Poetry: Option to disable SSL verify

Created on 8 Nov 2019  路  10Comments  路  Source: python-poetry/poetry

  • [x] I have searched the issues of this repo and believe that this is not a duplicate.
  • [x] I have searched the documentation and believe that my question is not covered.

Feature Request


I'm trying to use poetry in a corporate environment. We have a private server and index for packages, and conda is setup to not verify SSL. Unfortunately, I didn't find a similar option or configuration for Poetry, so when I try to install a package with Poetry, it fails (SSLError).

I managed to get it to work by changing two lines in

https://github.com/sdispater/poetry/blob/51c7042160a74adf14038460468e5e5a72b0d965/poetry/repositories/legacy_repository.py#L415-L426

...to this:

     def _download(self, url, dest):  # type: (str, str) -> None
-        r = self._session.get(url, stream=True)
+        r = self._session.get(url, stream=True, verify=False)
         with open(dest, "wb") as f:
             for chunk in r.iter_content(chunk_size=1024):
                 if chunk:
                     f.write(chunk)

     def _get(self, endpoint):  # type: (str) -> Union[Page, None]
         url = self._url + endpoint
-        response = self._session.get(url)
+       response = self._session.get(url, verify=False)
         if response.status_code == 404:
             return

         return Page(url, response.content, response.headers)

Obviously we would use a value specified in the config.toml instead of a literal False.

Feature
Source
picture pawamoy
👍24

Most helpful comment

really need this option too

picture blunt1973 on 31 Mar 2020
👍9

All 10 comments

I guess other modifications will be needed to be able to publish as well.

EDIT: I realize the code has changed now that 1.0 is live. My patch is not enough anymore. There's the _download method in pypi_repository.py to patch as well, but I still get the SSLError.

pawamoy picture pawamoy on 24 Dec 2019

After talking with some colleagues, it seems that a better solution is to install the Certificate Authorities (CA) of your corporation on your system and configure your tools to use it, instead of disabling SSL verification (which is bad?).

There is a great answer on how to do this for Windows or Linux on this stackoverflow post.

I'm leaving this issue open since there were some upvotes, but I don't consider it myself a priority anymore.

pawamoy picture pawamoy on 25 Dec 2019

really need this option too

blunt1973 picture blunt1973 on 31 Mar 2020
👍9

We have exactly the same issue. It would be great to have this option, similar to pip's trusted-host

enicklas picture enicklas on 7 Apr 2020
👍5

I agree and I would argue that it is required to have such option to use poetry in a corporate environment with multiple private pipy indexes. You just don't want to have to deal with certificates when you know the repository is yours and can be trusted.
Having some option "trusted = true" under [[tool.poetry.source]] section could be great to specify this.

Celeborn2BeAlive picture Celeborn2BeAlive on 28 May 2020
👍5

Any progress on that?

MakuZo picture MakuZo on 10 Aug 2020

So, i have to stay using crappy pipenv because poetry doesn't have this super basic configuration

jhonatanTeixeira picture jhonatanTeixeira on 1 Oct 2020

For what it's worth here, I've used this to succesfully bypass SSL validation without any code changes to Poetry:

https://stackoverflow.com/questions/48391750/disable-python-requests-ssl-validation-for-an-imported-module

TL;DR;

Set the CURL_CA_BUNDLE environment variable to an empty string.

Shackelford-Arden picture Shackelford-Arden on 13 Oct 2020
👀3

It looks like the poetry core PR is close to acceptance? https://github.com/python-poetry/poetry-core/pull/80

This would be the last blocker for us to move over from pip.

We could set up a cert for the internal repository but this would be a much more direct path to adoption.

francoposa picture francoposa on 5 Nov 2020
🎉1

As I commented in python-poetry/poetry-core#80, I disagree with adding the option to pyproject.toml, because it is not consistent with the rest of TLS validation configuration that is already defined in the certificates.<repo> user config tree and because whether TLS validation should be disabled or not is a decision that might be different for each user. Also, in some cases, users might want to disable TLS validation without modifying the project code.

In my view, disabling the validation or defining the path to the CA file are basically the same configuration (so much that curl has only one single env var for both cases) and should be located in the same place. Either both in user configuration or both in the project, and I think in the user configuration makes more sense. I don't have anything against to allow defining them in both places (in case of defining the CA file in the project, it could be a relative path to allow one to commit it, although the security implications of this deserve further analysis, I think).

absassi picture absassi on 10 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mozartilize picture mozartilize  路  3Comments
sobolevn picture sobolevn  路  3Comments
jbarlow83 picture jbarlow83  路  3Comments
thmo picture thmo  路  3Comments
kierun picture kierun  路  3Comments