Message 276423 - Python tracker

Author	jaraco
Recipients	jaraco
Date	2016-09-14.12:39:30
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1473856770.26.0.3471987491.issue28150@psf.upfronthosting.co.za>
In-reply-to

Content
I saw the notice when installing Python 3.6.0b1 on Mac that said that the bundled OpenSSL is no longer used and thus 'certifi' will need to be installed and kept up-to-date. At first, I thought, "no big deal" and pushed forward, but since, I've encountered the error in several cases: - pip install of anything but certifi - pip install in a new venv of anything but certifi - distutils upload command (even with certifi installed) I've only had 3.6.0b1 installed for a day, so I imagine I'm going to encounter new cases. Yes, indeed: $ python Python 3.6.0b1 (v3.6.0b1:5b0ca4ed5e2f, Sep 12 2016, 09:24:46) [GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import urllib.request >>> urllib.request.urlopen('https://www.google.com') Traceback (most recent call last): File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 1318, in do_open ... File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 683, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:747) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 223, in urlopen ... File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 1320, in do_open raise URLError(err) urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:747)> >>> import certifi So it seems that even the guidance of installing certifi isn't sufficient to restore the basic expectation that using the stdlib to open URLs securely. I can't imagine this behavior is acceptable (either requiring a bootstrap step in each environment or requiring some call at runtime to set up SSL before making HTTPS calls). I no longer have the message that the installer gave me and I don't see anything in the What's New document for 3.6 about certificates. Is this deficiency something that's planned to be corrected for the next beta? Is there a recommended procedure to enable SSL in urllib.request?

I saw the notice when installing Python 3.6.0b1 on Mac that said that the bundled OpenSSL is no longer used and thus 'certifi' will need to be installed and kept up-to-date.

At first, I thought, "no big deal" and pushed forward, but since, I've encountered the error in several cases:

- pip install of anything but certifi
- pip install in a new venv of anything but certifi
- distutils upload command (even with certifi installed)

I've only had 3.6.0b1 installed for a day, so I imagine I'm going to encounter new cases. Yes, indeed:

$ python
Python 3.6.0b1 (v3.6.0b1:5b0ca4ed5e2f, Sep 12 2016, 09:24:46) 
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib.request
>>> urllib.request.urlopen('https://www.google.com')
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 1318, in do_open
...
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:747)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 223, in urlopen
...
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py", line 1320, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:747)>
>>> import certifi


So it seems that even the guidance of installing certifi isn't sufficient to restore the basic expectation that using the stdlib to open URLs securely.

I can't imagine this behavior is acceptable (either requiring a bootstrap step in each environment or requiring some call at runtime to set up SSL before making HTTPS calls).

I no longer have the message that the installer gave me and I don't see anything in the What's New document for 3.6 about certificates.

Is this deficiency something that's planned to be corrected for the next beta? Is there a recommended procedure to enable SSL in urllib.request?

History
Date	User	Action	Args
2016-09-14 12:39:30	jaraco	set	recipients: + jaraco
2016-09-14 12:39:30	jaraco	set	messageid: <1473856770.26.0.3471987491.issue28150@psf.upfronthosting.co.za>
2016-09-14 12:39:30	jaraco	link	issue28150 messages
2016-09-14 12:39:30	jaraco	create