pip install egenix-mx-base fails with SSL: UNSUPPORTED_PROTOCOL on debian 10 even with --trusted-hosts

[jamshid]

Environment

• pip version:
  apt-get install python-pip
  pip 18.1 from /usr/lib/python2.7/dist-packages/pip (python 2.7)
• Python version:
  2.7.16
• OS:
  debian:10

Description
A pip install that works on debian:9 fails on debian:10, apparently because a server somewhere uses an old TLS. Also I'd expect --trusted-host to workaround this but it does not.

Expected behavior

This is a good example of an error that could be surfaced better (#6959) so that the user knows who to blame.

How to Reproduce

1. Start with a fresh debian 10 (buster) and install python-pip and build-essential.
2. pip install egenix-mx-base fails.
3. Btw since it seems to be an SSL issue I'd expect --trusted-host to help but it does not.

Output

$ docker run -ti debian:10 bash

root@be34350b0936:/# apt-get update && apt-get install -y python-pip curl build-essential

root@be34350b0936:/# pip install egenix-mx-base

Collecting egenix-mx-base
  Downloading https://files.pythonhosted.org/packages/66/e6/e0709aedeb4a5c92a1aeb8c47ab50e9506eafc865806801bd3f01d72b671/egenix-mx-base-3.2.9.zip (74kB)
    100% |################################| 81kB 1.2MB/s 
    Complete output from command python setup.py egg_info:
    web installer could not download the package https://downloads.egenix.com/python/egenix-mx-base-3.2.9-py2.7_ucs4-linux-x86_64-prebuilt.zip#md5=1e98d2daccd22c33103980a520a6c53d&sha1=5a94a58f1c6bcd9b8cfa671de93b3aa81555169c&sha256=6797559de9d103a35f4d134a18db7b7c4764ce562053a2142ec2d34b79d59da5&size=4739155: <urlopen error [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)>
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-install-Gl0hfJ/egenix-mx-base/setup.py", line 12, in <module>
        landmarks=('mx', 'PREBUILT'))
      File "mxSetup.py", line 5790, in run_web_installer
        return web_installer.run()
      File "mxSetup.py", line 5670, in run
        self.install_package_from_url(url)
      File "mxSetup.py", line 5636, in install_package_from_url
        (url, reason))
    distutils.errors.DistutilsError: web installer could not download the package https://downloads.egenix.com/python/egenix-mx-base-3.2.9-py2.7_ucs4-linux-x86_64-prebuilt.zip#md5=1e98d2daccd22c33103980a520a6c53d&sha1=5a94a58f1c6bcd9b8cfa671de93b3aa81555169c&sha256=6797559de9d103a35f4d134a18db7b7c4764ce562053a2142ec2d34b79d59da5&size=4739155: <urlopen error [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)>
    
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-Gl0hfJ/egenix-mx-base/

root@be34350b0936:/# pip install --verbose --trusted-host files.pythonhosted.org --trusted-host downloads.egenix.com egenix-mx-base

Created temporary directory: /tmp/pip-ephem-wheel-cache-h7ZQn8
Created temporary directory: /tmp/pip-req-tracker-RNx2qw
Created requirements tracker '/tmp/pip-req-tracker-RNx2qw'
Created temporary directory: /tmp/pip-install-vEVND8
Collecting egenix-mx-base
  1 location(s) to search for versions of egenix-mx-base:
  * https://pypi.org/simple/egenix-mx-base/
  Getting page https://pypi.org/simple/egenix-mx-base/
  Looking up "https://pypi.org/simple/egenix-mx-base/" in the cache
  No cache entry available
  Starting new HTTPS connection (1): pypi.org:443
  https://pypi.org:443 "GET /simple/egenix-mx-base/ HTTP/1.1" 200 392
  Updating cache with response from "https://pypi.org/simple/egenix-mx-base/"
  Caching due to etag
  Analyzing links from page https://pypi.org/simple/egenix-mx-base/
    Found link https://files.pythonhosted.org/packages/39/01/f47c4f8b2a58ad580e124272d5e2213371551cefabf20ef9fbffa93af1b9/egenix-mx-base-3.2.8.zip#sha256=517971586f785265d30487fb0ebba170d3f684a167114db10c32c2f0d1e5a06d (from https://pypi.org/simple/egenix-mx-base/), version: 3.2.8
    Found link https://files.pythonhosted.org/packages/66/e6/e0709aedeb4a5c92a1aeb8c47ab50e9506eafc865806801bd3f01d72b671/egenix-mx-base-3.2.9.zip#sha256=1844adcc137834724c1aca825dc9e1cbd8d81710f208231ea4bdb6d8b3006a95 (from https://pypi.org/simple/egenix-mx-base/), version: 3.2.9
  Using version 3.2.9 (newest of versions: 3.2.8, 3.2.9)
  Created temporary directory: /tmp/pip-unpack-ERCpcE
  Starting new HTTPS connection (1): files.pythonhosted.org:443
/usr/share/python-wheels/urllib3-1.24.1-py2.py3-none-any.whl/urllib3/connectionpool.py:849: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  https://files.pythonhosted.org:443 "GET /packages/66/e6/e0709aedeb4a5c92a1aeb8c47ab50e9506eafc865806801bd3f01d72b671/egenix-mx-base-3.2.9.zip HTTP/1.1" 200 74677
  Downloading https://files.pythonhosted.org/packages/66/e6/e0709aedeb4a5c92a1aeb8c47ab50e9506eafc865806801bd3f01d72b671/egenix-mx-base-3.2.9.zip (74kB)
  Downloading from URL https://files.pythonhosted.org/packages/66/e6/e0709aedeb4a5c92a1aeb8c47ab50e9506eafc865806801bd3f01d72b671/egenix-mx-base-3.2.9.zip#sha256=1844adcc137834724c1aca825dc9e1cbd8d81710f208231ea4bdb6d8b3006a95 (from https://pypi.org/simple/egenix-mx-base/)
    100% |################################| 81kB 3.8MB/s 
  Added egenix-mx-base from https://files.pythonhosted.org/packages/66/e6/e0709aedeb4a5c92a1aeb8c47ab50e9506eafc865806801bd3f01d72b671/egenix-mx-base-3.2.9.zip#sha256=1844adcc137834724c1aca825dc9e1cbd8d81710f208231ea4bdb6d8b3006a95 to build tracker '/tmp/pip-req-tracker-RNx2qw'
  Running setup.py (path:/tmp/pip-install-vEVND8/egenix-mx-base/setup.py) egg_info for package egenix-mx-base
    Running command python setup.py egg_info
    web installer could not download the package https://downloads.egenix.com/python/egenix-mx-base-3.2.9-py2.7_ucs4-linux-x86_64-prebuilt.zip#md5=1e98d2daccd22c33103980a520a6c53d&sha1=5a94a58f1c6bcd9b8cfa671de93b3aa81555169c&sha256=6797559de9d103a35f4d134a18db7b7c4764ce562053a2142ec2d34b79d59da5&size=4739155: <urlopen error [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)>
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-install-vEVND8/egenix-mx-base/setup.py", line 12, in <module>
        landmarks=('mx', 'PREBUILT'))
      File "mxSetup.py", line 5790, in run_web_installer
        return web_installer.run()
      File "mxSetup.py", line 5670, in run
        self.install_package_from_url(url)
      File "mxSetup.py", line 5636, in install_package_from_url
        (url, reason))
    distutils.errors.DistutilsError: web installer could not download the package https://downloads.egenix.com/python/egenix-mx-base-3.2.9-py2.7_ucs4-linux-x86_64-prebuilt.zip#md5=1e98d2daccd22c33103980a520a6c53d&sha1=5a94a58f1c6bcd9b8cfa671de93b3aa81555169c&sha256=6797559de9d103a35f4d134a18db7b7c4764ce562053a2142ec2d34b79d59da5&size=4739155: <urlopen error [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)>
Cleaning up...
  Removing source in /tmp/pip-install-vEVND8/egenix-mx-base
Removed egenix-mx-base from https://files.pythonhosted.org/packages/66/e6/e0709aedeb4a5c92a1aeb8c47ab50e9506eafc865806801bd3f01d72b671/egenix-mx-base-3.2.9.zip#sha256=1844adcc137834724c1aca825dc9e1cbd8d81710f208231ea4bdb6d8b3006a95 from build tracker '/tmp/pip-req-tracker-RNx2qw'
Removed build tracker '/tmp/pip-req-tracker-RNx2qw'
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-vEVND8/egenix-mx-base/
Exception information:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/pip/_internal/cli/base_command.py", line 143, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/dist-packages/pip/_internal/commands/install.py", line 338, in run
    resolver.resolve(requirement_set)
  File "/usr/lib/python2.7/dist-packages/pip/_internal/resolve.py", line 102, in resolve
    self._resolve_one(requirement_set, req)
  File "/usr/lib/python2.7/dist-packages/pip/_internal/resolve.py", line 256, in _resolve_one
    abstract_dist = self._get_abstract_dist_for(req_to_install)
  File "/usr/lib/python2.7/dist-packages/pip/_internal/resolve.py", line 209, in _get_abstract_dist_for
    self.require_hashes
  File "/usr/lib/python2.7/dist-packages/pip/_internal/operations/prepare.py", line 298, in prepare_linked_requirement
    abstract_dist.prep_for_dist(finder, self.build_isolation)
  File "/usr/lib/python2.7/dist-packages/pip/_internal/operations/prepare.py", line 126, in prep_for_dist
    self.req.run_egg_info()
  File "/usr/lib/python2.7/dist-packages/pip/_internal/req/req_install.py", line 473, in run_egg_info
    command_desc='python setup.py egg_info')
  File "/usr/lib/python2.7/dist-packages/pip/_internal/utils/misc.py", line 723, in call_subprocess
    % (command_desc, proc.returncode, cwd))
InstallationError: Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-vEVND8/egenix-mx-base/

Workaround
Thanks @chrahunt, a workaround you mention below allows the above pip install to succeed on debian 10!
#6609 (comment)

sed -i 's/TLSv1.2/TLSv1.0/g' /etc/ssl/openssl.cnf

[chrahunt]

You were right to link #6959 - this is unrelated to pip behavior (and so --trusted-hosts has no impact). Everything here is related to the egenix-mx-base package, but specifically the server that the package is trying to download from only speaks TLSv1.0 but that is disabled by default in the openssl provided by Debian Buster (maybe before that).

[chrahunt]

You might try emailing their support to get them to update the server software to support more recent versions of TLS.

[chrahunt]

Hi @jamshid. I hope the above helped. I'll close this issue since it doesn't look like a problem with pip. Thanks!