Message 406827 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ronaldoussoren
Recipients	christian.heimes, eric.smith, mirfanasghar, ned.deily, ronaldoussoren
Date	2021-11-23.09:03:07
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1637658187.68.0.0278695845153.issue45839@roundup.psfhosted.org>
In-reply-to

Content
Could you check with "curl -k https://pypi.org/ >/dev/null" what certificate is used by PyPI? On my system I get (amongst other output): ... * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305 * ALPN, server accepted to use h2 * Server certificate: * subject: CN=pypi.org * start date: Oct 22 18:55:44 2021 GMT * expire date: Nov 23 18:55:43 2022 GMT * subjectAltName: host "pypi.org" matched cert's "pypi.org" * issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA H2 2021 * SSL certificate verify ok. ... Note how the issuer is GlobalSign. If you see some other certificate authority, or get an error from curl due to the same certificate verification problem, you have something on the path between you and PyPI that intercepts the connection, such as a corporate proxy. Pip appears to have a way to override certificate verification, you'll have to (a) read pip's manual for that and (b) be very sure you know what's going on before you start trusting some other CA that's not in the global trust root used by pip and certify.

Could you check with "curl -k https://pypi.org/ >/dev/null" what certificate is used by PyPI?

On my system I get (amongst other output):

...
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=pypi.org
*  start date: Oct 22 18:55:44 2021 GMT
*  expire date: Nov 23 18:55:43 2022 GMT
*  subjectAltName: host "pypi.org" matched cert's "pypi.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA H2 2021
*  SSL certificate verify ok.
...

Note how the issuer is GlobalSign. If you see some other certificate authority, or get an error from curl due to the same certificate verification problem, you have something on the path between you and PyPI that intercepts the connection, such as a corporate proxy. 

Pip appears to have a way to override certificate verification, you'll have to (a) read pip's manual for that and (b) be *very* sure you know what's going on before you start trusting some other CA that's not in the global trust root used by pip and certify.

History
Date	User	Action	Args
2021-11-23 09:03:07	ronaldoussoren	set	recipients: + ronaldoussoren, eric.smith, christian.heimes, ned.deily, mirfanasghar
2021-11-23 09:03:07	ronaldoussoren	set	messageid: <1637658187.68.0.0278695845153.issue45839@roundup.psfhosted.org>
2021-11-23 09:03:07	ronaldoussoren	link	issue45839 messages
2021-11-23 09:03:07	ronaldoussoren	create