336

Tried to perform REST GET through python requests with the following code and I got error.

Code snip:

import requests
header = {'Authorization': 'Bearer...'}
url = az_base_url + az_subscription_id + '/resourcegroups/Default-Networking/resources?' + az_api_version
r = requests.get(url, headers=header)

Error:

/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:79: 
          InsecurePlatformWarning: A true SSLContext object is not available. 
          This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. 
          For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning

My python version is 2.7.3. I tried to install urllib3 and requests[security] as some other thread suggests, I still got the same error.

Wonder if anyone can provide some tips?

Serenity
  • 35,289
  • 20
  • 120
  • 115
user4525298
  • 3,369
  • 3
  • 11
  • 3
  • 12
    Did you read the link (https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning)? It gives two suggestions: either upgrade to at least Python 2.7.9 or use pyOpenSSL. – Ned Deily Mar 18 '15 at 23:25
  • 1
    Thanks for your comments. I tried to install pyOpenSSL but failed. Let me try to upgrade to 2.7.9 and see if that fix the problem. – user4525298 Mar 19 '15 at 20:10
  • @user4525298 did by updgrading 2.7.9 solve your problem? – bohr Feb 09 '16 at 09:11
  • @NedDeily: the link is now broken – Sheena Jul 04 '16 at 06:44
  • @Sheena: thanks. https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verification-in-python-2 – Ned Deily Jul 05 '16 at 14:33

2 Answers2

552

The docs give a fair indicator of what's required., however requests allow us to skip a few steps:

You only need to install the security package extras (thanks @admdrew for pointing it out)

$ pip install requests[security]

or, install them directly:

$ pip install pyopenssl ndg-httpsclient pyasn1

Requests will then automatically inject pyopenssl into urllib3

If you're on ubuntu, you may run into trouble installing pyopenssl, you'll need these dependencies:

$ apt-get install libffi-dev libssl-dev
nathan-m
  • 8,875
  • 2
  • 18
  • 29
  • 26
    You can also `pip install requests[security]` and only `import requests`. – admdrew Mar 26 '15 at 19:59
  • 3
    the answer above is detailed, however @admdrew provides perhaps the simplest solution with least amount of headache. – Chrispy Apr 08 '15 at 04:17
  • 9
    Don't forget the `--upgrade` option or you may not actually install anything. And if you want your system environment to be secure you want to sudo the install. So `sudo pip install --upgrade pyopenssl ndg-httpsclient pyasn1 pip` worked for me on Fedora 20 despite the deprecation warning for uninstalling and upgrading the distutils-installed `pyopenssl` package. – hobs Apr 15 '15 at 22:13
  • On CentOS6 at least "pip install requests[security]" requires that "gcc" is already installed. Is there any other workaround for getting the latest requests (since answer below mentions 2.5.3 has security bug) and getting rid of that warning and not requiring gcc? – jamshid Jun 30 '15 at 22:14
  • @jamshid It might be possible to pre-compile them on a separate CentOs6 machine, then copy them to your "live"machine. -- https://vilimpoc.org/blog/2012/11/23/bundling-up-distributable-python-package-libraries-using-pip-and-zip/ -- Probably best to create a new question if your run into trouble – nathan-m Jul 01 '15 at 00:32
  • Thanks this works on Yosemite 10.10.4 – Rizky Ariestiyansyah Jul 30 '15 at 08:08
  • 3
    @hobs Regarding `sudo pip install`, e.g. http://stackoverflow.com/questions/29310688/sudo-pip-install-vs-pip-install-user As a general, but not unbreakable, rule, you should either use `pip install --user` or preferably use virtualenv to keep everything contained and pinned. – knickum Sep 14 '15 at 16:54
  • @knickum, yea that's a really good rule... except for security-related patches that you want to apply to all users and have the OS itself to use the newest versions. – hobs Sep 15 '15 at 18:13
  • I try the above and it just get worse under ubuntu 12.04... – Richard Oct 14 '15 at 16:11
  • what if there is no pip on the machine? – Timofey Oct 27 '15 at 19:55
  • cffi installed failed .... – zx1986 Nov 22 '15 at 06:50
  • On CentOS 7, this required `yum -y install libffi-devel openssl-devel` – TrinitronX Dec 03 '15 at 01:46
  • 1
    Also, if you're having trouble installing the Ubuntu dependencies (I was), there's a bit more complete description here: http://stackoverflow.com/questions/22073516/failed-to-install-python-cryptography-package-with-pip-and-setup-py (answer is quite far down) – dpb Dec 18 '15 at 07:15
  • For Debian I also needed to install python-dev. – returneax Apr 19 '16 at 12:35
  • 1
    On Ubuntu 14.04, running Python 2.7.6, the suggested `pip install requests[security]` failed with `error code 1 in /tmp/pip-build-YTQm4B/cryptography/` – Derek May 21 '16 at 12:14
  • On Raspberry Pi, I had to manually install the required utilities like cffi, enum34, ipaddress, idna, pycparser, cryptography due to the problems described here: https://github.com/pyca/cryptography/issues/1981 – Sujay Phadke Oct 04 '16 at 05:03
  • Saved my server filling the error.log file and causing my server disk to be out of space. Thanks! – softvar Dec 02 '17 at 20:50
72

If you are not able to upgrade your Python version to 2.7.9, and want to suppress warnings,

you can downgrade your 'requests' version to 2.5.3:

pip install requests==2.5.3

Bugfix disclosure / Warning introduced in 2.6.0

raittes
  • 5,271
  • 3
  • 30
  • 27
  • 51
    While this *works*, this probably isn't the *best* answer. – admdrew Mar 26 '15 at 19:58
  • 24
    That diff hides the fact that 2.6.0 contains a *security fix*; downgrading leaves you exposed. – Martijn Pieters Mar 29 '15 at 16:04
  • 7
    admdrew's comment on the answer above is a much better and simple solution. Simply `pip install requests[security]` – jjj Apr 08 '15 at 15:23
  • 3
    The above answers might be better for most scenarios, but this one is the only one that works on a shared host with native libraries you don't control. `requests[security]` didn't work, but the older version did. – Jordan Mar 16 '17 at 18:04
  • This did not work for me. I get the same InsecurePlatformWarning and it won't download the older version of requests. – Brian Minton Nov 26 '18 at 19:15
  • 3
    If **pip itself** is affected by `InsecurePlatformWarning` and cannot install anything from PyPI, it can be fixed with [this step-by-step guide](https://stackoverflow.com/a/54582701/9575715) -- handy for older linux systems.. @Brian – stop.climatechange.now Feb 10 '19 at 16:37