238

Im using Python 2.7.3 and Requests. I installed Requests via pip. I believe it's the latest version. I'm running on Debian Wheezy.

I've used Requests lots of times in the past and never faced this issue, but it seems that when making https requests with Requests I get an InsecurePlatform exception.

The error mentions urllib3, but I don't have that installed. I did install it to check if it resolved the error, but it didn't.

/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3
/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not
available. This prevents urllib3 from configuring SSL appropriately and 
may cause certain SSL connections to fail. For more information, see 
https://urllib3.readthedocs.org/en/latest  
/security.html#insecureplatformwarning.

Any ideas as to why I'm getting this? I've checked the docs, as specified in the error message, but the docs are saying to import urllib3 and either disable the warning, or provide a certificate.

16 Answers 16

393

Use the somewhat hidden security feature:

pip install requests[security] or pip install pyOpenSSL ndg-httpsclient pyasn1

Both commands install following extra packages:

  • pyOpenSSL
  • cryptography
  • idna

Please note that this is not required for python-2.7.9+.

If pip install fails with errors, check whether you have required development packages for libffi, libssl and python installed in your system using distribution's package manager:

  • Debian/Ubuntu - python-dev libffi-dev libssl-dev packages.

  • Fedora - openssl-devel python-devel libffi-devel packages.

Distro list above is incomplete.

Workaround (see the original answer by @TomDotTom):

In case you cannot install some of the required development packages, there's also an option to disable that warning:

import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()

If your pip itself is affected by InsecurePlatformWarning and cannot install anything from PyPI, it can be fixed with this step-by-step guide to deploy extra python packages manually.

16
  • 3
    I have requests[security], new terminal, Python 2.7.3 and still getting this error Mar 19, 2015 at 19:03
  • 46
    you also need to install additional libraries on system for Ubuntu/Debian: sudo apt-get install python-dev libffi-dev libssl-dev Apr 8, 2015 at 15:02
  • 2
    Is it ok that "pip" itself (staring from v6.1) gives the same security warning?
    – jmster
    Apr 13, 2015 at 17:22
  • 5
    depending on your shell, you may need to type pip install 'requests[security]'
    – C. Reed
    Jun 21, 2015 at 21:55
  • 5
    in zshell, you need to say: pip install requests\[security\]
    – Amir Katz
    Oct 11, 2015 at 9:28
67

Requests 2.6 introduced this warning for users of python prior to 2.7.9 with only stock SSL modules available.

Assuming you can't upgrade to a newer version of python, this will install more up-to-date python SSL libraries:

pip install --upgrade ndg-httpsclient 

HOWEVER, this may fail on some systems without the build-dependencies for pyOpenSSL. On debian systems, running this before the pip command above should be enough for pyOpenSSL to build:

apt-get install python-dev libffi-dev libssl-dev
3
  • 4
    I needed to install these packages 'python-dev libffi-dev libssl-dev' for ubuntu 14.04 as well.
    – Andrew
    Apr 8, 2015 at 16:04
  • Thanks! I've added a note to the documentation: github.com/shazow/urllib3/pull/765
    – Wolfgang
    Dec 22, 2015 at 21:20
  • @Jessica FTW! Thanks so much -- this was annoying.
    – Neal Magee
    Sep 15, 2016 at 19:56
19

I don't use this in production, just some test runners. And to reiterate the urllib3 documentation

If you know what you are doing and would like to disable this and other warnings

import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()

Edit / Update:

The following should also work:

import logging
import requests

# turn down requests log verbosity
logging.getLogger('requests').setLevel(logging.CRITICAL)
2
  • 1
    The problem with this solution is that it simply suppresses and ignores the actual problem. Furthermore, this won't work when using pip to install or upgrade packages. Mar 28, 2016 at 16:07
  • 1
    The only solution that works for me on a ubuntu 1404/ Python 2.7.6. Thanks Apr 28, 2016 at 20:53
8

In fact, you can try this.

requests.post("https://www.google.com", verify=False)

you can read the code for requests.

"C:\Python27\Lib\site-packages\requests\sessions.py"

class Session(SessionRedirectMixin):
......
 def request(self, method, url,
    params=None,
    data=None,
    headers=None,
    cookies=None,
    files=None,
    auth=None,
    timeout=None,
    allow_redirects=True,
    proxies=None,
    hooks=None,
    stream=None,
    verify=None,  # <========
    cert=None):
    """
    ...
    :param verify: (optional) if True, the SSL cert will be verified.
         A CA_BUNDLE path can also be provided.
    ...
    """
3
  • 2
    Be very careful doing this, not verifying certs can be dangerous!
    – jaapz
    May 20, 2015 at 9:01
  • Of course, not verifying certs will be dangerous. But sometimes, this is a last resort. Ex: easy_install, apt-get, yum or pip...do not ran, Or do a little Web Crawler...
    – zzzz zzzz
    May 28, 2015 at 5:13
  • 1
    I'm on a shared hosting environment so I can't upgrade python to 2.7.9 and I can't install the libffi.pc with apt-get, which is required by pip install requests[security] and the other pip install variants above. So this answer was the one that worked for me. As long as you understand the important caveat that without https verification the page contents could be changed/spoofed, I think this answer is fine.
    – Chirael
    Jun 14, 2015 at 19:11
6

If you are not able to upgrade your Python version to 2.7.9, and want to suppress warnings,

you can downgrade your 'requests' version to 2.5.3:

sudo pip install requests==2.5.3

About version: http://fossies.org/diffs/requests/2.5.3_vs_2.6.0/requests/packages/urllib3/util/ssl_.py-diff.html

3
  • 8
    Please note that 2.5.3 has security issue with cookie handling during redirects.
    – plaes
    Mar 24, 2015 at 8:05
  • 2
    Rather than post this answer twice, you should have flagged the other post as a duplicate. I've now closed it as such.
    – Martijn Pieters
    Mar 29, 2015 at 16:03
  • 6
    I second the comment to not downgrade because of the known vulnerability. Mar 31, 2015 at 20:10
5

All of the solutions given here haven't helped (I'm constrained to python 2.6.6). I've found the answer in a simple switch to pass to pip:

$ sudo pip install --trusted-host pypi.python.org <module_name>

This tells pip that it's OK to grab the module from pypi.python.org.

For me, the issue is my company's proxy behind it's firewall that makes it look like a malicious client to some servers. Hooray security.


Update: See @Alex 's answer for changes in the PyPi domains, and additional --trusted-host options that can be added. (I'd copy/paste here, but his answer, so +1 him)

1
  • I could finally install tensorflow using this command, thanks a lot!
    – pedrobisp
    Jan 23, 2017 at 2:16
4

This answer is unrelated, but if you wanted to get rid of warning and get following warning from requests:

InsecurePlatformWarning /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

You can disable it by adding the following line to your python code:

requests.packages.urllib3.disable_warnings()

1
  • Thanks for this. None of the other answers worked for me. I'm blown away that such a verbose annoying message would be put in by default.
    – Dan
    Mar 3, 2017 at 0:38
1

I had to go to bash (from ZSH) first. Then

sudo -H pip install 'requests[security]' --upgrade

fixed the problem.

1
  • I'm not sure. I think it's due to the brackets Apr 21, 2017 at 13:28
1

This came up for me on Ubuntu 14.04 (with Python 2.7.6) last week after i did a apt-get dist-upgrade that included libssl1.1:amd64 from deb.sury.org.

Since I run certbot-auto renew from a cron job, I also use the --no-self-upgrade to cut down on unscheduled maintenance. This seems to have been the source of the trouble.

To fix the error, all I needed to do was become root (with su's --login switch) and let certbot-auto upgrade itself. I.e:

sudo su --login
/usr/local/bin/certbot-auto renew 
# ... Upgrading certbot-auto 0.8.1 to 0.18.2... blah blah blah ...

instead of what normally runs from root's crontab:

5 7 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade

After that, letsencrypt renwals ran normally once again.

1
  • I got the same issue described here. warnings: /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see urllib3.readthedocs.io/en/latest/…. InsecurePlatformWarning I just type the command: sudo apt-get dist-upgrade The error was fixed.
    – Didierh
    Apr 6, 2019 at 6:16
0

For me no work i need upgrade pip....

Debian/Ubuntu

install dependencies

sudo apt-get install libpython-dev libssl-dev libffi-dev

upgrade pip and install packages

sudo pip install -U pip
sudo pip install -U pyopenssl ndg-httpsclient pyasn1

If you want remove dependencies

sudo apt-get remove --purge libpython-dev libssl-dev libffi-dev
sudo apt-get autoremove
0

I just had a similar issue on a CentOS 5 server where I installed python 2.7.12 in /usr/local on top of a much older version of python2.7. Upgrading to CentOS 6 or 7 isn't an option on this server right now.

Some of the python 2.7 modules were still existing from the older version of python, but pip was failing to upgrade because the newer cryptography package is not supported by the CentOS 5 packages.

Specifically, 'pip install requests[security]' was failing because the openssl version on the CentOS 5 was 0.9.8e which is no longer supported by cryptography > 1.4.0.

To solve the OPs original issue I did:

1) pip install 'cryptography<1.3.5,>1.3.0'.  

This installed cryptography 1.3.4 which works with openssl-0.9.8e. cryptograpy 1.3.4 is also sufficient to satisfy the requirement for the following command.

2) pip install 'requests[security]'

This command now installs because it doesn't try to install cryptography > 1.4.0.

Note that on Centos 5 I also needed to:

yum install openssl-devel

To allow cryptography to build

0

Below is how it's working for me on Python 3.6:

import requests
import urllib3

# Suppress InsecureRequestWarning: Unverified HTTPS
urllib3.disable_warnings()
0

Dont install pyOpenSSL as it shall soon be deprecated. Current best approach is-

import requests
requests.packages.urllib3.disable_warnings()
0

if you just want to stopping insecure warning like:

/usr/lib/python3/dist-packages/urllib3/connectionpool.py:794: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning)

do:

requests.METHOD("https://www.google.com", verify=False)

verify=False

is the key, followings are not good at it:

requests.packages.urllib3.disable_warnings()

or

urllib3.disable_warnings()

but, you HAVE TO know, that might cause potential security risks.

0

I had same problem with
Mac
Pycharm community edition 2019.3
Python interpreter 3.6.
Upgrading pip with 20.0.2 worked for me.
Pycharm --> Preferences --> Project Interpreter --> click on pip --> specify version 20.0.2 --> Install package

0

In my case working on an old ubuntu trusty image and trying to install python dateutil. I had first to upgrade python to 2.7.12 with the following:

add-apt-repository -y ppa:fkrull/deadsnakes-python2.7
apt-get -y update
apt install -y --force-yes python2.7-minimal
pip install python-dateutil

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.