238
votes

Im using Python 2.7.3 and Requests. I installed Requests via pip. I believe it's the latest version. I'm running on Debian Wheezy.

I've used Requests lots of times in the past and never faced this issue, but it seems that when making https requests with Requests I get an InsecurePlatform exception.

The error mentions urllib3, but I don't have that installed. I did install it to check if it resolved the error, but it didn't.

/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3
/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not
available. This prevents urllib3 from configuring SSL appropriately and 
may cause certain SSL connections to fail. For more information, see 
https://urllib3.readthedocs.org/en/latest  
/security.html#insecureplatformwarning.

Any ideas as to why I'm getting this? I've checked the docs, as specified in the error message, but the docs are saying to import urllib3 and either disable the warning, or provide a certificate.

16

16 Answers

392
votes

Use the somewhat hidden security feature:

pip install requests[security] or pip install pyOpenSSL ndg-httpsclient pyasn1

Both commands install following extra packages:

  • pyOpenSSL
  • cryptography
  • idna

Please note that this is not required for python-2.7.9+.

If pip install fails with errors, check whether you have required development packages for libffi, libssl and python installed in your system using distribution's package manager:

  • Debian/Ubuntu - python-dev libffi-dev libssl-dev packages.

  • Fedora - openssl-devel python-devel libffi-devel packages.

Distro list above is incomplete.

Workaround (see the original answer by @TomDotTom):

In case you cannot install some of the required development packages, there's also an option to disable that warning:

import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()

If your pip itself is affected by InsecurePlatformWarning and cannot install anything from PyPI, it can be fixed with this step-by-step guide to deploy extra python packages manually.

68
votes

Requests 2.6 introduced this warning for users of python prior to 2.7.9 with only stock SSL modules available.

Assuming you can't upgrade to a newer version of python, this will install more up-to-date python SSL libraries:

pip install --upgrade ndg-httpsclient 

HOWEVER, this may fail on some systems without the build-dependencies for pyOpenSSL. On debian systems, running this before the pip command above should be enough for pyOpenSSL to build:

apt-get install python-dev libffi-dev libssl-dev
18
votes

I don't use this in production, just some test runners. And to reiterate the urllib3 documentation

If you know what you are doing and would like to disable this and other warnings

import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()

Edit / Update:

The following should also work:

import logging
import requests

# turn down requests log verbosity
logging.getLogger('requests').setLevel(logging.CRITICAL)
8
votes

In fact, you can try this.

requests.post("https://www.google.com", verify=False)

you can read the code for requests.

"C:\Python27\Lib\site-packages\requests\sessions.py"

class Session(SessionRedirectMixin):
......
 def request(self, method, url,
    params=None,
    data=None,
    headers=None,
    cookies=None,
    files=None,
    auth=None,
    timeout=None,
    allow_redirects=True,
    proxies=None,
    hooks=None,
    stream=None,
    verify=None,  # <========
    cert=None):
    """
    ...
    :param verify: (optional) if True, the SSL cert will be verified.
         A CA_BUNDLE path can also be provided.
    ...
    """
7
votes

If you are not able to upgrade your Python version to 2.7.9, and want to suppress warnings,

you can downgrade your 'requests' version to 2.5.3:

sudo pip install requests==2.5.3

About version: http://fossies.org/diffs/requests/2.5.3_vs_2.6.0/requests/packages/urllib3/util/ssl_.py-diff.html

5
votes

All of the solutions given here haven't helped (I'm constrained to python 2.6.6). I've found the answer in a simple switch to pass to pip:

$ sudo pip install --trusted-host pypi.python.org <module_name>

This tells pip that it's OK to grab the module from pypi.python.org.

For me, the issue is my company's proxy behind it's firewall that makes it look like a malicious client to some servers. Hooray security.


Update: See @Alex 's answer for changes in the PyPi domains, and additional --trusted-host options that can be added. (I'd copy/paste here, but his answer, so +1 him)

3
votes

This answer is unrelated, but if you wanted to get rid of warning and get following warning from requests:

InsecurePlatformWarning /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

You can disable it by adding the following line to your python code:

requests.packages.urllib3.disable_warnings()

1
votes

I had to go to bash (from ZSH) first. Then

sudo -H pip install 'requests[security]' --upgrade

fixed the problem.

1
votes

This came up for me on Ubuntu 14.04 (with Python 2.7.6) last week after i did a apt-get dist-upgrade that included libssl1.1:amd64 from deb.sury.org.

Since I run certbot-auto renew from a cron job, I also use the --no-self-upgrade to cut down on unscheduled maintenance. This seems to have been the source of the trouble.

To fix the error, all I needed to do was become root (with su's --login switch) and let certbot-auto upgrade itself. I.e:

sudo su --login
/usr/local/bin/certbot-auto renew 
# ... Upgrading certbot-auto 0.8.1 to 0.18.2... blah blah blah ...

instead of what normally runs from root's crontab:

5 7 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade

After that, letsencrypt renwals ran normally once again.

0
votes

For me no work i need upgrade pip....

Debian/Ubuntu

install dependencies

sudo apt-get install libpython-dev libssl-dev libffi-dev

upgrade pip and install packages

sudo pip install -U pip
sudo pip install -U pyopenssl ndg-httpsclient pyasn1

If you want remove dependencies

sudo apt-get remove --purge libpython-dev libssl-dev libffi-dev
sudo apt-get autoremove
0
votes

I just had a similar issue on a CentOS 5 server where I installed python 2.7.12 in /usr/local on top of a much older version of python2.7. Upgrading to CentOS 6 or 7 isn't an option on this server right now.

Some of the python 2.7 modules were still existing from the older version of python, but pip was failing to upgrade because the newer cryptography package is not supported by the CentOS 5 packages.

Specifically, 'pip install requests[security]' was failing because the openssl version on the CentOS 5 was 0.9.8e which is no longer supported by cryptography > 1.4.0.

To solve the OPs original issue I did:

1) pip install 'cryptography<1.3.5,>1.3.0'.  

This installed cryptography 1.3.4 which works with openssl-0.9.8e. cryptograpy 1.3.4 is also sufficient to satisfy the requirement for the following command.

2) pip install 'requests[security]'

This command now installs because it doesn't try to install cryptography > 1.4.0.

Note that on Centos 5 I also needed to:

yum install openssl-devel

To allow cryptography to build

0
votes

Below is how it's working for me on Python 3.6:

import requests
import urllib3

# Suppress InsecureRequestWarning: Unverified HTTPS
urllib3.disable_warnings()
0
votes

Dont install pyOpenSSL as it shall soon be deprecated. Current best approach is-

import requests
requests.packages.urllib3.disable_warnings()
0
votes

if you just want to stopping insecure warning like:

/usr/lib/python3/dist-packages/urllib3/connectionpool.py:794: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning)

do:

requests.METHOD("https://www.google.com", verify=False)

verify=False

is the key, followings are not good at it:

requests.packages.urllib3.disable_warnings()

or

urllib3.disable_warnings()

but, you HAVE TO know, that might cause potential security risks.

0
votes

I had same problem with
Mac
Pycharm community edition 2019.3
Python interpreter 3.6.
Upgrading pip with 20.0.2 worked for me.
Pycharm --> Preferences --> Project Interpreter --> click on pip --> specify version 20.0.2 --> Install package

0
votes

In my case working on an old ubuntu trusty image and trying to install python dateutil. I had first to upgrade python to 2.7.12 with the following:

add-apt-repository -y ppa:fkrull/deadsnakes-python2.7
apt-get -y update
apt install -y --force-yes python2.7-minimal
pip install python-dateutil