_bpo8+1_amd64.deb
To build dependencies with new library
- Create new venv for python project
python3 -m venv .venv
source .venv/bin/activate
Clean Install modules under python project inside virtual environment by
python3 -m pip install -e .
For Python 3.7.9 and requests 2.11.1, this is the only way it worked to suppress the specific Exception in the OP:
import requests
requests.packages.urllib3.disable_warnings(
requests.packages.urllib3.exceptions.InsecureRequestWarning)
Not sure why the above worked and this one did not:
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
Here is a simplification of the working version:
from requests.packages import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
… it would appear that the import of urllib3 directly does not contain the same namespace as the one loaded by requests and thus the disable_warnings does not mutate the data structure touched by requests.
If you want to disable the warnings, but do not want to silence warnings from other packages, or other parts of your application, here is how to disable them per call.
Step 1, create a context manager.
from contextlib import contextmanager
@contextmanager
def disable_ssl_warnings():
import warnings
import urllib3
with warnings.catch_warnings():
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
yield None
Step 2, wrap your calls:
with disable_ssl_warnings():
requests.get('https://example.com')
The warning will only be silenced for that call.
(As per @shazow’s answer, this works with requests >= 2.16.0)
One liner, if you made the import requests before :
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
I am writing scripts in Python2.6 with use of pyVmomi and while using one of the connection methods:
service_instance = connect.SmartConnect(host=args.ip,
user=args.user,
pwd=args.password)
I get the following warning:
/usr/lib/python2.6/site-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
What’s interesting is that I do not have urllib3 installed with pip (but it’s there in /usr/lib/python2.6/site-packages/requests/packages/urllib3/).
I have tried as suggested here
import urllib3
...
urllib3.disable_warnings()
but that didn’t change anything.
You can disable any Python warnings via the PYTHONWARNINGS environment variable. In this case, you want:
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
To disable using Python code (requests >= 2.16.0):
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
For requests < 2.16.0, see original answer below.
Original answer
The reason doing urllib3.disable_warnings() didn’t work for you is because it looks like you’re using a separate instance of urllib3 vendored inside of requests.
I gather this based on the path here: /usr/lib/python2.6/site-packages/requests/packages/urllib3/connectionpool.py
To disable warnings in requests’ vendored urllib3, you’ll need to import that specific instance of the module:
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
The HTTPS certificate verification security measure isn’t something to be discarded light-heartedly. The Man-in-the-middle attack that it prevents safeguards you from a third party e.g. sipping a virus in or tampering with or stealing your data.
Even if you only intend to do that in a test environment, you can easily forget to undo it when moving elsewhere.
Instead, read the relevant section on the provided link and do as it says. The way specific for requests (which bundles with its own copy of urllib3), as per CA Certificates — Advanced Usage — Requests 2.8.1 documentation:
requestsships with its own certificate bundle (but it can only be updated together with the module)- it will use (since
requestsv2.4.0) thecertifipackage instead if it’s installed - In a test environment, you can easily slip a test certificate into
certifias per how do I update root certificates of certifi? . E.g. if you replace its bundle with just your test certificate, you will immediately see it if you forget to undo that when moving to production.
Finally, with today’s government-backed global hacking operations like Tailored Access Operations and the Great Firewall of China that target network infrastructure, falling under a MITM attack is more probable than you think.
I had a similar issue with PyVmomi Client. With Python Version 2.7.9, I have solved this issue with the following line of code:
default_sslContext = ssl._create_unverified_context()
self.client =
Client(<vcenterip>, username=<username>, password=<passwd>,
sslContext=default_sslContext )
Note that, for this to work, you need Python 2.7.9 atleast.
This is the answer in 2017. urllib3 not a part of requests anymore
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
Per this github comment, one can disable urllib3 request warnings via requests in a 1-liner:
requests.packages.urllib3.disable_warnings()
This will suppress all warnings though, not just InsecureRequest (ie it will also suppress InsecurePlatform etc). In cases where we just want stuff to work, I find the conciseness handy.
Why not using pyvmomi original function SmartConnectNoSSL.
They added this function on June 14, 2016 and named it ConnectNoSSL, one day after they changed the name to SmartConnectNoSSL, use that instead of by passing the warning with unnecessary lines of code in your project?
Provides a standard method for connecting to a specified server without SSL
verification. Useful when connecting to servers with self-signed certificates
or when you wish to ignore SSL altogether
service_instance = connect.SmartConnectNoSSL(host=args.ip,
user=args.user,
pwd=args.password)
For impatient, a quick way to disable python unverified HTTPS warning:
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
For Python 2.7
Add the environment variable PYTHONWARNINGS as key and the corresponding value to be ignored like:
os.environ['PYTHONWARNINGS']="ignore:Unverified HTTPS request"
The accepted answer doesn’t work if some package vendors it’s own copy of urllib3, in which case this will still work:
import warnings
warnings.filterwarnings('ignore', message='Unverified HTTPS request')
That’s probably useful for someone, who uses unittest, if imported modules use request library.
To suppress warnings in requests’ vendored urllib3, add
warnings.filterwarnings('ignore', message='Unverified HTTPS request')
to setUp method in your testclass, i.e:
import unittest, warnings
class MyTests(unittest.TestCase):
def setUp(self):
warnings.filterwarnings('ignore', message='Unverified HTTPS request')
(all test methods here)
Suppress logs using standard python library ‘logging‘
Place this code on the top of your existing code
import logging
urllib3_logger = logging.getLogger('urllib3')
urllib3_logger.setLevel(logging.CRITICAL)
Warning message
~/venv/lib/python3.4/site-packages/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
In Debian 8 these steps fixed the issue.
- In python3 code
import urllib3
urllib3.disable_warnings()
- Install two packages on Debian
libssl1.0.0_1.0.2l-1_bpo8+1_amd64.deb
libssl-dev_1.0.2l-1_bpo8+1_amd64.deb
debian mirror
After download above deb packages install with apt.
apt install ./libssl-dev_1.0.2l-1_bpo8+1_amd64.deb
apt install ./libssl1.0.0_1.0.2l-1_bpo8+1_amd64.deb
To build dependencies with new library
- Create new venv for python project
python3 -m venv .venv
source .venv/bin/activate
Clean Install modules under python project inside virtual environment by
python3 -m pip install -e .
For Python 3.7.9 and requests 2.11.1, this is the only way it worked to suppress the specific Exception in the OP:
import requests
requests.packages.urllib3.disable_warnings(
requests.packages.urllib3.exceptions.InsecureRequestWarning)
Not sure why the above worked and this one did not:
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
Here is a simplification of the working version:
from requests.packages import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
… it would appear that the import of urllib3 directly does not contain the same namespace as the one loaded by requests and thus the disable_warnings does not mutate the data structure touched by requests.
If you want to disable the warnings, but do not want to silence warnings from other packages, or other parts of your application, here is how to disable them per call.
Step 1, create a context manager.
from contextlib import contextmanager
@contextmanager
def disable_ssl_warnings():
import warnings
import urllib3
with warnings.catch_warnings():
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
yield None
Step 2, wrap your calls:
with disable_ssl_warnings():
requests.get('https://example.com')
The warning will only be silenced for that call.
(As per @shazow’s answer, this works with requests >= 2.16.0)
One liner, if you made the import requests before :
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)