InsecurePlatformWarning is annoying me

I'm getting this warning using pip.

According to their webpage: https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning

It's easily fixed by using Python >= 2.7.9.

When I ran mkvirtualenv it installed 2.7.6.

Is this something I can really fix?

Hi there,

Pip and requests just went through a bunch of updates that are causing these new warning messages. I believe that we have actually upgraded our standard Python libraries and installed extra libraries to fix that. However, if you are using a virtualenv, this may mean that you will need to manually update your own Python libraries.

As per your link, these may be the libraries that are missing or need to be upgraded within your virtualenv.

pip install urllib3[secure] pyopenssl ndg-httpsclient pyasn1

You may also need to upgrade pip using pip install --upgrade pip

Conrad

Thanks for the speedy response!

This fixed those warnings!!

I added --upgrade to your suggested pip line because some of those packages were already installed.

I created this virtual env a few days ago. If that's not good enough to get the latest stuff, I suggest adding your reply to the virtual env setup notes for Python 2.7.

Rich.

FYI: this is still happening and it took me a while to find this thread. I think Rich's idea of adding the reply to the virtual env setup notes for Python 2.7 would be hugely helpful. Thanks!!

Yes, I think pip upgrades very frequently nowadays, so it's very easy to fall behind on the versions. Do you mean we should add a suggestion to upgrade pip to this page?

No sorry, I didn't explain that very well. I meant for people using virtualenv with Python 2.7, the default Python that is downloaded from your system is Python 2.7.6, but Python 2.7.6 is missing some key libraries when it comes to SSL and will generate InsecurePlatformWarnings and/or SNIMissingWarnings. The SNIMissingWarning is really annoying because on the Django apps that I have created and hosted on PythonAnywhere, with Python 2.7.6, the server presents an invalid TLS certificate and you can't use https on the site at all, not to mention you get a connection warning.

I think the best solution is to serve a Python version of 2.7.9 or greater when someone is using virtualenv with Python 2.7. Then the correct libraries for proper TLS certificate validation will exist. If you guys are going to leave it at Python 2.7.6, then I think adding this line to the page that you referenced will be hugely helpful:

pip install urllib3[secure] pyopenssl ndg-httpsclient pyasn1

Hopefully that makes more sense. Thanks again for all your hard work on this product!

You're completely right, we need to upgrade the Python 2.7 version. The reason we haven't done that so far is that everyone shares the same system image, and so we'd have to upgrade it for everyone -- but unfortunately virtualenvs, when they're created, have symlinks that go to the specific point version of Python. So if we upgraded, we'd break every existing virtualenv on the system, which would be bad...

The fix, of course, is to have different system images for different users (with the option to switch to an upgraded one at a time of the user's choosing) -- and that's the direction we're going in, but it'll take a while.

I've updated the help page, anyway, so hopefully that'll help in the meantime.

Ha! This annoyance is baaaaack!

This time, to fix it, I followed this link:

https://urllib3.readthedocs.io/en/latest/user-guide.html#ssl-py2

Which, all told, had me do this:

(py27dj110) 20:56 ~ $ pip install --upgrade urllib3[secure] pyOpenSSL ndg-httpsclient pyasn1 certifi cffi cryptography

(py27dj110) 20:56 ~ $ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib3.contrib.pyopenssl
>>> urllib3.contrib.pyopenssl.inject_into_urllib3()
>>> import certifi
>>> import urllib3
>>> 
>>> 
>>> http = urllib3.PoolManager(
...     cert_reqs='CERT_REQUIRED',
...     ca_certs=certifi.where())
>>> 
>>> CTRL-D

(py27dj110) 21:00 ~ $
(py27dj110) 21:00 ~ $ pip install --upgrade pytz
Requirement already up-to-date: pytz in ./.virtualenvs/py27dj110/lib/python2.7/site-packages
(py27dj110) 21:00 ~ $

And now I don't get those annoying messages!

It's a bug in pip 9.0 and 9.0.1 (a fix may be coming) -- you can no longer get rid of the annoying messages when you're using those versions, and creating a new virtualenv upgrades pip to the latest version.

If you downgrade pip to 8.1.2 then it should get rid of the warnings.

Hey Giles, hope all is well. I was wondering if you guys were still thinking about upgrading Python 2.7.6? Seems like I have to go through this each time I create a new account for a client, and every time it's a little different. Not a big deal but just thought I'd ask. Thanks man!

We are still thinking about it, but it's really complicated unfortunately. Running two different point versions of Python alongside each other on the same system is hard, and running two different operating system sandbox images is also really hard. Will update as and when we have news...

There's also this way to bypass the warnings. Not optimal, but it worked for me:

"...Making unverified HTTPS requests is strongly discouraged, however, if you understand the risks and wish to disable these warnings, you can use disable_warnings():"

>>> import urllib3
>>> urllib3.disable_warnings()

https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings

Right -- I'd recommend sticking to pip 8.1.2 and installing the extra Python modules if you're using a virtualenv:

pip install urllib3[secure] pyopenssl ndg-httpsclient pyasn1
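
Added example, not part of the original thread and not PythonAnywhere's or urllib3's own code: a small check, runnable inside a virtualenv, that reports which of the two warnings discussed above the interpreter's stdlib `ssl` module would be expected to trigger. The function names and the `FakeSsl276` stand-in are hypothetical, and it assumes pyOpenSSL, when installed, is actually injected into urllib3.

```python
from __future__ import print_function
import ssl


def pyopenssl_available():
    """True if pyOpenSSL (pulled in by the pip line above) can be imported."""
    try:
        import OpenSSL  # noqa: F401
        return True
    except ImportError:
        return False


def expected_warnings(ssl_module, have_pyopenssl):
    """Names of the urllib3 warnings expected for this ssl module.

    Assumption: when pyOpenSSL is installed it is actually injected into
    urllib3 (inject_into_urllib3(), as in the session earlier in the thread),
    so the stdlib ssl module is no longer the TLS backend.
    """
    if have_pyopenssl:
        return []
    found = []
    # No real SSLContext (stdlib ssl before 2.7.9): InsecurePlatformWarning.
    if not hasattr(ssl_module, "SSLContext"):
        found.append("InsecurePlatformWarning")
    # No SNI support: the server may present the wrong certificate.
    if not getattr(ssl_module, "HAS_SNI", False):
        found.append("SNIMissingWarning")
    return found


class FakeSsl276(object):
    """Constructed stand-in for Python 2.7.6's ssl: no SSLContext, no HAS_SNI."""


def report():
    """Check the running interpreter and print what to expect."""
    found = expected_warnings(ssl, pyopenssl_available())
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("Expected urllib3 warnings:", ", ".join(found) or "none")
    return found


if __name__ == "__main__":
    report()
```

An empty result means certificate validation and SNI are handled by a capable backend, so the warnings do not need to be silenced with `disable_warnings()`.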