How to use pip (with SSL) safely in Ubuntu Trusty?

The question is, how to safely install packages using pip on Ubuntu Trusty? Of course, I need to clarify why I think this is unsafe.

urllib3 provides InsecurePlatformWarning if you make an https request without several additional python libraries related to openssl before Python 2.7.9. This is a well-asked question and answer:

InsecurePlatformWarning: A true SSLContext is not available. This prevents urllib3 from properly configuring SSL

The problem is that if you install pip version 6 or so, it starts giving you this very warning, as you are installing something. From the official answer to the question:

https://urllib3.readthedocs.org/en/latest/security.html#pyopenssl

it looks like the problem is the Python ssl library. Did Pip just switch to the Python ssl library from openssl in the latest version? My assumption (possibly a bad assumption) is that pip used the Python library before, it just used an older version of urllib that didn't even give a warning. So it was unsafe all the time (although the particular concern seems to be somewhat recent).

Well, if that is the case, then the Ubuntu stock version is unsafe. I cannot use it to safely install material, to make it safe. No matter, I can just install the same things from the Ubuntu repository, which checks packages with GPG:

http://packages.ubuntu.com/search?keywords=python-ndg-httpsclient

Except as described above, available only in Utopic. On Trusty, I seem stuck.

So what is the deal? Do I need to roll the dice and install these things unsafe once, and then safely use pip only after that? Or am I misunderstanding the situation?

+7
python pip ssl ubuntu
2 answers

pip uses the standard default ssl library module (unless you install additional libraries that you mentioned). Prior to Python 2.7.9 and Python 3.2 (ish, I believe it was 3.2, maybe there was 3.1), the ssl module inside the standard library was not able to control certain settings related to ssl.

Some of these settings:

  • You cannot disable SSLv3 without explicit binding to TLSv1.0 (and you cannot connect to TLSv1.1 or TLSv1.2).
  • You cannot disable TLS compression.
  • You cannot use SNI, forcing every host you are trying to talk to not to use SNI (or you need to disable TLS checking for these hosts).
  • You cannot tell OpenSSL to prefer a shorter, but still trusted, chain that was explicitly passed to it by the server. This means that some servers that might otherwise be verified will fail if the underlying certificate store removes weak 1024-bit root certificates.
  • On even older Pythons (2.6), you also cannot install ciphers, which means that you are stuck with any of the default OpenSSLs (often leading to unsafe or less optimal options).

How much you should do this is really up to you. If you install from PyPI, many of these things are simply not important, because we disable them on the server side, rather than relying on clients to implement them. However, requests (the base library pip uses to access the repository) raises these warnings (and pip does not suppress them), because PyPI is often not the only place you are going to connect to, and these additional places may or may not take the same precautions as PyPI.

Source: I am a kernel developer and PyPI administrator.

+6
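The question's warning and the answer's list of missing capabilities can both be checked directly against the interpreter you are running. The following is an added example, not code from the question, the answers, pip or urllib3: it probes the `ssl` module for each capability the answer names, reports which urllib3 1.x warnings a plain (non-pyOpenSSL) client would emit according to my understanding of urllib3's checks (InsecurePlatformWarning when `ssl.SSLContext` is absent, SNIMissingWarning when `ssl.HAS_SNI` is false), and then builds and audits a client `SSLContext` that turns those settings on. The function names, capability labels and the cipher string are my own choices; it opens no network connection.

```python
"""Added example: probe the ssl module for the capabilities the answer lists,
predict the urllib3 warnings, and build/audit a hardened client context.
Function names, labels and cipher string are this example's own (assumed)."""
import ssl


def ssl_capabilities():
    """Map each capability from the answer to whether this ssl module has it."""
    has_ctx = hasattr(ssl, "SSLContext")
    return {
        # Without SSLContext nothing below is configurable (pre-2.7.9 / pre-3.2).
        "sslcontext": has_ctx,
        # SNI is needed to reach name-based virtual hosts without disabling checks.
        "sni": bool(getattr(ssl, "HAS_SNI", False)),
        # Anything newer than TLS 1.0 (TLS 1.2 constant or the TLSVersion enum).
        "tls12": hasattr(ssl, "TLSVersion") or hasattr(ssl, "PROTOCOL_TLSv1_2"),
        # Context options that switch off SSLv3 and TLS compression.
        "disable_sslv3": has_ctx and hasattr(ssl, "OP_NO_SSLv3"),
        "disable_compression": has_ctx and hasattr(ssl, "OP_NO_COMPRESSION"),
        # Choosing the cipher list (the 2.6-era gap the answer mentions).
        "set_ciphers": has_ctx and hasattr(ssl.SSLContext, "set_ciphers"),
    }


def missing_capabilities():
    """Names of the capabilities this interpreter lacks (empty on a modern Python)."""
    return sorted(name for name, ok in ssl_capabilities().items() if not ok)


def urllib3_warnings_expected(caps=None):
    """Approximation of urllib3 1.x behaviour for a client without pyOpenSSL:
    InsecurePlatformWarning without SSLContext, SNIMissingWarning without SNI."""
    if caps is None:
        caps = ssl_capabilities()
    expected = []
    if not caps["sslcontext"]:
        expected.append("InsecurePlatformWarning")
    if not caps["sni"]:
        expected.append("SNIMissingWarning")
    return expected


def hardened_client_context():
    """Client context applying the settings the old ssl module could not:
    certificate and hostname verification, no SSLv3 (TLS 1.2 floor where the
    interpreter can set one), no TLS compression, an explicit cipher list."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname on 2.7.9+/3.4+
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if hasattr(ssl, "TLSVersion"):  # Python 3.7+: set a protocol floor directly
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:  # older interpreters: forbid the weak versions one flag at a time
        ctx.options |= (ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
                        | getattr(ssl, "OP_NO_TLSv1", 0) | getattr(ssl, "OP_NO_TLSv1_1", 0))
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression enables compression-oracle attacks
    # Forward-secret AEAD suites only; drop NULL, anonymous, MD5 and RC4 suites.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def audit_context(ctx):
    """Report which of the answer's concerns a given SSLContext addresses."""
    min_ver = getattr(ctx, "minimum_version", None)
    get_ciphers = getattr(ctx, "get_ciphers", None)
    names = [c["name"] for c in get_ciphers()] if get_ciphers else []
    return {
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3)
        or (min_ver is not None and min_ver >= ssl.TLSVersion.TLSv1),
        "tls12_floor": min_ver is not None and min_ver >= ssl.TLSVersion.TLSv1_2,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        # Unknown (no get_ciphers) is reported as False rather than assumed safe.
        "no_rc4_or_null_ciphers": bool(names)
        and all("RC4" not in n and "NULL" not in n for n in names),
    }


if __name__ == "__main__":
    print("missing capabilities:", missing_capabilities() or "none")
    print("urllib3 warnings expected:", urllib3_warnings_expected() or "none")
    for key, ok in sorted(audit_context(hardened_client_context()).items()):
        print("%-24s %s" % (key, "ok" if ok else "MISSING"))
```

Running it on a Trusty-era Python 2.7.6 would list `sslcontext` and `sni` as missing and predict both warnings; on Python 2.7.9+ or 3.4+ the list is empty and the audit of the hardened context should report every item as ok. The audit takes any `SSLContext`, so it can also be pointed at a context a library hands you to see which of the answer's settings it actually enforces.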

I read the existing discussion and thought well, what should I do now?

Then I realized that the main problem that I encountered was that I was on Ubuntu 14.04, and the Python version that it ships with is erroneous. Therefore, I upgraded to 15.04.

0
