Unable to install Python packages using pip in Ubuntu Linux: InsecurePlatformWarning, SSLError, tlsv1 alert protocol version

Problem description

Previously I used to install packages by pip but now I am trying to install a Python library using pip, getting an SSL error:

 /home/teleduce/.virtualenvs/teleduce_handler/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
 /home/teleduce/.virtualenvs/teleduce_handler/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Could not fetch URL https://pypi.python.org/simple/xlwt/: There was a problem confirming the ssl certificate: [Errno 1] _ssl.c:504: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version - skipping

OpenSSL and TLS version

OpenSSL 1.0.1 14 Mar 2012
SSLv3
TLSv1.2

Pip version

pip 8.1.2 from /home/teleduce/.virtualenvs/project_name/local/lib/python2.7/site-packages (python 2.7)

Operating system information

Ubuntu 12.04.4 LTS (GNU/Linux 3.8.0-44-generic x86_64)

I tried

pip install --upgrade pip
curl https://bootstrap.pypa.io/get-pip.py | python

but it does not work for me. The error message I got is:

SSL routines: SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

How to resolve this error?

Recommended answer

The SSLError occurs because the system OpenSSL library version (the one linked to your Python upon compilation) was below 1.0.1 on the day Python was installed, or your current Python version is below 2.7.9 / 3.4, because neither of these really supports the TLS 1.2 protocol version, which the Python Package Index (PyPI) now requires from pip to connect.

Distributions usually cannot easily upgrade old openssl and system Python without undergoing a full OS upgrade, which is not always desirable. You could compile your own 'non-system' OpenSSL from recent sources and then try to compile a standalone 'non-system' Python linking it against the OpenSSL you have just compiled, but sometimes this approach is also unfeasible due to various limitations.

Popular recommendations, such as to pip install requests[secure] or urllib3[secure], often cannot help fix pip because pip itself is affected and won't be able to connect to PyPI to install anything. We cannot ask pip to connect to PyPI to fix pip's inability to connect to PyPI. :) To fix it without upgrading Python, we need to install relevant packages manually, resolving dependencies:

  • PyOpenSSL and cryptography (its manylinux1 wheel ships newer openssl library);
  • their dependencies: asn1crypto, cffi, enum34, idna, ipaddress, pycparser, six;
  • any pip 10+ version, because older pip versions did not really use cryptography - only the standard library's ssl module (you don't require a new pip version if yours is already 10 or above, any pip v10+ will do)

Tested on ancient Ubuntu with old non-working pip and outdated system openssl version.

Step 1 - Download

Download the following packages from the Python Package Index (pypi.org) via your web browser of choice -- choose recent manylinux1 wheels (.whl) for your OS/platform:

pip, asn1crypto, enum34, idna, six, ipaddress, pyOpenSSL, cffi, cryptography wheels; and also pycparser (a non-wheel, it will be a tar.gz)

cp27- stands for Python 2.7, cp36- for Python 3.6;
mu- type manylinux wheels are a common choice, as they are for Pythons that store Unicode data in UCS-4 (UTF-32) format -- here's how to check it:
$ python -c "import sys; print('UCS4/UTF-32: mu-manylinux1' if sys.maxunicode > 65535 else 'UCS2/UTF-16: m-manylinux1')"

Note for Python 3: the cp34-abi3-manylinux1 cryptography wheel can be used with any Python version >= 3.4, because abi3 supports multiple versions of Python 3, e.g. cryptography-2.5-cp34-abi3-manylinux1_x86_64.whl (2.4 MB)

Basically, wheels are ZIP archives with a specially formatted file name and the .whl extension, containing a relocatable Python package. The package can be pure-python, but can also have pre-compiled C libraries for python bindings, so it can be installed without the need to have certain system dependencies like gcc, python-dev and other C headers/libs, often required for classic .tar.gz format packages. This also allows using exact versions of programs bundled within each wheel. The manylinux1_{x86_64,i686} wheel platform tag was adopted in PEP-513 and will work on many linux systems, including the popular desktop and server distros in common use. Expect manylinux2 tag in future!

Simply create a new directory, for example:
$ mkdir ~/wheels_dir
and copy (or move) all the downloaded packages to that directory.

No other files (except the downloaded wheels) and no subdirs there please!

If your current pip version is below 8.1, the newer pip version has to be installed before proceeding with all other packages:
$ pip install --user --no-index ~/wheels_dir/pip-19.0.1-py2.py3-none-any.whl
It will upgrade pip to handle the new manylinux1 wheel format and help avoid the "not a supported wheel on this platform" error.

To install all the packages at user home level (pip3 in Python 3):
$ pip install --user --no-index ~/wheels_dir/*

If installing in a new or existing virtualenv, omit the --user option:

$ source bin/activate
$ pip install --no-index ~/wheels_dir/*

Pip will resolve correct installation order and dependencies automagically. (one could also create a requirements.txt for this if so needed)

Note: Unless you install in a Python virtualenv or venv, it is highly recommended to always use the --user flag with pip. It then deploys python packages under your home dir in ~/.local/lib/. In fact, this option is always On by default in distro-patched pip versions provided by python3-pip and python-pip packages in recent versions of popular distros such as Ubuntu, Debian, Fedora, etc. Please try to avoid sudo pip, as using pip with root access interferes with your OS package manager subsystem (apt, yum, etc) and may affect essential OS components that depend on the distro-supplied system python.

Run the pip freeze (or pip3 freeze in Python 3) command to check the results and ensure all packages have been installed for your Python environment.

Congratulations! Now your pip should work with PyPI, and you can try to look up something like pip search colorama from the online PyPI repo.

You can see the detailed summary of your system SSL/TLS setup by querying the installed pyOpenSSL lib directly:
$ python -m OpenSSL.debug
(a ModuleNotFoundError would mean the pyOpenSSL package was not installed)

Cryptography's linked OpenSSL shared lib doesn't conflict in any way with your system Python's openssl version. It may now be a good opportunity to also update your collection of root SSL certificates for the future by installing the latest python certifi package.

Earlier versions of pip (before 10) only used the standard library's ssl module (which is a Python API to system OpenSSL library) without any possible fallback to other libraries like cryptography. Since version 10, pip now can use pyOpenSSL with cryptography, if present in the environment.

The manylinux1 wheel of cryptography package includes recent OpenSSL library that supports all TLS protocols as high as v1.3 regardless of what's on your platform (PyPI expects pip to support TLSv1.2). That's why this wheel weighs 2.1 Mb -- the archive ships a shared lib binding:

$ strings site-packages/cryptography/hazmat/bindings/_openssl.so | grep OpenSSL -m1
OpenSSL 1.1.1a  20 Nov 2018
$ python -c "from cryptography.hazmat.backends.openssl import backend as b; print(b.openssl_version_text())"
OpenSSL 1.1.1a  20 Nov 2018
$ python -c "from OpenSSL import SSL; print(SSL.SSLeay_version(0))"
OpenSSL 1.1.1a  20 Nov 2018
$ python -c "import requests; print(requests.get('https://www.howsmyssl.com/a/check').json()['tls_version'])"
TLS 1.3

The Cryptography wheel contains a statically-linked OpenSSL binding, which ensures that you have access to the most-recent OpenSSL releases without corrupting your system dependencies.
This will allow you to continue to use relatively old Linux distributions (such as LTS releases), while making sure you have the most recent OpenSSL available to your Python programs. (https://cryptography.io/en/latest/installation/)

In Python 2, the standard library's ssl module began supporting the PROTOCOL_TLSv1_2 flag explicitly since version 2.7.9, while in Python 3 - since version 3.4; but TLSv1.2 connections would work if and only if the TLSv1.2-capable system-wide OpenSSL library was already available in the system by the time Python was being compiled and linked against it. TLSv1.2 requires a minimum of OpenSSL 1.0.1 to function but OpenSSL 1.0.2 (or later) is generally recommended (it uses TLSv1.2 by default).

If you do have Python 2.7.9+ or 3.4+, and its ssl module had been, in fact, compiled against system openssl, say v1.0.2k, then even old pip (such as v6.0.8) would still be working with PyPI as of the time of this writing, and you would not even need cryptography for that. To check the standard library Python ssl and system openssl versions:
$ python -c "import ssl; print(ssl.OPENSSL_VERSION)" && openssl version
OpenSSL 0.9.8o 01 Jun 2010

Even if we upgraded some outdated distro-supplied openssl, or compiled the newest one, we can't just re-link the existing Python installation to it: the ssl module was hard-linked to the system-supplied OpenSSL upon compilation/installation of Python, and not vice versa. So, basically, one could not take advantage of new TLS protocols without recompiling/reinstalling Python itself (that should be versions 2.7.9+ / 3.4+ at least) to link it to the new system openssl library. This is where the above pyopenssl+cryptography approach comes to the rescue.

Happy birthday! :)
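The conditions the answer gives for pip reaching PyPI over TLS 1.2 can be written as one check. This is an added example, not code from the answer or from pip; the names stdlib_tls12_ok, pip_transport and probe are hypothetical, and it assumes only the thresholds stated above (Python 2.7.9 / 3.4, OpenSSL 1.0.1, pip 10 with pyOpenSSL and cryptography).

```python
import ssl
import sys

MIN_OPENSSL = (1, 0, 1)  # minimum OpenSSL for TLS 1.2, per the answer


def stdlib_tls12_ok(py_version, openssl_info, has_flag):
    """True when the standard library ssl module can negotiate TLS 1.2."""
    py = tuple(py_version[:3])
    new_enough = py >= (3, 4) or (2, 7, 9) <= py < (3, 0)
    return new_enough and has_flag and tuple(openssl_info[:3]) >= MIN_OPENSSL


def pip_transport(py_version, openssl_info, has_flag, pip_major, has_pyopenssl):
    """Classify how (or whether) pip can reach PyPI over TLS 1.2."""
    if stdlib_tls12_ok(py_version, openssl_info, has_flag):
        return "stdlib-ssl"
    if pip_major >= 10 and has_pyopenssl:
        return "pyopenssl-cryptography"
    return "blocked"


def _importable(module):
    # A mismatched pyOpenSSL/cryptography pair can fail with errors other
    # than ImportError, so any exception counts as "not usable".
    try:
        __import__(module)
        return True
    except Exception:
        return False


def probe():
    """Collect the same inputs from the running interpreter."""
    try:
        import pip
        pip_major = int(pip.__version__.split(".")[0])
    except Exception:
        pip_major = 0
    return pip_transport(
        sys.version_info, ssl.OPENSSL_VERSION_INFO,
        hasattr(ssl, "PROTOCOL_TLSv1_2"), pip_major,
        _importable("OpenSSL") and _importable("cryptography"))


if __name__ == "__main__":
    print("%s -> %s" % (ssl.OPENSSL_VERSION, probe()))
```

A result of "blocked" is the situation in the question; "pyopenssl-cryptography" is the state after the offline wheel install.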


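Because the wheels are fetched by hand and installed with --no-index, a check of the directory before running pip is worthwhile. The following is an added example, not part of the original answer: preflight and parse_artifact are hypothetical names, interpreter_abi is an assumed parameter (for example "cp27mu"), and the SHA256 digests it returns are meant to be compared by eye with the ones PyPI lists for each file.

```python
import hashlib
import os
import re

# Packages the answer lists for the offline install (names normalized).
REQUIRED = {"pip", "asn1crypto", "enum34", "idna", "six", "ipaddress",
            "pyopenssl", "cffi", "cryptography", "pycparser"}


def _norm(name):
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_artifact(filename):
    """Return (name, abi_tag) for a wheel or sdist, or None if neither."""
    if filename.endswith(".whl"):
        parts = filename[:-4].split("-")
        if len(parts) in (5, 6):           # PEP 427: optional build tag
            return _norm(parts[0]), parts[-2]
    elif filename.endswith(".tar.gz"):
        name, sep, _version = filename[:-7].rpartition("-")
        if sep:
            return _norm(name), None       # sdists carry no ABI tag
    return None


def preflight(wheels_dir, interpreter_abi):
    """Check the directory before `pip install --no-index wheels_dir/*`."""
    report = {"stray": [], "wrong_abi": [], "sha256": {}}
    seen = set()
    for entry in sorted(os.listdir(wheels_dir)):
        path = os.path.join(wheels_dir, entry)
        parsed = parse_artifact(entry) if os.path.isfile(path) else None
        if parsed is None:
            report["stray"].append(entry)  # subdirectory or unrelated file
            continue
        name, abi = parsed
        seen.add(name)
        # abi3 wheels (cp34-abi3) only fit Python 3 interpreters.
        abi3_ok = abi == "abi3" and interpreter_abi.startswith("cp3")
        if not (abi in (None, "none", interpreter_abi) or abi3_ok):
            report["wrong_abi"].append(entry)
        with open(path, "rb") as fh:
            report["sha256"][entry] = hashlib.sha256(fh.read()).hexdigest()
    report["missing"] = sorted(REQUIRED - seen)
    return report
```

An empty "stray", "wrong_abi" and "missing" means the directory matches what the answer asks for; a "wrong_abi" entry is the usual cause of the "not a supported wheel on this platform" error.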