Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites

2017-01-14 Thread dieter
oliver  writes:

> When I run this per email from my work laptop,
>
> python3 -c "import urllib.request,json;
> print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"
>
> I get the following traceback:
> ...
> File "c:\Python35\lib\ssl.py", line 633, in do_handshake
> self._sslobj.do_handshake()
> ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
> (_ssl.c:645)

I guess (!) that somehow the well known trusted CA (= "Certificate authority")
certificates are incomplete on your machine.

Certificate verification works as follows:
a certificate is always signed by a certificate authority ("CA");
for a certificate to be trusted, the signing CA must be trusted.
There may be several trust steps but finally, there must be
some "CA" that you are trusting "without further proof".
The certificates of those "CA"s are stored somewhere on your machine.

Apparently, the "https" servers you have problems with
are using a CA which is not declared trusted on your machine
(by installing the appropriate certificate at the correct place).

-- 
https://mail.python.org/mailman/listinfo/python-list
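
The trust-store check described in the reply above, as an added example that is not part of the original thread: it reports which CA certificates a Python `ssl` context will accept and retries a handshake with an extra CA bundle while leaving verification enabled. The function names and the `extra_ca_pem` path are assumptions made for illustration.

```python
import socket
import ssl

def trust_report(ctx):
    """Summarise what this context accepts as trust anchors."""
    stats = ctx.cert_store_stats()  # keys: 'x509', 'crl', 'x509_ca'
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        # CAs found through a capath directory are only counted once used.
        "ca_certs_loaded": stats["x509_ca"],
    }

def default_locations():
    """Where this Python/OpenSSL build looks for CA certificates."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.cafile, "capath": p.capath,
            "env_cafile": p.openssl_cafile_env,
            "env_capath": p.openssl_capath_env}

def context_with_extra_ca(extra_ca_pem=None):
    """Default verification plus, optionally, one extra PEM bundle.

    extra_ca_pem is a hypothetical path to the missing CA certificate;
    verification and hostname checking stay on either way.
    """
    ctx = ssl.create_default_context()
    if extra_ca_pem:
        ctx.load_verify_locations(cafile=extra_ca_pem)
    return ctx

def try_handshake(host, ctx, port=443, timeout=10):
    """Return ('ok', version) or ('verify_failed', reason) for one server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # verify_message names the failing step, e.g. an unknown issuer.
        return ("verify_failed", exc.verify_message)

if __name__ == "__main__":
    ctx = context_with_extra_ca()
    print(default_locations())
    print(trust_report(ctx))
    print(try_handshake("www.howsmyssl.com", ctx))
```

pip accepts the same kind of PEM bundle through its `--cert` option, which keeps certificate verification on, whereas `--trusted-host` accepts the host without it.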


Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites

2017-01-13 Thread oliver
When I run this per email from my work laptop,

python3 -c "import urllib.request,json;
print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"

I get the following traceback:

C:\...>python -c "import urllib.request,json;
print(json.loads(urllib.request.url
w.howsmyssl.com/a/check').read())['tls_version'])"
Traceback (most recent call last):
File "c:\Python35\lib\urllib\request.py", line 1254, in do_open
h.request(req.get_method(), req.selector, req.data, headers)
File "c:\Python35\lib\http\client.py", line 1106, in request
self._send_request(method, url, body, headers)
File "c:\Python35\lib\http\client.py", line 1151, in _send_request
self.endheaders(body)
File "c:\Python35\lib\http\client.py", line 1102, in endheaders
self._send_output(message_body)
File "c:\Python35\lib\http\client.py", line 934, in _send_output
self.send(msg)
File "c:\Python35\lib\http\client.py", line 877, in send
self.connect()
File "c:\Python35\lib\http\client.py", line 1260, in connect
server_hostname=server_hostname)
File "c:\Python35\lib\ssl.py", line 377, in wrap_socket
_context=self)
File "c:\Python35\lib\ssl.py", line 752, in __init__
self.do_handshake()
File "c:\Python35\lib\ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "c:\Python35\lib\ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "<string>", line 1, in <module>
File "c:\Python35\lib\urllib\request.py", line 163, in urlopen
return opener.open(url, data, timeout)
File "c:\Python35\lib\urllib\request.py", line 466, in open
response = self._open(req, data)
File "c:\Python35\lib\urllib\request.py", line 484, in _open
'_open', req)
File "c:\Python35\lib\urllib\request.py", line 444, in _call_chain
result = func(*args)
File "c:\Python35\lib\urllib\request.py", line 1297, in https_open
context=self._context, check_hostname=self._check_hostname)
File "c:\Python35\lib\urllib\request.py", line 1256, in do_open
raise URLError(err)
urllib.error.URLError: 

Anyone know how to deal with that? When using pip, I get same error, unless
I add "--trusted-host pypi.python.org":

C:\...>pip install nose
Collecting nose
Could not fetch URL https://pypi.python.org/simple/nose/: There was a
problem confirming the ssl certificate: [SSL: CERTIF
LED] certificate verify failed (_ssl.c:645) - skipping
Could not find a version that satisfies the requirement nose (from
versions: )
No matching distribution found for nose

C:\...>pip install nose --trusted-host pypi.python.org
Collecting nose
Downloading nose-1.3.7-py3-none-any.whl (154kB)
100% || 163kB 386kB/s
Installing collected packages: nose
Successfully installed nose-1.3.7


-- 
Oliver


Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites

2017-01-10 Thread Irmen de Jong
On 10-1-2017 16:01, Donald Stufft wrote:
>> TypeError: the JSON object must be str, not 'bytes'
> Huh, just tested, my original snippet works on Python 3.6 but fails on Python 
> 3.5. 


My guess is that is due to an improvement in 3.6 mentioned here:
https://docs.python.org/3/whatsnew/3.6.html#json

Irmen




Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites

2017-01-10 Thread Donald Stufft

> On Jan 10, 2017, at 9:59 AM, Oleg Broytman  wrote:
> 
> On Tue, Jan 10, 2017 at 08:27:21AM -0500, Donald Stufft  
> wrote:
>> python3 -c "import urllib.request,json; 
>> print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"
> 
> Traceback (most recent call last):
>   File "<string>", line 1, in <module>
>   File "/usr/lib/python3.4/json/__init__.py", line 312, in loads
>     s.__class__.__name__))
> TypeError: the JSON object must be str, not 'bytes'
> 


Huh, just tested, my original snippet works on Python 3.6 but fails on Python 
3.5. 



Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites

2017-01-10 Thread Oleg Broytman
On Tue, Jan 10, 2017 at 08:27:21AM -0500, Donald Stufft  
wrote:
> python3 -c "import urllib.request,json; 
> print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.4/json/__init__.py", line 312, in loads
    s.__class__.__name__))
TypeError: the JSON object must be str, not 'bytes'

   Fix:

$ python3 -c "import urllib.request,json; 
print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read().decode('ascii'))['tls_version'])"

Oleg.
-- 
 Oleg Broytman    http://phdru.name/    p...@phdru.name
   Programmers don't die, they just GOSUB without RETURN.


Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites

2017-01-10 Thread Donald Stufft
Fastly has announced plans to disable TLSv1.0 and TLSv1.1 on their CDN endpoints
which will include PyPI (as well as other Python properties). You can see their
timeline at 
https://www.fastly.com/blog/phase-two-our-tls-10-and-11-deprecation-plan.

There are two hard cut off dates to remember:

* April 30, 2017, which is when any Python.org site you see that does *not*
  have an EV certificate that is hosted by Fastly will no longer support
  TLSv1.0 and TLSv1.1 (testpypi.python.org, test.pypi.org,
  files.pythonhosted.org, etc).

* June 30, 2018, which is when any Python.org site you see that has an EV
  certificate that is hosted by Fastly will no longer support TLSv1.0 and
  TLSv1.1 (pypi.python.org, pypi.org, etc).

I am going to see about possibly organizing some scheduled "brown outs" of
TLSv1.0 and TLSv1.1 prior to the cut off dates to try and help folks find places
that will need updates. Any scheduled brownouts will be posted to
status.python.org prior to happening.

Looking at the download numbers, the absolute largest driver of TLSv1.0 and
TLSv1.1 traffic to PyPI are old versions of pip or other clients where I cannot
tell the OS that they are being run on. Past that, macOS is going to be the
largest casualty since their system Python does not support TLSv1.2 yet in any
version of their OS.

If you have a Python and you want to check to see if it supports TLSv1.2 or not,
the easiest way to do that is by running:

python2 -c "import urllib2,json; 
print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"

OR

python3 -c "import urllib.request,json; 
print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"

If you get something other than TLS 1.2, then I suggest making plans to deal
with the inevitable breakage which may start occurring on or before April 30,
2017.
-- 
https://mail.python.org/mailman/listinfo/python-announce-list
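
A script form of the check from the announcement, as an added example that is not part of the original post: it decodes the reply before parsing so it also works on the Python 3.4/3.5 interpreters that fail in the replies, and adds an offline check of what the local `ssl` module supports. The function names are assumptions; the URL and the `tls_version` field are the ones used in the announcement.

```python
import json
import ssl
import urllib.request

CHECK_URL = "https://www.howsmyssl.com/a/check"  # URL from the announcement

def local_tls12_support():
    """Offline: does this interpreter's ssl module know TLS 1.2 at all?"""
    has_flag = getattr(ssl, "HAS_TLSv1_2", None)      # Python 3.7+
    if has_flag is None:
        has_flag = hasattr(ssl, "PROTOCOL_TLSv1_2")   # older interpreters
    return {"openssl": ssl.OPENSSL_VERSION, "tls12": bool(has_flag)}

def parse_check(body):
    """Return the 'tls_version' field; accepts bytes for Python < 3.6."""
    if isinstance(body, bytes):
        body = body.decode("utf-8")
    return json.loads(body)["tls_version"]

def meets_deadline(tls_version):
    """True if the negotiated version survives the TLS 1.0/1.1 cut-off."""
    # "TLS 1.2" -> (1, 2); anything below (1, 2) will stop working.
    major, minor = (int(x) for x in tls_version.split()[-1].split("."))
    return (major, minor) >= (1, 2)

def remote_check(url=CHECK_URL, timeout=10):
    """Ask the checker which TLS version this client actually negotiated."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        version = parse_check(resp.read())
    return version, meets_deadline(version)

if __name__ == "__main__":
    print(local_tls12_support())
    print(remote_check())
```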
