16

I have a really bad network that uses a MITM cert to snoop on everyone's convos. This means I need to turn it off; for example, in Node I use `export NODE_TLS_REJECT_UNAUTHORIZED="0"`.

Is there a similar way to do this in Python to get around this issue?


Pretend I am security deficient (which I am). In my example for node I just configure an environmental variable and be done. This has me using a pem file (which I have no idea where to get). I tried downloading the cert chain but couldn't get it to a pem file. Is there really no more straightforward way to accomplish this? Honestly the way the network is set up I don't think I can even import just one cert.


I tried using this...

```
pip3 install itsdangerous --proxy=http://proxy.me.com:80 --index-url=http://pypi.python.org/simple/

Getting page http://pypi.python.org/simple/
Could not fetch URL http://pypi.python.org/simple/: timed out
Will skip URL http://pypi.python.org/simple/ when looking for download links for itsdangerous
Cannot fetch index base URL http://pypi.python.org/simple/
```

Still confirming that this isn't a red herring thanks to our proxy.


Also I've tried adding `HTTP_PROXY` and `HTTPS_PROXY` instead of the command line option. Still get the following result...

```
pip3 install itsdangerous --index-url=http://pypi.python.org/simple/
...
Downloading/unpacking itsdangerous
Getting page http://pypi.python.org/simple/itsdangerous/
Could not fetch URL http://pypi.python.org/simple/itsdangerous/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
Will skip URL http://pypi.python.org/simple/itsdangerous/ when looking for download links for itsdangerous
Getting page http://pypi.python.org/simple/
Could not fetch URL http://pypi.python.org/simple/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
```

Also might be important...

```
pip 1.5.4 from /usr/lib/python3/dist-packages (python 3.4)
```
kenorb
Jackie
  • 3
    A variety of options to either bypass SSL verification or work around this are in [the answers to this question](http://stackoverflow.com/questions/25981703/pip-install-fails-with-connection-error-ssl-certificate-verify-failed-certi). – wkl Jan 05 '16 at 15:56
  • Pretend I am security deficient (which I am). In my example for node I just configure an environmental variable and be done. This has me using a pem file (which I have no idea where to get). I tried downloading the cert chain but couldn't get it to a pem file. Is there really no more straightforward way to accomplish this? Honestly the way the network is set up I don't think I can even import just one cert – Jackie Jan 05 '16 at 16:01
  • Do you need to go through the proxy? `--proxy` may not work for you, so you have to set the environment variables `http_proxy` and `https_proxy` like `export http_proxy=http://proxy.me.com:80` and `export https_proxy=http://proxy.me.com:80` and run `pip` again. – wkl Jan 05 '16 at 16:11
  • Tried adding those env variables, same outcome – Jackie Jan 05 '16 at 16:28

2 Answers

14

I have the exact same issue on my network. I did this to install pillow:

```
pip install Pillow --trusted-host pypi.python.org --index-url=http://pypi.python.org/simple/
```

...and it worked great for me. Hope it helps.

Wes Grant
-3

When I need to ignore the certificate validation chains I have used the following code:

```python
import ssl

try:
    _create_verified_https_context = ssl._create_default_https_context
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # This Python build has no such hooks, so there is nothing to patch.
    pass
else:
    # Handle target environment that doesn't support HTTPS verification. Save
    # a reference to the previous method so it is still available if needed.
    # Note: this swaps the default HTTPS context factory for the whole process,
    # so later HTTPS calls that rely on it skip certificate and hostname checks.
    ssl._create_default_https_context = _create_unverified_https_context
    if not hasattr(ssl, '_create_verified_https_context'):
        ssl._create_verified_https_context = _create_verified_https_context
```

The above code will tell the SSL instance in your Python to ignore unverified errors. You can also modify your SSL.py file directly to change the behavior.

You may want to also take a look at: https://docs.python.org/3/library/ssl.html#ssl.SSLContext

Brian Cain
  • 3
    Are you serious? Where the heck am I even supposed to put this? This is way more complex than what I am looking for, sorry man. Hence the environmental variable requirement – Jackie Jan 05 '16 at 16:08
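An added example, not part of the thread or either answer: instead of switching verification off, the inspecting proxy's CA certificate can be normalised to PEM (the step the question got stuck on) and added to a context that still verifies. The function names `to_pem`, `build_bundle` and `verifying_context` are hypothetical, and the sample bytes are constructed placeholders, not a real certificate.

```python
import ssl

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"


def to_pem(blob: bytes) -> str:
    """Normalise one exported certificate file (PEM or binary DER) to PEM text."""
    if blob.lstrip().startswith(PEM_BEGIN):
        return blob.decode("ascii").strip() + "\n"   # already PEM, just tidy it
    if blob[:1] == b"\x30":                          # ASN.1 SEQUENCE tag: DER export
        return ssl.DER_cert_to_PEM_cert(blob)
    raise ValueError("not a PEM or DER certificate")


def build_bundle(blobs) -> str:
    """Concatenate the proxy root (and any intermediates) into one PEM bundle."""
    return "".join(to_pem(b) for b in blobs)


def verifying_context(bundle_pem=None) -> ssl.SSLContext:
    """System trust store plus the proxy CA; certificate checks stay enabled."""
    ctx = ssl.create_default_context()
    if bundle_pem:
        # Raises ssl.SSLError if the data is not a parseable X.509 certificate.
        ctx.load_verify_locations(cadata=bundle_pem)
    return ctx


def settings(ctx: ssl.SSLContext):
    """The two switches that decide whether a MITM certificate is noticed."""
    return ctx.verify_mode, ctx.check_hostname


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a browser's DER export.
    sample_der = b"\x30\x82\x01\x0a" + bytes(range(200))
    print(build_bundle([sample_der])[:60], "...")
    print("verifying context :", settings(verifying_context()))
    print("unverified context:", settings(ssl._create_unverified_context()))
```

Written to a file, the bundle can be handed to pip with its `--cert` option or to OpenSSL-based clients through the `SSL_CERT_FILE` environment variable.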