237

Im using Python 2.7.3 and Requests. I installed Requests via pip. I believe it's the latest version. I'm running on Debian Wheezy.

I've used Requests lots of times in the past and never faced this issue, but it seems that when making https requests with Requests I get an InsecurePlatform exception.

The error mentions urllib3, but I don't have that installed. I did install it to check if it resolved the error, but it didn't.

/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3
/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not
available. This prevents urllib3 from configuring SSL appropriately and 
may cause certain SSL connections to fail. For more information, see 
https://urllib3.readthedocs.org/en/latest  
/security.html#insecureplatformwarning.

Any ideas as to why I'm getting this? I've checked the docs, as specified in the error message, but the docs are saying to import urllib3 and either disable the warning, or provide a certificate.

plaes
  • 31,788
  • 11
  • 91
  • 89
Luke Peckham
  • 2,375
  • 2
  • 11
  • 11

16 Answers16

392

Use the somewhat hidden security feature:

pip install requests[security] or pip install pyOpenSSL ndg-httpsclient pyasn1

Both commands install following extra packages:

  • pyOpenSSL
  • cryptography
  • idna

Please note that this is not required for python-2.7.9+.

If pip install fails with errors, check whether you have required development packages for libffi, libssl and python installed in your system using distribution's package manager:

  • Debian/Ubuntu - python-dev libffi-dev libssl-dev packages.

  • Fedora - openssl-devel python-devel libffi-devel packages.

Distro list above is incomplete.

Workaround (see the original answer by @TomDotTom):

In case you cannot install some of the required development packages, there's also an option to disable that warning:

import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()

If your pip itself is affected by InsecurePlatformWarning and cannot install anything from PyPI, it can be fixed with this step-by-step guide to deploy extra python packages manually.

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
plaes
  • 31,788
  • 11
  • 91
  • 89
  • 3
    I have requests[security], new terminal, Python 2.7.3 and still getting this error – Josh Nankin Mar 19 '15 at 19:03
  • @JoshNankin Did you find out what caused the issue? – plaes Mar 24 '15 at 08:06
  • Don't forget that you might need to install the libffi-dev package in your system, so that "pip install cryptography" is able to compile. – ferdy Mar 24 '15 at 10:01
  • I just downgraded to 2.5.3 for now. I mainly need requests for some fabric scripts on my dev machine, so I'm not so worried about the cookie handling issue at this time. – Josh Nankin Mar 24 '15 at 15:41
  • Btw, I already had libffi-dev installed when I installed requests[security], still no dice. – Josh Nankin Mar 24 '15 at 15:43
  • Any tips on how to add the 'security' package-index-option to a puppet package specification for requests? – Donal Lafferty Apr 07 '15 at 14:50
  • @DonalLafferty Just install `pyOpenSSL`, `ndg-httpsclient` and `pyasn1` with `requests`. Should work. – plaes Apr 08 '15 at 04:34
  • 46
    you also need to install additional libraries on system for Ubuntu/Debian: `sudo apt-get install python-dev libffi-dev libssl-dev` – therealmarv Apr 08 '15 at 15:02
  • 2
    Is it ok that "pip" itself (staring from v6.1) gives the same security warning? – jmster Apr 13 '15 at 17:22
  • 5
    depending on your shell, you may need to type `pip install 'requests[security]'` – C. Reed Jun 21 '15 at 21:55
  • 1
    Depending on your python installation (anaconda vs not), you may need to `conda install cryptography` before you `pip install requests[security]`: https://github.com/pyca/pyopenssl/issues/290 – Chris P Jul 03 '15 at 21:47
  • 1
    I had to manually install the 3 packages with the --upgrade flag. Then things started working. – Josh Nankin Jul 13 '15 at 21:10
  • This has helped me solve my problem. But I am worried if there are any disadvantages of using this rather than normal `pip install requests` .Should I have to take care of certain other things? and how is this different from the actual `pip install requests`? Please somebody help! – Ymartin Aug 04 '15 at 14:01
  • 5
    in zshell, you need to say: pip install requests\\[security\\] – Amir Katz Oct 11 '15 at 09:28
  • On a Fedora system, to install the required dependencies: `sudo yum install openssl-devel python-devel libffi-devel` – Robert Muil Nov 03 '15 at 20:30
  • 1
    had to pip install pyOpenSSL, ndg-httpsclient, pyasn1 separately. Then worked! – Ishtiaque Khan Jan 14 '16 at 08:35
67

Requests 2.6 introduced this warning for users of python prior to 2.7.9 with only stock SSL modules available.

Assuming you can't upgrade to a newer version of python, this will install more up-to-date python SSL libraries:

pip install --upgrade ndg-httpsclient

HOWEVER, this may fail on some systems without the build-dependencies for pyOpenSSL. On debian systems, running this before the pip command above should be enough for pyOpenSSL to build:

apt-get install python-dev libffi-dev libssl-dev
Jessica Gadling
  • 739
  • 5
  • 3
19

I don't use this in production, just some test runners. And to reiterate the urllib3 documentation

If you know what you are doing and would like to disable this and other warnings

import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()

Edit / Update:

The following should also work:

import logging
import requests

# turn down requests log verbosity
logging.getLogger('requests').setLevel(logging.CRITICAL)
TomDotTom
  • 6,238
  • 3
  • 41
  • 39
  • 1
    The problem with this solution is that it simply suppresses and ignores the actual problem. Furthermore, this won't work when using pip to install or upgrade packages. – Jason Parham Mar 28 '16 at 16:07
  • 1
    The only solution that works for me on a ubuntu 1404/ Python 2.7.6. Thanks – Ignacio Vazquez Apr 28 '16 at 20:53
8

In fact, you can try this.

requests.post("https://www.google.com", verify=False)

you can read the code for requests.

"C:\Python27\Lib\site-packages\requests\sessions.py"

class Session(SessionRedirectMixin):
......
 def request(self, method, url,
    params=None,
    data=None,
    headers=None,
    cookies=None,
    files=None,
    auth=None,
    timeout=None,
    allow_redirects=True,
    proxies=None,
    hooks=None,
    stream=None,
    verify=None,  # <========
    cert=None):
    """
    ...
    :param verify: (optional) if True, the SSL cert will be verified.
         A CA_BUNDLE path can also be provided.
    ...
    """
juliomalegria
  • 24,229
  • 14
  • 73
  • 89
zzzz zzzz
  • 307
  • 2
  • 13
  • 2
    Be *very* careful doing this, not verifying certs can be dangerous! – jaapz May 20 '15 at 09:01
  • Of course, not verifying certs will be dangerous. But sometimes, this is a last resort. Ex: easy_install, apt-get, yum or pip...do not ran, Or do a little Web Crawler... – zzzz zzzz May 28 '15 at 05:13
  • 1
    I'm on a shared hosting environment so I can't upgrade python to 2.7.9 and I can't install the libffi.pc with apt-get, which is required by pip install requests[security] and the other pip install variants above. So this answer was the one that worked for me. As long as you understand the important caveat that without https verification the page contents could be changed/spoofed, I think this answer is fine. – Chirael Jun 14 '15 at 19:11
6

If you are not able to upgrade your Python version to 2.7.9, and want to suppress warnings,

you can downgrade your 'requests' version to 2.5.3:

sudo pip install requests==2.5.3

About version: http://fossies.org/diffs/requests/2.5.3_vs_2.6.0/requests/packages/urllib3/util/ssl_.py-diff.html

raittes
  • 5,271
  • 3
  • 30
  • 27
5

All of the solutions given here haven't helped (I'm constrained to python 2.6.6). I've found the answer in a simple switch to pass to pip:

$ sudo pip install --trusted-host pypi.python.org <module_name>

This tells pip that it's OK to grab the module from pypi.python.org.

For me, the issue is my company's proxy behind it's firewall that makes it look like a malicious client to some servers. Hooray security.

Update: See @Alex 's answer for changes in the PyPi domains, and additional --trusted-host options that can be added. (I'd copy/paste here, but his answer, so +1 him)

PfunnyGuy
  • 750
  • 9
  • 22
4

This answer is unrelated, but if you wanted to get rid of warning and get following warning from requests:

InsecurePlatformWarning /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

You can disable it by adding the following line to your python code:

requests.packages.urllib3.disable_warnings()

daemonsl
  • 442
  • 4
  • 6
  • Thanks for this. None of the other answers worked for me. I'm blown away that such a verbose annoying message would be put in by default. – Dan Mar 03 '17 at 00:38
1

I had to go to bash (from ZSH) first. Then

sudo -H pip install 'requests[security]' --upgrade

fixed the problem.

Martin Thoma
  • 124,992
  • 159
  • 614
  • 958
1

This came up for me on Ubuntu 14.04 (with Python 2.7.6) last week after i did a apt-get dist-upgrade that included libssl1.1:amd64 from deb.sury.org.

Since I run certbot-auto renew from a cron job, I also use the --no-self-upgrade to cut down on unscheduled maintenance. This seems to have been the source of the trouble.

To fix the error, all I needed to do was become root (with su's --login switch) and let certbot-auto upgrade itself. I.e: 

sudo su --login
/usr/local/bin/certbot-auto renew 
# ... Upgrading certbot-auto 0.8.1 to 0.18.2... blah blah blah ...

instead of what normally runs from root's crontab: 

5 7 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade

After that, letsencrypt renwals ran normally once again.

Dale C. Anderson
  • 2,280
  • 1
  • 24
  • 24
  • I got the same issue described here. warnings: /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning. InsecurePlatformWarning I just type the command: sudo apt-get dist-upgrade The error was fixed. – Didierh Apr 06 '19 at 06:16
0

For me no work i need upgrade pip....

Debian/Ubuntu

install dependencies

sudo apt-get install libpython-dev libssl-dev libffi-dev

upgrade pip and install packages

sudo pip install -U pip
sudo pip install -U pyopenssl ndg-httpsclient pyasn1

If you want remove dependencies

sudo apt-get remove --purge libpython-dev libssl-dev libffi-dev
sudo apt-get autoremove
Thedemon007
  • 21
  • 3
0

I just had a similar issue on a CentOS 5 server where I installed python 2.7.12 in /usr/local on top of a much older version of python2.7. Upgrading to CentOS 6 or 7 isn't an option on this server right now.

Some of the python 2.7 modules were still existing from the older version of python, but pip was failing to upgrade because the newer cryptography package is not supported by the CentOS 5 packages.

Specifically, 'pip install requests[security]' was failing because the openssl version on the CentOS 5 was 0.9.8e which is no longer supported by cryptography > 1.4.0.

To solve the OPs original issue I did:

1) pip install 'cryptography<1.3.5,>1.3.0'.

This installed cryptography 1.3.4 which works with openssl-0.9.8e. cryptograpy 1.3.4 is also sufficient to satisfy the requirement for the following command.

2) pip install 'requests[security]'

This command now installs because it doesn't try to install cryptography > 1.4.0.

Note that on Centos 5 I also needed to:

yum install openssl-devel

To allow cryptography to build

DavidG
  • 399
  • 2
  • 10
0

Below is how it's working for me on Python 3.6:

import requests
import urllib3

# Suppress InsecureRequestWarning: Unverified HTTPS
urllib3.disable_warnings()
Luiz Vaz
  • 1,669
  • 1
  • 19
  • 32
0

Dont install pyOpenSSL as it shall soon be deprecated. Current best approach is-

import requests
requests.packages.urllib3.disable_warnings()
Mohammad Shahid Siddiqui
  • 3,730
  • 2
  • 27
  • 12
0

if you just want to stopping insecure warning like:

/usr/lib/python3/dist-packages/urllib3/connectionpool.py:794: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning)

do:

requests.METHOD("https://www.google.com", verify=False)

verify=False

is the key, followings are not good at it:

requests.packages.urllib3.disable_warnings()

or

urllib3.disable_warnings()

but, you HAVE TO know, that might cause potential security risks.

J.Z
  • 927
  • 6
  • 4
0

I had same problem with
Mac
Pycharm community edition 2019.3
Python interpreter 3.6.
Upgrading pip with 20.0.2 worked for me.
Pycharm --> Preferences --> Project Interpreter --> click on pip --> specify version 20.0.2 --> Install package

GPopat
  • 445
  • 4
  • 14
0

In my case working on an old ubuntu trusty image and trying to install python dateutil. I had first to upgrade python to 2.7.12 with the following:

add-apt-repository -y ppa:fkrull/deadsnakes-python2.7
apt-get -y update
apt install -y --force-yes python2.7-minimal
pip install python-dateutil
Mathieu Barbot
  • 149
  • 4