Help us understand the problem. What is going on with this article?

pip installでいまだにInsecurePlatformWarningが出るけどなんかいろいろと面倒くさくてやってなかった

More than 3 years have passed since last update.

pip install -> InsecurePlatformWarning

$ python -V
Python 2.7.1
$ pip -V
pip 8.1.1 from /Users/foo/.anyenv/envs/pyenv/versions/2.7.1/lib/python2.7/site-packages (python 2.7)
$ pip install everytime-warning
…
/Users/foo/.anyenv/envs/pyenv/versions/2.7.1/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/Users/foo/.anyenv/envs/pyenv/versions/2.7.1/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
…

何で怒られているのか

https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning

Certain Python distributions (specifically, versions of Python earlier than 2.7.9) and older OpenSSLs have restrictions that prevent them from using the SNI (Server Name Indication) extension. This can cause unexpected behaviour when making some HTTPS requests, usually causing the server to present the a TLS certificate that is not valid for the website you’re trying to access.

「2.7.9以前のバージョンでは証明書が正しくないサイトにアクセスしてしまう場合があります」的な

証明書が正しくないと何が起こるのか

最悪の場合、

  1. 著名なプラグインだから安心だろうと思ってpip installする(numpyとか)
  2. アクセス先がすり替えられて、悪意のあるプラグインをダウンロードする
  3. 証明書の検証が正しく行われず、インストールしてしまう

ということになるかもしれない

pyenv install

普通にpyenv install 2.7.9しようとしたら、怒られた

ERROR: The Python ssl extension was not compiled. Missing the OpenSSL lib?

anyenvをアップグレード

(cd ~/.anyenv && git pull)
exec $SHELL -l
anyenv install pyenv
exec $SHELL -l
pyenv install 2.7.9
pyenv global 2.7.9
pip install secure-and-silent

めでたし

Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
Comments
No comments
Sign up for free and join this conversation.
If you already have a Qiita account
Why do not you register as a user and use Qiita more conveniently?
You need to log in to use this function. Qiita can be used more conveniently after logging in.
You seem to be reading articles frequently this month. Qiita can be used more conveniently after logging in.
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
ユーザーは見つかりませんでした