TLSV1_ALERT_PROTOCOL_VERSION for files.pythonhosted.org on Mac OS python 2.7 #3293
Comments
@stromnet thanks for your report. Our CDN provider is deprecating support for TLS protocols 1.0 and 1.1 on June 30, 2018. In preparation for that, the new CDN endpoint for pypi.org only has support for TLSv1.2. What is interesting here is that the initial requests to pypi.org succeeded... It's not clear to me why subsequent requests to files.pythonhosted.org are failing. cc @dstufft |
I am experiencing the same problem on Python 2.7, 3.4, and 3.5. Working on Python 3.6. Can I ask how long this testing period is going to last for? |
We're just over an hour in, so we'll probably back it off now. Thanks for confirming the report @pauldmccarthy |
Determination on cause of issue: Although pypi.org and files.pythonhosted.org share a Fastly service, files.pythonhosted.org is terminated by a separate TLS endpoint which does not have TLSv1.0/TLSv1.1 enabled due to being on the shared certificate provided by our CDN. |
There is a new version of pip out which should resolve this issue for macOS users. |
It's working again now, so cannot verify with updated pip, but indeed it looks like 9.0.2 has related changes: https://pip.pypa.io/en/stable/news/ |
I'm writing a note to post to https://mail.python.org/mailman/listinfo/pythonmac-sig about this, to spur users of pre-10.12 macOS versions to upgrade to pip 9.0.3. Is this accurate?
Mac users: If you are running macOS/OS X version 10.12 or older, you need to upgrade to the latest pip (9.0.3) to connect to the Python Package Index securely:
Pip 9.0.3 supports TLSv1.2 when running under system Python on macOS < 10.13. Official release notes: https://pip.pypa.io/en/stable/news/
Context: As PSF blogged last year https://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html , on June 30, 2018, Python.org sites are going to entirely stop supporting TLS versions 1.0 and 1.1, because our CDN provider is deprecating support for those versions.
We are launching the new PyPI (in beta at https://pypi.org) this month and replacing the legacy PyPI (https://pypi.python.org). Here's the beta announcement for the new PyPI: https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html Warehouse, the codebase for the new PyPI, does not support TLS 1.0 or 1.1. We're warning our users early with this message.
Also, as of late March, the Python Package Index has started doing brownouts of the deprecated TLS versions. For some portion of each hour, anyone attempting to access PyPI with TLSv1.0 or TLSv1.1 will get a 403 response with an informative error. As we get closer to the deadline, we will be ramping up the amount of time the endpoint is down for the deprecated TLS versions. The ultimate goal is to have it be 100% unavailable on and after April 8th, prior to the final deadline (because we can give a good error message -- once June 30th hits, it will just be an uninformative OpenSSL error).
More info:
Thank you. Please publicize this. |
Might be worthwhile to mention that this is due to our CDN provider deprecating support for 1.0 & 1.1. |
@brainwane Looks good to me. @dstufft knows the details better than I do, but I think this covers the key points |
Got an ok from Donald, touched up the prose a bit, and posted to distutils-sig and a few other places. |
I have a question of clarification. What should users of MacOS 10.13 or newer do? Is pip 9.0.1 safe there, do they all have pip 9.0.3, or should they lose all hope? |
@gvanrossum System Python on macOS 10.13 should be unaffected, since Apple upgraded the OpenSSL it links against. I think it's theoretically possible on macOS 10.13 to have virtualenvs with Pythons created under 10.12; in those cases you should either destroy and recreate the virtualenv, or upgrade pip to 9.0.3 |
Also I guess if one installed any Python version from python.org one would be affected on 10.13 right? Or do I misunderstand how this works? I noticed ensurepip in 2.7.14 still has the pip 9.0.1 bundle (though the git repo was updated). Does this require a 2.7.15 release then? (And 3.{5,6} release too?) |
I've forgotten what we do about OpenSSL for python.org installers. The
short answer is that versions that use the system OpenSSL are ok on either
macOS 10.13+ or pip 9.0.3+; versions that bundle their own OpenSSL are fine
on any macOS.
--
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
|
Who should I ask then?
|
Ned Deily may know off hand which versions of Python use which OpenSSL
packaging strategy.
|
tl;dr [UPDATE 2018-05-02: Python 2.7.15 is now released so all current python.org macOS installers now include up-to-date versions of OpenSSL. If you are using a python.org macOS Python 2.7.14 or earlier, please download and install Python 2.7.15. This should resolve any issues with using pip to download from PyPI. If for some reason you cannot upgrade, read on.] The versions of pip bundled with recent python.org macOS installers will continue to be usable with PyPI / Warehouse except for the 2.7.14 (and earlier) 10.6+ 64-bit/32-bit variant which needs to be updated to pip 9.0.3 or 10.x. To update pip for 2.7.14, you may need to manually download and install it from PyPI; for example:
Details:
Recently superseded versions with a bundled pip:
Prior to the release of Python 2.7.15, the only problematic current python.org macOS was the 2.7 10.6+ 64-bit/32-bit variant (currently 2.7.14, released in 2017-09). For legacy compatibility reasons, that one still dynamically links with the deprecated Apple-supplied system OpenSSL libraries (0.9.8 series) and so the bundled (By the way, in macOS 10.13+ (and perhaps earlier) Apple ships both the old 0.9.8+ OpenSSL and newer LibreSSL 2.2.7 libraries since they are not ABI-compatible. The Apple-supplied system Python (2.7.10) now links with the LibreSSL version. Apple also does not ship a version of pip; they do ship setuptools / easy_install, currently 18.5). |
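The rule of thumb stated in this thread (a Python linked against a TLS library with TLSv1.2 works with any pip; one linked against the old system OpenSSL needs pip 9.0.3+ on macOS) written out as a diagnostic. This is an added example, not code from the thread, pip or Warehouse; the function names and the sample version strings are constructed, and the 1.0.1 cutoff is the OpenSSL release that introduced TLSv1.2.

```python
import re
import ssl

MIN_OPENSSL = (1, 0, 1)  # first OpenSSL release with TLSv1.2; every LibreSSL has it
MIN_PIP = (9, 0, 3)      # pip version the thread names for old system OpenSSL on macOS


def parse_ssl_version(text):
    """Split a string like ssl.OPENSSL_VERSION into (library, (major, minor, patch))."""
    m = re.match(r"(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised TLS library string: %r" % text)
    return m.group(1), tuple(int(g) for g in m.groups()[1:])


def linked_lib_has_tls12(text):
    """True if the TLS library this Python links against can speak TLSv1.2."""
    lib, ver = parse_ssl_version(text)
    return lib == "LibreSSL" or ver >= MIN_OPENSSL


def parse_pip_version(text):
    """'9.0.1' -> (9, 0, 1); pads short versions such as '10.0'."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def pip_can_reach_pypi(ssl_version, pip_version, on_macos):
    """Apply the thread's rule of thumb; returns (ok, reason)."""
    if linked_lib_has_tls12(ssl_version):
        return True, "linked TLS library supports TLSv1.2"
    if on_macos and parse_pip_version(pip_version) >= MIN_PIP:
        return True, "old OpenSSL, but pip >= 9.0.3 on macOS"
    return False, "no TLSv1.2 available to pip"


# Constructed sample inputs in the format ssl.OPENSSL_VERSION reports:
# (TLS library string, pip version, running on macOS?)
SAMPLES = [
    ("OpenSSL 0.9.8zh 14 Jan 2016", "9.0.1", True),
    ("OpenSSL 0.9.8zh 14 Jan 2016", "9.0.3", True),
    ("LibreSSL 2.2.7", "9.0.1", True),
    ("OpenSSL 1.0.2n  7 Dec 2017", "9.0.1", False),
]

if __name__ == "__main__":
    for lib, pip_ver, mac in SAMPLES:
        print(lib, "| pip", pip_ver, "->", pip_can_reach_pypi(lib, pip_ver, mac))
    print("this interpreter:", ssl.OPENSSL_VERSION,
          "-> TLSv1.2:", linked_lib_has_tls12(ssl.OPENSSL_VERSION))
```

Run it with the interpreter in question (including the one inside a virtualenv), since the answer depends on the library that interpreter links against, not on the macOS version alone.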
You can execute |
One problem with |
For people in this camp, if you fail to upgrade to the latest pip (e.g. in some virtualenv), will it connect to the Python Package Index insecurely in a silent fashion, or will it fail (or at least warn you)? |
It will fail. |
And, alas, it fails without a very useful warning (see the example script above), unless you enable verbose. |
So, to be clear, this:
is how it fails. Not very clear indeed, alas. |
Yes, with
|
So just to clarify some more: In the course of normal usage, if someone types something like--
Will they see something more like this, or something else? (note ansible in place of pip)
And then if they follow the instructions in the message, they will get this?
(With the examples others provided, it's a little confusing what parts are due to installing pip as opposed to installing whatever random package is being installed.) |
The error will change once we can disable TLSv1.0 and TLSv1.1, I believe it'll give a SSL error at that point, but I'm not 100% sure, I only have a macOS 10.13 machine. |
If someone has a non TLSv1.2 supporting Python, they could try |
|
Ok, so that's the error that'll happen after April 8th. |
Thank you all! Downloading & installing pip manually as described in #3293 (comment) solved the issue. As there is a proper solution for this, I'll close this ticket! |
Same here, downloading & installing pip manually as described in #3293 (comment) solved the issue. Thank you! |
[FTR, I've updated the detailed python.org macOS information in my 2018-04-03 comment earlier in this thread to reflect the release of Python 2.7.15. If you are using python.org macOS installers for 2.7.x, upgrading to 2.7.15 should eliminate download problems.] |
Using the python.org Python 3.5.4 macOS installer (which does not support TLS 1.2, even on macOS 10.14) but with a recent pip (with TLS 1.2 support),
I'm not expecting any kind of fix, but I thought I would mention it in case it helps someone. |
Might not be relevant, but https://status.python.org/incidents/btjtz01lzp88 mentions to report issues which may have relation to https://pypi.org/simple/ansible/, and at least I seem to use that..
Never had this issue before at least (re-installing ansible 2.3.2.0 after doing some tests with 2.4.0, as evident a lot of cached stuff has been fetched earlier).