python - how to downgrade openssl - python

I'm having issues with some older certs that are self-generated by my routers. I believe it is because openssl no longer supports 3des encryption.
I would like to downgrade my ssl version in python to see if the problems go away.
Current Version:
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.1t 3 May 2016'
>>>
I am using the Docker image for Python, and that runs:
# cat /etc/issue
Debian GNU/Linux 8 \n \l
I'm not sure which version 3des was removed in, but I would need to use the version before that I think.
I'm using aiohttp which I believe uses urllib3 for requests and I haven't been able to get past the handshake failure currently, which I believe is because of 3des encryption?

Figure out the version of OpenSSL you want. Taking the example of version 1.0.0, use the following command:
sudo pip install 'pyOpenSSL==21.0.0' --force-reinstall
Full list of old pyOpenSSL released versions: https://pypi.org/project/pyOpenSSL/
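A way to check what the interpreter itself reports, added here as an example and not part of the original posts: it reads the OpenSSL build that the ssl module is linked against (the value shown in the question) and lists any 3DES cipher suites that build will offer. The function names are illustrative, and get_ciphers() requires Python 3.6 or later.

```python
import re
import ssl


def parse_openssl_version(text):
    """Split e.g. 'OpenSSL 1.0.1t 3 May 2016' into ('OpenSSL', (1, 0, 1))."""
    m = re.match(r"(\w+)\s+(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        return None
    return m.group(1), tuple(int(g) for g in m.group(2, 3, 4))


def library_has_tls12(version):
    """TLS 1.1 and 1.2 were added to OpenSSL in the 1.0.1 release."""
    return version >= (1, 0, 1)


def _is_3des(name):
    # OpenSSL suite names use either 'DES-CBC3' or '3DES-EDE' for triple DES.
    return "DES-CBC3" in name or "3DES" in name


def triple_des_suites():
    """Names of the 3DES suites this build can offer (empty list if none)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("3DES")  # OpenSSL cipher-string keyword
    except ssl.SSLError:         # nothing matched: not compiled in or disabled
        return []
    # TLS 1.3 suites are listed regardless of set_ciphers(), so filter by name.
    return [c["name"] for c in ctx.get_ciphers() if _is_3des(c["name"])]


def diagnose():
    """Collect the facts needed to reason about a handshake failure."""
    default = ssl.create_default_context()
    return {
        "linked": ssl.OPENSSL_VERSION,
        "parsed": parse_openssl_version(ssl.OPENSSL_VERSION),
        "3des_available": triple_des_suites(),
        "3des_in_default": [c["name"] for c in default.get_ciphers()
                            if _is_3des(c["name"])],
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

An empty 3des_available list means the linked library cannot negotiate 3DES at all; a non-empty 3des_available with an empty 3des_in_default means the suites exist but the default context does not offer them.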

Related

pytorch for gpu installation error on ubuntu 14.04(cuda 8.0, python2.7.6, pip 19.0.1) - wheel not supported

I follow the tutorial command on pytorch site, but such errors came out.
error: torch-1.0.0-cp27m-linux_x86_64.whl is not a valid wheel filename.
I used following commands for installation.
pip install https://download.pytorch.org/whl/cu80/torch-1.0.0-cp27-cp27m-linux_x86_64.whl
The wheel is a ZIP archive with the .whl extension that should have a specially formatted file name and contain a relocatable Python package to be recognized on your platform.
Please use your web browser such as Firefox to obtain manylinux1 wheels directly from PyPI website:
torch-1.0.1.post2-cp27-cp27m-manylinux1_x86_64.whl (582.6 MB)
torch-1.0.1.post2-cp27-cp27mu-manylinux1_x86_64.whl (582.5 MB) <= try this one
Please make sure to choose one appropriate for your specific OS/platform. In your case, the mu-manylinux1 is the most likely choice. You could use this shell command to ensure:
$ python -c "import sys; print 'UCS4/UTF-32: mu-manylinux1' if sys.maxunicode > 65535 else 'UCS2/UTF-16: m-manylinux1'"
Python 3 version:
$ python3 -c "import sys; print('UCS4/UTF-32: mu-manylinux1' if sys.maxunicode > 65535 else 'UCS2/UTF-16: m-manylinux1')"
mu is more common and means that your Python stores Unicode data in UCS-4 (UTF-32) format.
cp27 stands for Python 2.7; likewise cp36 is for Python 3.6
x86_64 is for 64-bit platform. Pytorch doesn't support 32-bit.
All manylinux1 wheels require pip v8.1 or later to be pip install'ed (you have v19.0.1 - ok).
Regarding the SSLError...sslv3 alert handshake failure you've mentioned in the comment, it's caused by the fact that pip doesn't use old SSL/TLS protocols to connect to PyPI since about a year ago, but your system's underlying OpenSSL library is outdated, and Python 2.7.6 ssl module doesn't support the required TLS 1.2 protocol anyway. I will address this issue in your other posting.

Python PIP and InsecurePlatformWarning

I'm trying to install requests library for Python (2.6.6 on CentOS6) as
sudo pip install requests[security]
I'm getting these error messages:
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Collecting requests[security]
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
I ensured all system libraries are in place
sudo yum install openssl-devel python-devel libffi-devel
and all is good there
so I tried
sudo pip install pyopenssl ndg-httpsclient pyasn1
and
sudo pip install --trusted-host pypi.python.org requests
and these fail as well.
Due to some old code I need to stick to Python 2.6
Any idea what is going wrong here and how to address it?
PS
I have decided to downgrade pip and it came up that errors came up with pip version 6.1+. Thoughts on that?
Indeed, as of 2019, quite a few people are still facing this issue, as they cannot upgrade their system Python (and system-supplied openssl) due to various limitations.
If you'd like to fix the InsecurePlatformWarning .. (Caused by SSLError .. SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version'), the following solution can help someone using an old Linux distro:
Unable to install Python packages using pip in Ubuntu Linux: InsecurePlatformWarning, SSLError, tlsv1 alert protocol version
Python 2.6.6 on CentOS6
In your specific case, the last cryptography version to officially support Python 2.6 was cryptography-2.1.1, although a newer version might work.
The first manylinux1 cryptography package to include its own OpenSSL (1.1.0f) shared lib binding for Linux, regardless of what's on your platform, has appeared in cryptography-2.0 version. The last cryptography that still officially supported Centos 6.4 was version 1.8.2, while newer versions officially supported CentOS 7.x only: https://pypi.org/project/cryptography/#files
Note, cryptography versions<2.0 have no manylinux1 and didn't ship the openssl/ssllib with them, relying on the system-supplied one only (back then, they did so only for other OSes that had/have even bigger SSL problems). While the cryptography-2.0 (manylinux1) is still worth trying, you will probably have to compile the newer openssl version (1.0.1 - 1.1.0) locally on Centos 6.x, before compiling cryptography 1.8.2 to link against it:
https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-linux
https://cryptography.io/en/latest/installation/#rhel-centos
There is also an option to build your own statically-linked wheels that will work on your own systems:
https://cryptography.io/en/latest/installation/#static-wheels
That said,
if all you needed was just to install the requests lib (without solving the notorious SSLError), specifically in Python 2.6.6 on CentOS6, and you are not going to need TLS 1.2 protocol support from requests, you could simply use your Centos repo for that:
$ yum search requests
$ sudo yum install python26-requests
Or, you could get and install requests in a similar way as in the above-mentioned solution, from wheels or from tar.gz downloaded from:
https://pypi.org/project/requests/
Note, the latest requests on PyPI depends on the following Python packages:
urllib3, idna, chardet, certifi
Luckily, these four have no other dependencies and can be obtained from PyPI directly, in the same way - the "Download Files" section on PyPI:
https://pypi.org/project/urllib3/
https://pypi.org/project/idna/
https://pypi.org/project/chardet/
https://pypi.org/project/certifi/
You could download and try to install their latest versions, or use 'Release History' section to locate older versions, depending on your use-case and system-specific requirements.
Note, many web servers (including PyPI) nowadays require TLS 1.2 support, both in the client and server backend, to establish an HTTPS connection, so if you will need this type of connections, requests will not work without fixing the SSLError the way discussed above (or by compiling a newer Python 2.7.9+ against OpenSSL version 1.0.2+ that would have to be compiled as well in that case, before compiling new Python, to link ssl module with it).
Try this:
sudo pip install requests
[secure] is not necessary

Is Dtls available in python3, and how to install it?

From the description of Dtls library, it seems it's not available in python3. And when I want to install with pip install Dtls there's always an
Command "python setup.py egg_info" failed with error code 1 in
C:\Users\sun\AppData\Local\Temp\pip-build-c_46y9mt\Dtls\
Solution here doesn't help. I am using Python 3.6 on Win7.
Do I have another option for DTLS?
python3-dtls is the python3 version for dtls package.
If the library you want to use is not available for the version of your interpreter, then you simply cannot use that library without porting it yourself or waiting for others doing that for you. This is probably not what you want.
This means that Dtls library works only for Python2.7 and version 1.0.0 or higher of the OpenSSL library as mentioned on the website, although it's tested on several platforms (including yours):
At the time of initial release, PyDTLS 0.1.0 has been tested on Ubuntu 12.04.1 LTS 32-bit and 64-bit, as well as Microsoft Windows 7 32-bit and 64-bit, using CPython 2.7.3. Patches with additional platform ports are welcome.
As of release 1.2.0, PyDTLS is tested on Ubuntu 16.04 LTS as well as Microsoft Windows 10, using CPython 2.7.13.
You can use other libraries if you have to use Python3.x, e.g. standard ssl library or maybe also pyOpenSSL library:
pyOpenSSL remains the only alternative for full-featured TLS code across all noteworthy Python versions from 2.7 through 3.5 and PyPy.
Dtls is a library which simplifies implementation but you are not dependent on it.
Just as a side note: For pyOpenSSL you can also get an idea how to implement it by reading this post.

Elasticsearch Python client SSLError on Mac OSX

Our devops recently turned on SSL on our in-house ElasticSearch servers, while our Ubuntu dev boxes are connecting to it fine, but it's causing SSLError on Mac dev boxes (running Django).
SSLError at /search
ConnectionError(EOF occurred in violation of protocol (_ssl.c:590)) caused by: SSLError(EOF occurred in violation of protocol (_ssl.c:590))
What I know so far:
Not limited to El Capitan, also breaks on earlier version
We can connect to other ES service over https, our devops told me our ES service has higher https requirements
Openssl v0.9.8 has handshake problem on the ES service
Openssl v1.0.1 works fine on the ES service
There are many posts online around this problem but none helped.
I have tried:
brew link --force openssl (but EL Capitan is stopping it), none of the solutions worked from Homebrew refusing to link OpenSSL
adding /usr/local/opt/openssl/lib to DYLD_LIBRARY_PATH
upgrading python from 2.7.10 to 2.7.12
rebuilding virtualenv
None of the above worked...
Questions:
Is it due to OpenSSL version?
Is it due to Python version due to _ssl.c?
How do I fix this?
Finally nailed it, basically you will have to install Python that has updated openssl
check in Python cmd
import ssl
print ssl.OPENSSL_VERSION
It should print 0.9.x
Now to update:
brew install openssl, don't worry about the linking if it rejects, make sure it's >=1.x.x
brew install python --with-brewed-openssl
recreate virtualenv by specifying the brewed version of Python, eg. mkvirtualenv --python=/usr/.../Cellar/python/bin/python <project>

Why is context.set_tmp_ecdh() not defined in pyOpenSSL?

I'm trying to implement the answer found at Python Paste SSL server with TLSv1.2 and Forward Secrecy.
How do I use context.set_tmp_ecdh()? That method is not defined on either my Linux or Windows machines. It is in the pyOpenSSL docs, and various examples I've seen. I'm using Python 2.6.6 (or 2.7) and pyOpenSSL v 0.13 (specifically CentOS package pyOpenSSL-0.13.1-2.el6.x86_64.rpm). Is there a specific version or additional dependency, etc. that I'm missing?
Support for ecdh was added in pyOpenSSL 0.15, so you can't use it with your installed version of pyOpenSSL.
You'll have to install a newer version.
