Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites
oliverwrites: > When I run this per email from my work laptop, > > python3 -c "import urllib.request,json; > print(json.loads(urllib.request.urlopen(' > https://www.howsmyssl.com/a/check').read())['tls_version'])" > > I get the following traceback: > ... > File "c:\Python35\lib\ssl.py", line 633, in do_handshake > self._sslobj.do_handshake() > ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed > (_ssl.c:645) I guess (!) that somehow the well known trusted CA (= "Certificate authority") certificates are incomplete on your machine. Certificate verification works as follows: a certificate is always signed by a certificate authority ("CA"); for a certificate to be trusted, the signing CA must be trusted. There may be several trust steps but finally, there must be some "CA" that you are trusting "without further proof". The certificates of those "CA"s are somewhere stored on your machine. Apparently, the "https" servers you have problems with are using a CA which is not declared trusted on your machine (by installing the appropriate certificate at the correct place). -- https://mail.python.org/mailman/listinfo/python-list
Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites
When I run this per email from my work laptop, python3 -c "import urllib.request,json; print(json.loads(urllib.request.urlopen(' https://www.howsmyssl.com/a/check').read())['tls_version'])" I get the following traceback: C:\...>python -c "import urllib.request,json; print(json.loads(urllib.request.url w.howsmyssl.com/a/check').read())['tls_version'])" Traceback (most recent call last): File "c:\Python35\lib\urllib\request.py", line 1254, in do_open h.request(req.get_method(), req.selector, req.data, headers) File "c:\Python35\lib\http\client.py", line 1106, in request self._send_request(method, url, body, headers) File "c:\Python35\lib\http\client.py", line 1151, in _send_request self.endheaders(body) File "c:\Python35\lib\http\client.py", line 1102, in endheaders self._send_output(message_body) File "c:\Python35\lib\http\client.py", line 934, in _send_output self.send(msg) File "c:\Python35\lib\http\client.py", line 877, in send self.connect() File "c:\Python35\lib\http\client.py", line 1260, in connect server_hostname=server_hostname) File "c:\Python35\lib\ssl.py", line 377, in wrap_socket _context=self) File "c:\Python35\lib\ssl.py", line 752, in __init__ self.do_handshake() File "c:\Python35\lib\ssl.py", line 988, in do_handshake self._sslobj.do_handshake() File "c:\Python35\lib\ssl.py", line 633, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "", line 1, in File "c:\Python35\lib\urllib\request.py", line 163, in urlopen return opener.open(url, data, timeout) File "c:\Python35\lib\urllib\request.py", line 466, in open response = self._open(req, data) File "c:\Python35\lib\urllib\request.py", line 484, in _open '_open', req) File "c:\Python35\lib\urllib\request.py", line 444, in _call_chain result = func(*args) File "c:\Python35\lib\urllib\request.py", line 1297, in https_open context=self._context, check_hostname=self._check_hostname) File "c:\Python35\lib\urllib\request.py", line 1256, in do_open raise URLError(err) urllib.error.URLError: Anyone know how to deal with that? When using pip, I get same error, unless I add "--trusted-host pypi.python.org": C:\...>pip install nose Collecting nose Could not fetch URL https://pypi.python.org/simple/nose/: There was a problem confirming the ssl certificate: [SSL: CERTIF LED] certificate verify failed (_ssl.c:645) - skipping Could not find a version that satisfies the requirement nose (from versions: ) No matching distribution found for nose C:\...>pip install nose --trusted-host pypi.python.org Collecting nose Downloading nose-1.3.7-py3-none-any.whl (154kB) 100% || 163kB 386kB/s Installing collected packages: nose Successfully installed nose-1.3.7 -- Oliver -- Oliver My StackOverflow contributions My CodeProject articles My Github projects My SourceForget.net projects -- https://mail.python.org/mailman/listinfo/python-list
Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites
On 10-1-2017 16:01, Donald Stufft wrote: >> TypeError: the JSON object must be str, not ‘bytes' > Huh, just tested, my original snippet works on Python 3.6 but fails on Python > 3.5. My guess is that is due to an improvement in 3.6 mentioned here: https://docs.python.org/3/whatsnew/3.6.html#json Irmen -- https://mail.python.org/mailman/listinfo/python-list
Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites
> On Jan 10, 2017, at 9:59 AM, Oleg Broytmanwrote: > > On Tue, Jan 10, 2017 at 08:27:21AM -0500, Donald Stufft > wrote: >>python3 -c "import urllib.request,json; >> print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])" > > Traceback (most recent call last): > File "", line 1, in > File "/usr/lib/python3.4/json/__init__.py", line 312, in loads >s.__class__.__name__)) > TypeError: the JSON object must be str, not ‘bytes' > Huh, just tested, my original snippet works on Python 3.6 but fails on Python 3.5. -- https://mail.python.org/mailman/listinfo/python-list
Re: Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites
On Tue, Jan 10, 2017 at 08:27:21AM -0500, Donald Stufftwrote: > python3 -c "import urllib.request,json; > print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])" Traceback (most recent call last): File "", line 1, in File "/usr/lib/python3.4/json/__init__.py", line 312, in loads s.__class__.__name__)) TypeError: the JSON object must be str, not 'bytes' Fix: $ python3 -c "import urllib.request,json; print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read().decode('ascii'))['tls_version'])" Oleg. -- Oleg Broytmanhttp://phdru.name/p...@phdru.name Programmers don't die, they just GOSUB without RETURN. -- https://mail.python.org/mailman/listinfo/python-list
Announcement: TLSv1.2 will become mandatory in the future for Python.org Sites
Fastly has announced plans to disable TLSv1.0 and TLSv1.1 on their CDN endpoints which will include PyPI (as well as other Python properties). You can see their timeline at https://www.fastly.com/blog/phase-two-our-tls-10-and-11-deprecation-plan. There are two hard cut off dates to remember: * April 30, 2017, which is when any Python.org site you see that does *not* have an EV certificate that is hosted by Fastly will no longer support TLSv1.0 and TLSv1.1 (testpypi.python.org, test.pypi.org, files.pythonhosted.org, etc). * June 30, 2018, which is when any Python.org site you see that has an EV certificate that is hosted by Fastly will no longer support TSLv1.0 and TLSv1.1 (pypi.python.org, pypi.org, etc). I am going to see about possibly organizing some scheduled "brown outs" of TLSv1.0 and TLSv1.1 prior to the cut off dates to try and help folks find places that will need updates. Any scheduled brownouts will be posted to status.python.org prior to happening. Looking at the download numbers, the absolute largest driver of TLSv1.0 and TLSv1.1 traffic to PyPI are old versions of pip or other clients where I cannot tell the OS that they are being run on. Past that, macOS is going to be the largest casualty since their system Python does not support TLSv1.2 yet in any version of their OS. If you have a Python and you want to check to see if it supports TLSv1.2 or not, the easiest way to do that is by running: python2 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])" OR python3 -c "import urllib.request,json; print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])" If you get something other than TLS 1.2, then I suggest making plans to deal with the inevitable breakage which may start occurring on or before April 30, 2017. -- https://mail.python.org/mailman/listinfo/python-announce-list Support the Python Software Foundation: http://www.python.org/psf/donations/