current community

your communities

more stack exchange communities

Stack Exchange
tour help
stack overflow careers
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 43 down vote favorite
14

Im using Python 2.7.3 and Requests. I installed Requests via pip. I believe it's the latest version. I'm running on Debian Wheezy.

I've used Requests lots of times in the past and never faced this issue, but it seems that when making https requests with Requests I get an InsecurePlatform exception.

The error mentions urllib3, but I don't have that installed. I did install it to check if it resolved the error, but it didn't.

/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3
/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not
available. This prevents urllib3 from configuring SSL appropriately and 
may cause certain SSL connections to fail. For more information, see 
https://urllib3.readthedocs.org/en/latest  
/security.html#insecureplatformwarning.

Any ideas as to why I'm getting this? I've checked the docs, as specified in the error message, but the docs are saying to import urllib3 and either disable the warning, or provide a certificate.

share|improve this question

4 Answers 4

up vote 58 down vote accepted

Use the somewhat hidden security feature:

pip install requests[security]

This installs following extra packages:

  • pyOpenSSL
  • ndg-httpsclient
  • pyasn1

Please note that this is not required for python-2.7.9+

share|improve this answer
1  
I've installed successfully, but same problem. –  Luke Peckham Mar 17 at 13:05
2  
my bad, works. Had to restart terminal session –  Luke Peckham Mar 17 at 13:06
    
I have requests[security], new terminal, Python 2.7.3 and still getting this error –  Josh Nankin Mar 19 at 19:03
13  
you also need to install additional libraries on system for Ubuntu/Debian: sudo apt-get install python-dev libffi-dev libssl-dev –  therealmarv Apr 8 at 15:02
2  
depending on your shell, you may need to type pip install 'requests[security]' –  C. Reed Jun 21 at 21:55
up vote 5 down vote

Requests 2.6 introduced this warning for users of python prior to 2.7.9 with only stock SSL modules available.

Assuming you can't upgrade to a newer version of python, this will install more up-to-date python SSL libraries:

pip install --upgrade ndg-httpsclient

HOWEVER, this may fail on some systems without the build-dependencies for pyOpenSSL. On debian systems, running this before the pip command above should be enough for pyOpenSSL to build:

apt-get install python-dev libffi-dev libssl-dev
share|improve this answer
    
I needed to install these packages 'python-dev libffi-dev libssl-dev' for ubuntu 14.04 as well. –  Andrew Anthony Gerst Apr 8 at 16:04
up vote 2 down vote

If you are not able to upgrade your Python version to 2.7.9, and want to suppress warnings,

you can downgrade your 'requests' version to 2.5.3:

sudo pip install requests==2.5.3

About version: http://fossies.org/diffs/requests/2.5.3_vs_2.6.0/requests/packages/urllib3/util/ssl_.py-diff.html

share|improve this answer
4  
Please note that 2.5.3 has security issue with cookie handling during redirects. –  plaes Mar 24 at 8:05
    
Rather than post this answer twice, you should have flagged the other post as a duplicate. I've now closed it as such. –  Martijn Pieters Mar 29 at 16:03
    
I second the comment to not downgrade because of the known vulnerability. –  sergiopereira Mar 31 at 20:10
up vote 0 down vote

In fact, you can try this.

requests.post("https://www.google.com", **cerify=False**)

you can read the code for requests.

"C:\Python27\Lib\site-packages\requests\sessions.py"

class Session(SessionRedirectMixin):
......
 def request(self, method, url,
    params=None,
    data=None,
    headers=None,
    cookies=None,
    files=None,
    auth=None,
    timeout=None,
    allow_redirects=True,
    proxies=None,
    hooks=None,
    stream=None,
    **verify=None**,
    cert=None):
    """
    ...
    :param verify: (optional) if True, the SSL cert will be verified.
         A CA_BUNDLE path can also be provided.
    ...
    """
share|improve this answer
    
Be very careful doing this, not verifying certs can be dangerous! –  jaapz May 20 at 9:01
    
Of course, not verifying certs will be dangerous. But sometimes, this is a last resort. Ex: easy_install, apt-get, yum or pip...do not ran, Or do a little Web Crawler... –  张志鹏 May 28 at 5:13
    
I'm on a shared hosting environment so I can't upgrade python to 2.7.9 and I can't install the libffi.pc with apt-get, which is required by pip install requests[security] and the other pip install variants above. So this answer was the one that worked for me. As long as you understand the important caveat that without https verification the page contents could be changed/spoofed, I think this answer is fine. –  Chirael Jun 14 at 19:11

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.