-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLSv1.0/TLSv1.1 rolling brownouts are not transparent #130
Comments
What version of pip are you using? |
Looks like 6.0.6. |
Baked into what? Can you try with the latest pip, 9.0.3? |
Baked-in the project config files. Which are probably up for grabs now anyway, because the TLSv1.0/TLSv1.1 change. |
Ancient versions of OpenSSL will definitely be an issue. |
I don't know anything about SLES, but https://www.suse.com/documentation/suse-best-practices/singlehtml/securitymodule/securitymodule.html seems like the relevant doc |
Roger that. Will need new bits. Will take time. Meanwhile, a local mirror or cache or such, to keep project going. Tearing hair out today. |
Using devpi-on-recent-Python as a caching proxy could be a pretty robust workaround for older pip clients. I'm not sure we could provide that as a generic pre-assembled solution (since the specifics will differ depending on the exact constraints preventing a pip upgrade), but I believe it would let devpi handle the TLS v1.2 link to PyPI, while talking whatever the legacy client needs on the local side of things (for a local host loopback connection, it could even be HTTP, without using TLS at all). |
Our local PyPI mirror supports http and is working well. I did not build this mirror, and do not know how it works. Pip install needs parameters However, many of our scripts also use easy_install. To go get virtualenv, for example. |
We strongly recommend you stop using easy_install; it's been deprecated for a long time and hasn't really kept up with improvements to the packaging ecosystem. |
Good advice. Do you happen to know when the TLSv1.0/TLSv1.1 policy will be fully enforced on pypi.org?
|
We'll be gradually ratcheting up the brownout periods over the next few weeks; April 8th is our current target for fully disabling them. |
Said I'd get back to you on the pip error message. time: 2018-03-23 08:06 PT
|
@dstufft this seems like an issue, pip should, without |
It did print the status code out right?
|
I don't tihnk there's a bug for tracking any additional changes to that though, no. |
It only printed that with |
Oh right. Yea open an issue |
FYI, pip 9.0.1 does not pass on any message or note a 403. It just says no matching versions are found, for everything. One must pass in |
So what needs to be done to fix this? it's causing some of my python projects to fail in TravisCI Could not fetch URL https://pypi.python.org/simple/pip/: 403 Client Error: Brownout of Legacy TLS Just upgrade OpenSSL? |
@ntwaddell try to upgrade pip first. you can download/run the get-pip.py from here: https://bootstrap.pypa.io/ that should fix several environments. |
What platform are you hitting this on with Travis CI? We should make sure any builtin packages they have are updated. |
@alex I'm using TravisCI Enterprise, it always takes them longer to update their enterprise platform. Build language: python OpenSSL is OpenSSL 1.0.1 14 Mar 2012 |
@ntwaddell On Ubuntu Precise you should be able to get a working OpenSSL by doing |
@ntwaddell FYI, that's the first heartbleed release. That should have been upgraded years ago. |
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1]. It fixed by updating pip to at least 9.0.2 (tested with 9.0.3), see [2]. [1]: pypa/packaging-problems#130 [2]: pypa/pip#4454
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1]. It fixed by updating pip to at least 9.0.2 (tested with 9.0.3), see [2]. [1]: pypa/packaging-problems#130 [2]: pypa/pip#4454
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1]. It fixed by updating pip to at least 9.0.2 (tested with 9.0.3), see [2]. [1]: pypa/packaging-problems#130 [2]: pypa/pip#4454
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1]. It fixed by updating pip to at least 9.0.2 (tested with 9.0.3), see [2]. [1]: pypa/packaging-problems#130 [2]: pypa/pip#4454
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1]. It fixed by updating pip to at least 9.0.2 (tested with 9.0.3), see [2]. [1]: pypa/packaging-problems#130 [2]: pypa/pip#4454
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1]. It fixed by updating pip to at least 9.0.2 (tested with 9.0.3), see [2]. [1]: pypa/packaging-problems#130 [2]: pypa/pip#4454
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1]. It fixed by updating pip to at least 9.0.2 (tested with 9.0.3), see [2]. [1]: pypa/packaging-problems#130 [2]: pypa/pip#4454
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1]. It fixed by updating pip to at least 9.0.2 (tested with 9.0.3), see [2]. [1]: pypa/packaging-problems#130 [2]: pypa/pip#4454
I have spent around 5 hours and almost die, man |
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
I'm not sure if this is related at all but a coworker was having similar issues and |
I can confirm: I've read posts about |
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
A comment on LWN suggests we should have an announcement about this on python.org. Someone could write something to post to http://blog.python.org/ which syndicates to that front page -- caution that only about the first ~30 characters will show up. |
At this point we've had TLS 1.0/1.1 disabled 100% of the time for a few days with limited feedback, I'm reluctant to think we need further publication of this. |
I know this caught my company by surprise and has broken a few things. |
Can you suggest what communications channels we could have promoted the brownouts on to help you see them? |
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
The reason of the failures is TLSv1.0/TLSv1.1 brownout on the PyPI side, see [1] for more information. [1]: pypa/packaging-problems#130
Old version of pip can't connect due to: <pypa/packaging-problems#130>
Now that we have entirely stopped supporting TLS 1.0 and 1.1, I am closing this issue. To be notified of future breaking changes to PyPI, please subscribe to the pypi-announce mailing list. |
FYI, The pip clients we're using sure don't pass along any error 403 message.
The connection "succeeds" but the client just won't find anything it is looking for (pip install).
No response needed.
Thanks.
The text was updated successfully, but these errors were encountered: