3

TLS version

TLS 1.1

Time To Upgrade Your Python: TLS v1.2 Will Soon Be Mandatory

OS details

Distributor ID:    Ubuntu
Description:    Ubuntu 12.04.2 LTS
Release:    12.04
Codename:    Precise Pangolin

Python version

Python 2.7.3

PIP version

pip 1.0 from /usr/lib/python2.7/dist-packages (python 2.7)

I know that there was an issue with pip SSL certificates, and I was able to overcome this by using the --index-url option for the past few months.

But now even that option is also not working. Following is the command I used to overcome SSL issue.

pip install --index-url=http://pypi.python.org/simple/ scapy

and

pip install --index-url=https://pypi.python.org/simple/ scapy

I get the following error for both of above commands:

Downloading/unpacking scapy
  Cannot fetch index base URL http://pypi.python.org/simple/
  Could not find any downloads that satisfy the requirement scapy
No distributions at all found for scapy
Storing complete log in /root/.pip/pip.log

Likewise I couldn't install any Python package!

How can I fix this issue?

When I tried to apply this solution as @phd suggested, I got the following error,

curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Vithulan
  • 300
  • 1
  • 11
  • Hav you try using the package manager? `sudo apt-get install python-scapy`, at least for scapy. [Reference](http://installion.co.uk/ubuntu/precise/universe/p/python-scapy/install/index.html) – TwistedSim Apr 20 '18 at 14:19
  • @TwistedSim Thanks for suggestion and yes it works, but scapy is not the only problem.. none of the python packages are getting installed. I'm working on a python project which needs multiple dependencies and scapy is one of them.. Eg, coloredlogs is not available in apt-get – Vithulan Apr 20 '18 at 14:27
  • Do you have the right website? this one work for me: `pip install --index-url=https://pypi.org/simple/ scapy`, but yours doesn't. It thibk it's just the `http` vs `https`. – TwistedSim Apr 20 '18 at 14:32
  • @TwistedSim No unfortunately it doesn't work for me, I'm getting the same `No distributions at all found for scapy` error. What is the pip and python version of yours? – Vithulan Apr 20 '18 at 14:37
  • I tested on python3 I must say, but since the website you use didn't work for me and the other one did, I thought I may have been your problem :). Also, do you have the most recent version of pip you can have on your system? – TwistedSim Apr 20 '18 at 14:43
  • @TwistedSim Uhm strange! Its not working for me. And yes it has the latest pip version `python-pip: Installed: 1.0-1build1 Candidate: 1.0-1build1 ` – Vithulan Apr 20 '18 at 14:50
  • Possible duplicate of [pip install fails for every package ("Could not find a version that satisfies the requirement")](https://stackoverflow.com/questions/49748063/pip-install-fails-for-every-package-could-not-find-a-version-that-satisfies-th) – phd Apr 20 '18 at 15:02
  • 1
    @phd I couldn't even do the curl command as mentioned in accepted answer. `curl https://bootstrap.pypa.io/get-pip.py | python ` to upgrade pip I get the following error - `error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version` – Vithulan Apr 20 '18 at 15:08
  • 1
    You need to upgrade everything related to SSL — OpenSSL, python, pip… – phd Apr 20 '18 at 15:42
  • have you tried Ubuntu 16.04? i think it runs smoother – killer May 06 '18 at 23:54
  • Possible duplicate of *[Not able to install Python packages \[SSL: TLSV1\_ALERT\_PROTOCOL\_VERSION\]](https://stackoverflow.com/questions/49768770/not-able-to-install-python-packages-ssl-tlsv1-alert-protocol-version)*. – Peter Mortensen May 21 '18 at 11:42

1 Answers1

1

Quick workaround: Ubuntu package utilities apt-cache and apt-get allow to search and install thousands of the common Python packages ($ sudo apt-get install python-<packagename>). They will be older than what comes from pip though, some may not be found in Ubuntu repositories.

The error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version can be reproduced by running pip with -v (for verbosity), along with SSLError, No distributions found, Max retries exceeded messages.

Python for Linux uses the system-supplied OpenSSL lib. curl and pip (and wget) also depend on the system OpenSSL for establishing SSL connections (use $ openssl version command). But TLS 1.1 support isn't enough for pip any more. TLS v1.2 requires OpenSSL 1.0.1 (or later) to function, but a minimum of OpenSSL 1.0.2 is generally recommended.

Curl's libcurl supports TLS 1.2 since curl version 7.34, but older curl versions should be able to connect only if you had OpenSSL version 1.0.2 (or later). So, both pip and the curl commands you've tried fail because the operating system's underlying OpenSSL library version is below 1.0.1 (see $ openssl version command) which does not support TLS 1.2 required. To see it in Python interpreter: 

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8o 01 Jun 2010'
>>> ssl.PROTOCOL_TLSv1_2
 AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'

Another part of the problem is that Python < 2.7.9 (or <3.4 in Python3) itself has ssl module that doesn't support PROTOCOL_TLSv1_2, so pip cannot use it, even if openssl was up-to-date. In Ubuntu repositories, Python 2.7.9 first appeared in 15.04 (Vivid Vervet), and Python 3.4.2 in 14.10 (Utopic Unicorn), which means you cannot upgrade system Python safely without upgrading your whole OS components. Python versions 2.7.9+ and 3.4+ ship newer pip with them by default.

You are lucky in a sense that with Ubuntu 12.04 being a former LTS (long-term support) version, you always have an option to apt-get upgrade your whole OS and jump directly to the next LTS release which would upgrade everything from OpenSSL to Python and its system-wide modules. In your exact version of Ubuntu 12.04 (Precise Pangolin) repository, OpenSSL 1.0.1-4 is available (security updates backported), so you could try $ sudo apt-get update && sudo apt-get install openssl libssl-dev but it may lead to the system upgrade by dependencies, and makes no sense without Python upgrade anyway. Keeping your original Ubuntu-shipped Python version intact allows to avoid breaking dependencies because many OS components rely on OS-shipped Python version.

You could compile from sources your own non-system OpenSSL, then also your standalone non-system Python, linking it against the OpenSSL you have just compiled, but this approach requires more "-dev" debian packages to be installed, and may be unfeasible due to various limitations.

Fortunately, it all can be solved without compiling or upgrading Python (and the whole system), by installing several Python packages manually -- the detailed step-by-step guide is available here on Stackoverflow. The cryptography manylinux1 wheel ships the most recent statically-linked OpenSSL library that will enable pip (v10+) and allow you to continue to use Ubuntu 12.04 without major upgrading hassle.

stop.climatechange.now
  • 3,923
  • 18
  • 27
  • 1
    yes, this resolves my issue. I had to upgrade TLS version to 1.2 and that resolves the problem. Thanks. – Vithulan Apr 26 '18 at 05:41