Pip: SNIMissingWarning / InsecurePlatformWarning not fixable with pip 9.0 / 9.0.1

For comparison, here's a log on another fresh Ubuntu install showing that the errors go away when I install the various security packages if I'm using pip 8.1.2:

ubuntu@ip-10-165-77-50:~$ python --version
Python 2.7.6
ubuntu@ip-10-165-77-50:~$ uname -a
Linux ip-10-165-77-50 3.13.0-53-generic #89-Ubuntu SMP Wed May 20 10:34:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ip-10-165-77-50:~$ wget https://bootstrap.pypa.io/get-pip.py
--2016-11-07 14:31:24--  https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io (bootstrap.pypa.io)... 151.101.32.175
Connecting to bootstrap.pypa.io (bootstrap.pypa.io)|151.101.32.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1595408 (1.5M) [text/x-python]
Saving to: ‘get-pip.py’

100%[====================================================================================================>] 1,595,408   --.-K/s   in 0.04s   

2016-11-07 14:31:24 (42.1 MB/s) - ‘get-pip.py’ saved [1595408/1595408]

ubuntu@ip-10-165-77-50:~$ sudo python get-pip.py 
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip
/tmp/tmpifVzfU/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
/tmp/tmpifVzfU/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
    100% |████████████████████████████████| 1.3MB 587kB/s 
Collecting setuptools
  Downloading setuptools-28.8.0-py2.py3-none-any.whl (472kB)
    100% |████████████████████████████████| 481kB 1.6MB/s 
Collecting wheel
  Downloading wheel-0.29.0-py2.py3-none-any.whl (66kB)
    100% |████████████████████████████████| 71kB 6.6MB/s 
Installing collected packages: pip, setuptools, wheel
Successfully installed pip-9.0.1 setuptools-28.8.0 wheel-0.29.0
/tmp/tmpifVzfU/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
ubuntu@ip-10-165-77-50:~$ sudo pip install pip==8.1.2
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip==8.1.2
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading pip-8.1.2-py2.py3-none-any.whl (1.2MB)
    100% |████████████████████████████████| 1.2MB 590kB/s 
Installing collected packages: pip
  Found existing installation: pip 9.0.1
    Uninstalling pip-9.0.1:
      Successfully uninstalled pip-9.0.1
Successfully installed pip-8.1.2
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ pip --version
pip 8.1.2 from /usr/local/lib/python2.7/dist-packages (python 2.7)
ubuntu@ip-10-165-77-50:~$ sudo pip install aafigure
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting aafigure
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading aafigure-0.5.tar.gz (49kB)
    100% |████████████████████████████████| 51kB 4.9MB/s 
Installing collected packages: aafigure
  Running setup.py install for aafigure ... done
Successfully installed aafigure-0.5
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ sudo apt-get install build-essential python-dev libffi-dev libssl-dev
Reading package lists... Done
Building dependency tree       

[snip]

Setting up python2.7-dev (2.7.6-8ubuntu0.2) ...
Setting up python-dev (2.7.5-5ubuntu3) ...
Setting up libffi-dev:amd64 (3.1~rc1+r3.0.13-12ubuntu0.1) ...
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...
ubuntu@ip-10-165-77-50:~$ sudo pip install urllib3[secure] pyOpenSSL cryptography idna certifi ndg-httpsclient pyasn1
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied (use --upgrade to upgrade): urllib3[secure] in /usr/lib/python2.7/dist-packages
  urllib3 1.7.1 does not provide the extra 'secure'
Requirement already satisfied (use --upgrade to upgrade): pyOpenSSL in /usr/lib/python2.7/dist-packages
Collecting cryptography
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading cryptography-1.5.3.tar.gz (400kB)
    100% |████████████████████████████████| 409kB 1.7MB/s 
Collecting idna
  Downloading idna-2.1-py2.py3-none-any.whl (54kB)
    100% |████████████████████████████████| 61kB 6.2MB/s 
Collecting certifi
  Downloading certifi-2016.9.26-py2.py3-none-any.whl (377kB)
    100% |████████████████████████████████| 378kB 1.8MB/s 
Collecting ndg-httpsclient
  Downloading ndg_httpsclient-0.4.2.tar.gz
Collecting pyasn1
  Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.1 in /usr/lib/python2.7/dist-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): setuptools>=11.3 in /usr/local/lib/python2.7/dist-packages (from cryptography)
Collecting enum34 (from cryptography)
  Downloading enum34-1.1.6-py2-none-any.whl
Collecting ipaddress (from cryptography)
  Downloading ipaddress-1.0.17-py2-none-any.whl
Collecting cffi>=1.4.1 (from cryptography)
  Downloading cffi-1.8.3-cp27-cp27mu-manylinux1_x86_64.whl (386kB)
    100% |████████████████████████████████| 389kB 1.8MB/s 
Collecting pycparser (from cffi>=1.4.1->cryptography)
  Downloading pycparser-2.17.tar.gz (231kB)
    100% |████████████████████████████████| 235kB 3.1MB/s 
Installing collected packages: idna, pyasn1, enum34, ipaddress, pycparser, cffi, cryptography, certifi, ndg-httpsclient
  Running setup.py install for pycparser ... done
  Running setup.py install for cryptography ... done
  Running setup.py install for ndg-httpsclient ... done
Successfully installed certifi-2016.9.26 cffi-1.8.3 cryptography-1.5.3 enum34-1.1.6 idna-2.1 ipaddress-1.0.17 ndg-httpsclient-0.4.2 pyasn1-0.1.9 pycparser-2.17
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ sudo pip install aafigure
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied (use --upgrade to upgrade): aafigure in /usr/local/lib/python2.7/dist-packages
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ sudo pip install requests
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied (use --upgrade to upgrade): requests in /usr/lib/python2.7/dist-packages
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ sudo pip install pyladies
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pyladies
  Downloading pyladies-2.0.4-py2.py3-none-any.whl (5.5MB)
    100% |████████████████████████████████| 5.5MB 132kB/s 
Collecting Sphinx (from pyladies)
  Downloading Sphinx-1.4.8-py2.py3-none-any.whl (1.6MB)
    100% |████████████████████████████████| 1.6MB 503kB/s 
Collecting sphinx-rtd-theme (from pyladies)
  Downloading sphinx_rtd_theme-0.1.9-py2-none-any.whl (693kB)
    100% |████████████████████████████████| 696kB 1.2MB/s 
Collecting Jinja2>=2.3 (from Sphinx->pyladies)
  Downloading Jinja2-2.8-py2.py3-none-any.whl (263kB)
    100% |████████████████████████████████| 266kB 4.0MB/s 
Collecting babel!=2.0,>=1.3 (from Sphinx->pyladies)
  Downloading Babel-2.3.4-py2.py3-none-any.whl (7.1MB)
    100% |████████████████████████████████| 7.1MB 106kB/s 
Collecting docutils>=0.11 (from Sphinx->pyladies)
Collecting alabaster<0.8,>=0.7 (from Sphinx->pyladies)
  Downloading alabaster-0.7.9-py2.py3-none-any.whl
Collecting snowballstemmer>=1.1 (from Sphinx->pyladies)
  Downloading snowballstemmer-1.2.1-py2.py3-none-any.whl (64kB)
    100% |████████████████████████████████| 71kB 7.0MB/s 
Collecting Pygments>=2.0 (from Sphinx->pyladies)
  Downloading Pygments-2.1.3-py2.py3-none-any.whl (755kB)
    100% |████████████████████████████████| 757kB 1.1MB/s 
Requirement already satisfied (use --upgrade to upgrade): six>=1.5 in /usr/lib/python2.7/dist-packages (from Sphinx->pyladies)
Collecting imagesize (from Sphinx->pyladies)
  Downloading imagesize-0.7.1-py2.py3-none-any.whl
Collecting MarkupSafe (from Jinja2>=2.3->Sphinx->pyladies)
Collecting pytz>=0a (from babel!=2.0,>=1.3->Sphinx->pyladies)
  Downloading pytz-2016.7-py2.py3-none-any.whl (480kB)
    100% |████████████████████████████████| 481kB 1.9MB/s 
Installing collected packages: MarkupSafe, Jinja2, pytz, babel, docutils, alabaster, snowballstemmer, Pygments, imagesize, Sphinx, sphinx-rtd-theme, pyladies
Successfully installed Jinja2-2.8 MarkupSafe-0.23 Pygments-2.1.3 Sphinx-1.4.8 alabaster-0.7.9 babel-2.3.4 docutils-0.12 imagesize-0.7.1 pyladies-2.0.4 pytz-2016.7 snowballstemmer-1.2.1 sphinx-rtd-theme-0.1.9
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ 

So this is a bit of a sticky issue. We've modified our bundled copies of the libraries so that they will not load any of the C libraries because on some OSs (particularly Windows) if pip imports the C library then it becomes impossible for pip to actually upgrade or uninstall that library (because importing locks the .dll from deletion). The downside of this is that it means you're stuck with what your Python is able to provide.

I see a few ways around this:

1. Do nothing, let the warning's stand to try and push people to upgrade their Python to one that has a better SSL module.
2. Disable the warnings completely, the warnings don't matter much for PyPI's own usage (although they could for non PyPI repositories) and just live with it.
3. Adjust our disable of C libraries to only disable them on platforms where they cause problems (e.g. Windows).

If we pick (3) we'd still need to pick which of (1) or (2) we want to happen on platforms where our C libraries support is disabled.

Heh, I was just poking around in the codebase and was about to point to your commit at https://github.com/pypa/pip/commit/cab01774eaddf417ff90df11bdab672aa30001be, which I assume is the change that you're referring to.

From our perspective (PythonAnywhere PaaS), while we really do want to upgrade our default system Python 2.7 to something more recent, it's really hard in the short term because people have (eg.) --user-installed packages and virtualenvs which would be broken if we did that. Basically, a coordination exercise with tens of thousands of participants. I fully appreciate that's our problem, not yours! But I imagine there are other larger-scale installs with the same problem.

FWIW I'd personally vote for #3, with #1 for Windows etc.

One thing I would definitely suggest, though, if you don't disable the warnings completely, is that you change them. Right now pip is printing out (thanks to urllib3) messages like

/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

...which is telling people to go to a page that tells them to install something, and installing that thing doesn't fix the problem. That's bound to lead to confusion.

I am in a very similar situation to @gpjt where it is not all that easy to coordinate an update to a newer version of Python for all of our users. I agree that solutions (3) and (1) seem like the way to go along with a change in the warning message shown to more accurately reflect the situation. In my opinion, reducing the security across all platforms for the sake of the lowest common denominator seems like the wrong way to go.

To help other folks hitting this same issue, I thought I was going crazy since we are indeed pinning pip==8.1.2 on the host OS (ubuntu). I only just discovered that creating a virtualenv doesn't attempt to match the version of pip that is on the host but goes ahead and uses the newest version of pip available (currently 9.0.1), thus reintroducing what had been a solved issue. I'm not suggesting this part in particular is anything the pip maintainers need to address, just a heads up for others trying to debug their setups.

If someone makes a PR for (1) and (3) I would be happy to accept it, otherwise I'll try to get to it myself.

any updates?

any updates?

Hi @rlam3!

AFAICT, #4142 (has merge conflicts) and #4612 are 2 PRs that both do (1) and (3). It's probably just the matter of someone finding the time to review both of those PRs and do the needful.

I'd say by the time pip 10.0 releases, this would be fixed. :)

How do we progress this issue? If we're going to hold the release of pip 10 till this is resolved, who is in a position to move it forward?

There's 2 existing PRs for it. Both have merge conflicts. Someone would have to resolve the conflicts for one of them and then it shouldn't take long to merge since I think there seems to be a general preference to taking the same approach as those PRs.

So - while I see the need for this, AIUI this is an existing behaviour in pip 9. If we don't fix it in 10, we're not making any behaviour worse for the user, simply not fixing an issue. And if people fix the security warnings this is telling them about, that resolves the issue for them.

So what I'm saying is that I'm fine with pushing to get this ready for pip 10, but if no-one has time to work on it, I think it's fine to remove the blocker tag. What I don't want is to have pip 10 blocked indefinitely because we don't have anyone working on this. Does that seem reasonable?

Does that seem reasonable?

Yep!

And if people fix the security warnings this is telling them about, that resolves the issue for them.

btw -- they can't. That's the issue.

Ah. OK. I was going off the original comment "For various reasons we can't upgrade to Python 2.7.9 or higher" which I took to mean that if they did upgrade their Python, they'd be OK. (I don't think "issues on outdated versions of Python 2.7" qualifies as a release blocker, is all I'm saying).

@pfmoore I've made #4835 for this.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.