
More than 5 years have passed since last update.

pip install still shows InsecurePlatformWarning, but it all seemed like too much hassle so I never dealt with it


pip install -> InsecurePlatformWarning

$ python -V
Python 2.7.1
$ pip -V
pip 8.1.1 from /Users/foo/.anyenv/envs/pyenv/versions/2.7.1/lib/python2.7/site-packages (python 2.7)
$ pip install everytime-warning
…
/Users/foo/.anyenv/envs/pyenv/versions/2.7.1/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/Users/foo/.anyenv/envs/pyenv/versions/2.7.1/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
…

What is it complaining about?

https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning

Certain Python distributions (specifically, versions of Python earlier than 2.7.9) and older OpenSSLs have restrictions that prevent them from using the SNI (Server Name Indication) extension. This can cause unexpected behaviour when making some HTTPS requests, usually causing the server to present the a TLS certificate that is not valid for the website you’re trying to access.

Roughly: "On versions earlier than 2.7.9, you may end up accessing a site whose certificate is not correct."
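The two conditions behind these warnings can be tested directly: urllib3 raises SNIMissingWarning when the interpreter's `ssl` module has no `HAS_SNI`, and InsecurePlatformWarning when it has no `ssl.SSLContext`. The script below is an added example (not from the original post or from urllib3) that reports both and exits non-zero when either is missing. `expected_warnings`, `tls_report`, `OldSsl` and `NewSsl` are names made up for this example, and the two stand-in classes are constructed to resemble the `ssl` module before and after Python 2.7.9.

```python
from __future__ import print_function

import ssl
import sys


class OldSsl(object):
    """Constructed stand-in for the ssl module of Python 2.7.1."""
    OPENSSL_VERSION = "OpenSSL 0.9.8 (constructed sample)"
    # Deliberately no HAS_SNI and no SSLContext attribute.


class NewSsl(object):
    """Constructed stand-in for the ssl module of Python 2.7.9 or later."""
    OPENSSL_VERSION = "OpenSSL 1.0.2 (constructed sample)"
    HAS_SNI = True
    SSLContext = object


def expected_warnings(ssl_mod=ssl):
    """Names of the urllib3 warnings this ssl module would trigger."""
    found = []
    if not getattr(ssl_mod, "HAS_SNI", False):
        found.append("SNIMissingWarning")        # hostname is not sent in the handshake
    if not hasattr(ssl_mod, "SSLContext"):
        found.append("InsecurePlatformWarning")  # TLS options cannot be configured
    return found


def tls_report(version_info=sys.version_info, ssl_mod=ssl):
    """Summarise whether this interpreter gives pip a usable TLS stack."""
    warnings = expected_warnings(ssl_mod)
    return {
        "python": ".".join(str(part) for part in version_info[:3]),
        "openssl": getattr(ssl_mod, "OPENSSL_VERSION", "unknown"),
        "warnings": warnings,
        "ok": not warnings,
    }


def main():
    report = tls_report()
    for key in ("python", "openssl", "warnings", "ok"):
        print("{0:9}{1}".format(key, report[key]))
    return 0 if report["ok"] else 1  # non-zero lets a wrapper script refuse to run pip


if __name__ == "__main__":
    sys.exit(main())
```

The script uses feature detection rather than a version comparison, so it runs unchanged under Python 2.7 and Python 3 and can be run with each interpreter pyenv provides.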

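What happens if the certificate is not correct?

In the worst case,

  1. You run pip install assuming a well-known plugin must be safe (numpy, for example)
  2. The destination you connect to is swapped out, and you download a malicious plugin
  3. The certificate is not verified correctly, and you end up installing it

is something that could happen.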

pyenv install

When I simply tried to run pyenv install 2.7.9, it complained:

ERROR: The Python ssl extension was not compiled. Missing the OpenSSL lib?

Upgrade anyenv

(cd ~/.anyenv && git pull)
exec $SHELL -l
anyenv install pyenv
exec $SHELL -l
pyenv install 2.7.9
pyenv global 2.7.9
pip install secure-and-silent

And all is well.
