Cannot import name 'PROTOCOL_TLS' from 'urllib3.util.ssl_' #2580
Comments
Hi @thehunt33r, Thanks for raising this! I don't see anything wrong with your change at surface-level, but I'll review with the team to get their thoughts.
Hi @thehunt33r, I saw you mentioned using vendored older versions of
Hey! Sorry yeah I was using an old version of an AWS solution (LandingZone) I'm stuck with for the foreseeable future. I did see the minimum requirement for the version of urllib3 but since an earlier similar PR was merged I thought it could be worth it to do this change? If you don't think that's worth it feel free to close the PR :-) Thank you for taking the time to look through it. Matthieu
Hi @thehunt33r, That makes sense. I discussed this with a few team members yesterday and they were not inclined to merge the PR due to the problem occurring well below our
Hi @stobrien89, awscli==1.22.26 Statement on lines 10-12 in httpsession.py wants to import PROTOCOL_TLS from urllib3.util.ssl_, which does not exist there. I can work around this by removing it from that statement and adding a separate statement, pulling from ssl. Though, I suspect the strategic direction is to level up on TLS version which would require more planning.
Hi @drigoli, PROTOCOL_TLS has been present in each release of urllib3 for the last ~3 years since 1.25.0. You can find the import workflow here. I'd double check the version of urllib3 you're using with botocore is actually 1.26.7. You can use As @stobrien89 said earlier, I think we're disinclined to add support for these older versions. The primary reason is they contain multiple medium to high scoring CVEs which may compromise your security. We'd prefer to not make it easy for users to unknowingly use these versions on their systems. For the time being, I think our recommendation is going to be investing in upgrading urllib3 to a secure version. As Sean said, we may revisit this after the New Year, but I believe it's unlikely to change.
Good catch @nateprewitt, pip reported version:
interactive query versions:
hmm...
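The check discussed in the two comments above, comparing the version pip reports with the copy the interpreter actually imports, can be scripted. This is an added example, not code from botocore, urllib3 or any commenter; the function names and finding labels are hypothetical, and the 1.25.0 threshold is taken from the maintainer comment above.

```python
import importlib
import importlib.metadata as md
import re

# Per the maintainer comment above, urllib3.util.ssl_ has exported
# PROTOCOL_TLS since urllib3 1.25.0.
MIN_VERSION = (1, 25, 0)


def parse_version(text):
    """Return (major, minor, patch) from the leading digits of a version string."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def diagnose(pip_version, imported_version, has_protocol_tls):
    """Compare what pip reports with what the interpreter actually imported."""
    findings = []
    if pip_version is not None and pip_version != imported_version:
        # A vendored or shadowing copy sits earlier on sys.path than the
        # distribution pip knows about.
        findings.append("VERSION_MISMATCH")
    if parse_version(imported_version) < MIN_VERSION:
        findings.append("BELOW_MINIMUM")
    if not has_protocol_tls:
        findings.append("MISSING_PROTOCOL_TLS")
    return findings


def inspect_environment():
    """Collect the three inputs from the running interpreter; None if urllib3 is absent."""
    try:
        pip_version = md.version("urllib3")
    except md.PackageNotFoundError:
        pip_version = None
    try:
        urllib3 = importlib.import_module("urllib3")
        ssl_mod = importlib.import_module("urllib3.util.ssl_")
    except ImportError:
        return None
    version = getattr(urllib3, "__version__", "0")
    findings = diagnose(pip_version, version, hasattr(ssl_mod, "PROTOCOL_TLS"))
    return {"pip": pip_version, "imported": version,
            "path": urllib3.__file__, "findings": findings}


if __name__ == "__main__":
    print(inspect_environment())
```

Run it with the same interpreter and working directory as the failing application; the `path` field shows which copy of urllib3 was loaded.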
Hi @thehunt33r and @drigoli, After further discussion, we've decided not to move forward with merging the PR related to this issue due to the security risks associated with the CVEs mentioned by @nateprewitt. Sorry for the inconvenience!
Thanks @stobrien89!
Cannot import name 'PROTOCOL_TLS' from 'urllib3.util.ssl_' boto/botocore#2580
Still reproducible on Python 3.8.13:
Describe the bug
This issue is a direct follow-up from #2562
When using older versions of urllib3 (often vendored), importing botocore.utils (or using botocore in any consideration) will fail.
Steps to reproduce
Expected behavior
botocore should fall back to importing PROTOCOL_TLS from ssl.