SSL InsecurePlatform error when using Requests package
Question:
Im using Python 2.7.3 and Requests. I installed Requests via pip. I believe it’s the latest version. I’m running on Debian Wheezy.
I’ve used Requests lots of times in the past and never faced this issue, but it seems that when making https requests with Requests I get an InsecurePlatform exception.
The error mentions urllib3, but I don’t have that installed. I did install it to check if it resolved the error, but it didn’t.
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3
/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not
available. This prevents urllib3 from configuring SSL appropriately and
may cause certain SSL connections to fail. For more information, see
https://urllib3.readthedocs.org/en/latest
/security.html#insecureplatformwarning.
Any ideas as to why I’m getting this? I’ve checked the docs, as specified in the error message, but the docs are saying to import urllib3 and either disable the warning, or provide a certificate.
Answers:
Use the somewhat hidden security feature:
pip install requests[security]
or
pip install pyOpenSSL ndg-httpsclient pyasn1
Both commands install following extra packages:
- pyOpenSSL
- cryptography
- idna
Please note that this is not required for python-2.7.9+.
If pip install fails with errors, check whether you have required development packages for libffi, libssl and python installed in your system using distribution’s package manager:
-
Debian/Ubuntu – python-dev libffi-dev libssl-dev packages.
-
Fedora – openssl-devel python-devel libffi-devel packages.
Distro list above is incomplete.
Workaround (see the original answer by @TomDotTom):
In case you cannot install some of the required development packages, there’s also an option to disable that warning:
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
If your pip itself is affected by InsecurePlatformWarning and cannot install anything from PyPI, it can be fixed with this step-by-step guide to deploy extra python packages manually.
If you are not able to upgrade your Python version to 2.7.9, and want to suppress warnings,
you can downgrade your ‘requests’ version to 2.5.3:
sudo pip install requests==2.5.3
About version:
http://fossies.org/diffs/requests/2.5.3_vs_2.6.0/requests/packages/urllib3/util/ssl_.py-diff.html
Requests 2.6 introduced this warning for users of python prior to 2.7.9 with only stock SSL modules available.
Assuming you can’t upgrade to a newer version of python, this will install more up-to-date python SSL libraries:
pip install --upgrade ndg-httpsclient
HOWEVER, this may fail on some systems without the build-dependencies for pyOpenSSL. On debian systems, running this before the pip command above should be enough for pyOpenSSL to build:
apt-get install python-dev libffi-dev libssl-dev
In fact, you can try this.
requests.post("https://www.google.com", verify=False)
you can read the code for requests.
"C:Python27Libsite-packagesrequestssessions.py"
class Session(SessionRedirectMixin):
......
def request(self, method, url,
params=None,
data=None,
headers=None,
cookies=None,
files=None,
auth=None,
timeout=None,
allow_redirects=True,
proxies=None,
hooks=None,
stream=None,
verify=None, # <========
cert=None):
"""
...
:param verify: (optional) if True, the SSL cert will be verified.
A CA_BUNDLE path can also be provided.
...
"""
I don’t use this in production, just some test runners. And to reiterate the urllib3 documentation
If you know what you are doing and would like to disable this and
other warnings
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
Edit / Update:
The following should also work:
import logging
import requests
# turn down requests log verbosity
logging.getLogger('requests').setLevel(logging.CRITICAL)
This answer is unrelated, but if you wanted to get rid of warning and get following warning from requests:
InsecurePlatformWarning
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
You can disable it by adding the following line to your python code:
requests.packages.urllib3.disable_warnings()
For me no work i need upgrade pip….
Debian/Ubuntu
install dependencies
sudo apt-get install libpython-dev libssl-dev libffi-dev
upgrade pip and install packages
sudo pip install -U pip
sudo pip install -U pyopenssl ndg-httpsclient pyasn1
If you want remove dependencies
sudo apt-get remove --purge libpython-dev libssl-dev libffi-dev
sudo apt-get autoremove
I just had a similar issue on a CentOS 5 server where I installed python 2.7.12 in /usr/local on top of a much older version of python2.7. Upgrading to CentOS 6 or 7 isn’t an option on this server right now.
Some of the python 2.7 modules were still existing from the older version of python, but pip was failing to upgrade because the newer cryptography package is not supported by the CentOS 5 packages.
Specifically, ‘pip install requests[security]’ was failing because the openssl version on the CentOS 5 was 0.9.8e which is no longer supported by cryptography > 1.4.0.
To solve the OPs original issue I did:
1) pip install 'cryptography<1.3.5,>1.3.0'.
This installed cryptography 1.3.4 which works with openssl-0.9.8e. cryptograpy 1.3.4 is also sufficient to satisfy the requirement for the following command.
2) pip install 'requests[security]'
This command now installs because it doesn’t try to install cryptography > 1.4.0.
Note that on Centos 5 I also needed to:
yum install openssl-devel
To allow cryptography to build
All of the solutions given here haven’t helped (I’m constrained to python 2.6.6). I’ve found the answer in a simple switch to pass to pip:
$ sudo pip install --trusted-host pypi.python.org <module_name>
This tells pip that it’s OK to grab the module from pypi.python.org.
For me, the issue is my company’s proxy behind it’s firewall that makes it look like a malicious client to some servers. Hooray security.
Update: See @Alex ‘s
answer for changes in the PyPi domains, and additional --trusted-host options that can be added. (I’d copy/paste here, but his answer, so +1 him)
I had to go to bash (from ZSH) first. Then
sudo -H pip install 'requests[security]' --upgrade
fixed the problem.
Below is how it’s working for me on Python 3.6:
import requests
import urllib3
# Suppress InsecureRequestWarning: Unverified HTTPS
urllib3.disable_warnings()
Dont install pyOpenSSL as it shall soon be deprecated. Current best approach is-
import requests
requests.packages.urllib3.disable_warnings()
This came up for me on Ubuntu 14.04 (with Python 2.7.6) last week after i did a apt-get dist-upgrade that included libssl1.1:amd64 from deb.sury.org.
Since I run certbot-auto renew from a cron job, I also use the --no-self-upgrade to cut down on unscheduled maintenance. This seems to have been the source of the trouble.
To fix the error, all I needed to do was become root (with su‘s --login switch) and let certbot-auto upgrade itself. I.e:
sudo su --login
/usr/local/bin/certbot-auto renew
# ... Upgrading certbot-auto 0.8.1 to 0.18.2... blah blah blah ...
instead of what normally runs from root’s crontab:
5 7 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade
After that, letsencrypt renwals ran normally once again.
if you just want to stopping insecure warning like:
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:794:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
do:
requests.METHOD("https://www.google.com", verify=False)
verify=False
is the key, followings are not good at it:
requests.packages.urllib3.disable_warnings()
or
urllib3.disable_warnings()
but, you HAVE TO know, that might cause potential security risks.
I had same problem with
Mac
Pycharm community edition 2019.3
Python interpreter 3.6.
Upgrading pip with 20.0.2 worked for me.
Pycharm --> Preferences --> Project Interpreter --> click on pip --> specify version 20.0.2 --> Install package
In my case working on an old ubuntu trusty image and trying to install python dateutil. I had first to upgrade python to 2.7.12 with the following:
add-apt-repository -y ppa:fkrull/deadsnakes-python2.7
apt-get -y update
apt install -y --force-yes python2.7-minimal
pip install python-dateutil
Im using Python 2.7.3 and Requests. I installed Requests via pip. I believe it’s the latest version. I’m running on Debian Wheezy.
I’ve used Requests lots of times in the past and never faced this issue, but it seems that when making https requests with Requests I get an InsecurePlatform exception.
The error mentions urllib3, but I don’t have that installed. I did install it to check if it resolved the error, but it didn’t.
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3
/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not
available. This prevents urllib3 from configuring SSL appropriately and
may cause certain SSL connections to fail. For more information, see
https://urllib3.readthedocs.org/en/latest
/security.html#insecureplatformwarning.
Any ideas as to why I’m getting this? I’ve checked the docs, as specified in the error message, but the docs are saying to import urllib3 and either disable the warning, or provide a certificate.
Use the somewhat hidden security feature:
pip install requests[security]
or
pip install pyOpenSSL ndg-httpsclient pyasn1
Both commands install following extra packages:
- pyOpenSSL
- cryptography
- idna
Please note that this is not required for python-2.7.9+.
If pip install fails with errors, check whether you have required development packages for libffi, libssl and python installed in your system using distribution’s package manager:
-
Debian/Ubuntu –
python-devlibffi-devlibssl-devpackages. -
Fedora –
openssl-develpython-devellibffi-develpackages.
Distro list above is incomplete.
Workaround (see the original answer by @TomDotTom):
In case you cannot install some of the required development packages, there’s also an option to disable that warning:
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
If your pip itself is affected by InsecurePlatformWarning and cannot install anything from PyPI, it can be fixed with this step-by-step guide to deploy extra python packages manually.
If you are not able to upgrade your Python version to 2.7.9, and want to suppress warnings,
you can downgrade your ‘requests’ version to 2.5.3:
sudo pip install requests==2.5.3
About version:
http://fossies.org/diffs/requests/2.5.3_vs_2.6.0/requests/packages/urllib3/util/ssl_.py-diff.html
Requests 2.6 introduced this warning for users of python prior to 2.7.9 with only stock SSL modules available.
Assuming you can’t upgrade to a newer version of python, this will install more up-to-date python SSL libraries:
pip install --upgrade ndg-httpsclient
HOWEVER, this may fail on some systems without the build-dependencies for pyOpenSSL. On debian systems, running this before the pip command above should be enough for pyOpenSSL to build:
apt-get install python-dev libffi-dev libssl-dev
In fact, you can try this.
requests.post("https://www.google.com", verify=False)
you can read the code for requests.
"C:Python27Libsite-packagesrequestssessions.py"
class Session(SessionRedirectMixin):
......
def request(self, method, url,
params=None,
data=None,
headers=None,
cookies=None,
files=None,
auth=None,
timeout=None,
allow_redirects=True,
proxies=None,
hooks=None,
stream=None,
verify=None, # <========
cert=None):
"""
...
:param verify: (optional) if True, the SSL cert will be verified.
A CA_BUNDLE path can also be provided.
...
"""
I don’t use this in production, just some test runners. And to reiterate the urllib3 documentation
If you know what you are doing and would like to disable this and
other warnings
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
Edit / Update:
The following should also work:
import logging
import requests
# turn down requests log verbosity
logging.getLogger('requests').setLevel(logging.CRITICAL)
This answer is unrelated, but if you wanted to get rid of warning and get following warning from requests:
InsecurePlatformWarning
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
You can disable it by adding the following line to your python code:
requests.packages.urllib3.disable_warnings()
For me no work i need upgrade pip….
Debian/Ubuntu
install dependencies
sudo apt-get install libpython-dev libssl-dev libffi-dev
upgrade pip and install packages
sudo pip install -U pip
sudo pip install -U pyopenssl ndg-httpsclient pyasn1
If you want remove dependencies
sudo apt-get remove --purge libpython-dev libssl-dev libffi-dev
sudo apt-get autoremove
I just had a similar issue on a CentOS 5 server where I installed python 2.7.12 in /usr/local on top of a much older version of python2.7. Upgrading to CentOS 6 or 7 isn’t an option on this server right now.
Some of the python 2.7 modules were still existing from the older version of python, but pip was failing to upgrade because the newer cryptography package is not supported by the CentOS 5 packages.
Specifically, ‘pip install requests[security]’ was failing because the openssl version on the CentOS 5 was 0.9.8e which is no longer supported by cryptography > 1.4.0.
To solve the OPs original issue I did:
1) pip install 'cryptography<1.3.5,>1.3.0'.
This installed cryptography 1.3.4 which works with openssl-0.9.8e. cryptograpy 1.3.4 is also sufficient to satisfy the requirement for the following command.
2) pip install 'requests[security]'
This command now installs because it doesn’t try to install cryptography > 1.4.0.
Note that on Centos 5 I also needed to:
yum install openssl-devel
To allow cryptography to build
All of the solutions given here haven’t helped (I’m constrained to python 2.6.6). I’ve found the answer in a simple switch to pass to pip:
$ sudo pip install --trusted-host pypi.python.org <module_name>
This tells pip that it’s OK to grab the module from pypi.python.org.
For me, the issue is my company’s proxy behind it’s firewall that makes it look like a malicious client to some servers. Hooray security.
Update: See @Alex ‘s
answer for changes in the PyPi domains, and additional --trusted-host options that can be added. (I’d copy/paste here, but his answer, so +1 him)
I had to go to bash (from ZSH) first. Then
sudo -H pip install 'requests[security]' --upgrade
fixed the problem.
Below is how it’s working for me on Python 3.6:
import requests
import urllib3
# Suppress InsecureRequestWarning: Unverified HTTPS
urllib3.disable_warnings()
Dont install pyOpenSSL as it shall soon be deprecated. Current best approach is-
import requests
requests.packages.urllib3.disable_warnings()
This came up for me on Ubuntu 14.04 (with Python 2.7.6) last week after i did a apt-get dist-upgrade that included libssl1.1:amd64 from deb.sury.org.
Since I run certbot-auto renew from a cron job, I also use the --no-self-upgrade to cut down on unscheduled maintenance. This seems to have been the source of the trouble.
To fix the error, all I needed to do was become root (with su‘s --login switch) and let certbot-auto upgrade itself. I.e:
sudo su --login
/usr/local/bin/certbot-auto renew
# ... Upgrading certbot-auto 0.8.1 to 0.18.2... blah blah blah ...
instead of what normally runs from root’s crontab:
5 7 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade
After that, letsencrypt renwals ran normally once again.
if you just want to stopping insecure warning like:
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:794:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
do:
requests.METHOD("https://www.google.com", verify=False)
verify=False
is the key, followings are not good at it:
requests.packages.urllib3.disable_warnings()
or
urllib3.disable_warnings()
but, you HAVE TO know, that might cause potential security risks.
I had same problem with
Mac
Pycharm community edition 2019.3
Python interpreter 3.6.
Upgrading pip with 20.0.2 worked for me.
Pycharm --> Preferences --> Project Interpreter --> click on pip --> specify version 20.0.2 --> Install package
In my case working on an old ubuntu trusty image and trying to install python dateutil. I had first to upgrade python to 2.7.12 with the following:
add-apt-repository -y ppa:fkrull/deadsnakes-python2.7
apt-get -y update
apt install -y --force-yes python2.7-minimal
pip install python-dateutil