
Option to disable SSL verify #1556

Closed
2 tasks done
pawamoy opened this issue Nov 8, 2019 · 27 comments · Fixed by #5719
Labels
kind/feature Feature requests/implementations

Comments

@pawamoy

pawamoy commented Nov 8, 2019

  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have searched the documentation and believe that my question is not covered.

Feature Request

I'm trying to use poetry in a corporate environment. We have a private server and index for packages, and conda is set up to not verify SSL. Unfortunately, I didn't find a similar option or configuration for Poetry, so when I try to install a package with Poetry, it fails (SSLError).

I managed to get it to work by changing two lines in

https://github.com/sdispater/poetry/blob/51c7042160a74adf14038460468e5e5a72b0d965/poetry/repositories/legacy_repository.py#L415-L426

...to this:

     def _download(self, url, dest):  # type: (str, str) -> None
-        r = self._session.get(url, stream=True)
+        r = self._session.get(url, stream=True, verify=False)
         with open(dest, "wb") as f:
             for chunk in r.iter_content(chunk_size=1024):
                 if chunk:
                     f.write(chunk)
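
Review bot: the `+        r = self._session.get(url, stream=True, verify=False)` line hard-codes `verify=False`, which switches off both chain validation and hostname matching for every URL `_download` fetches, not only the private index; the text below the diff already concedes the literal should come from config.toml. Suggest reading that setting once where `self._session` is built and assigning it to `self._session.verify` (a bool or a CA-bundle path), so the per-call `get()` arguments stay untouched and a corporate CA can be trusted without turning verification off outright.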

     def _get(self, endpoint):  # type: (str) -> Union[Page, None]
         url = self._url + endpoint
-        response = self._session.get(url)
+       response = self._session.get(url, verify=False)
         if response.status_code == 404:
             return

         return Page(url, response.content, response.headers)
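
Review bot: the added line `+       response = self._session.get(url, verify=False)` is indented with seven spaces while the surrounding body of `_get` uses eight, so as pasted this hunk is an IndentationError in Python and will not apply cleanly. The same hard-coded `verify=False` concern as in `_download` applies, and with a sharper edge here: the `Page` built from `response.content` is the index listing the repository acts on afterwards, so an unverified response at this point steers what `_download` later fetches; sourcing the flag from the session/config rather than a literal keeps that path verified by default.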

Obviously we would use a value specified in the config.toml instead of a literal False.

@pawamoy pawamoy added the kind/feature Feature requests/implementations label Nov 8, 2019
@pawamoy
Author

pawamoy commented Dec 24, 2019

I guess other modifications will be needed to be able to publish as well.

EDIT: I realize the code has changed now that 1.0 is live. My patch is not enough anymore. There's the _download method in pypi_repository.py to patch as well, but I still get the SSLError.

@pawamoy
Author

pawamoy commented Dec 25, 2019

After talking with some colleagues, it seems that a better solution is to install the Certificate Authorities (CA) of your corporation on your system and configure your tools to use it, instead of disabling SSL verification (which is bad?).

There is a great answer on how to do this for Windows or Linux on this stackoverflow post.

I'm leaving this issue open since there were some upvotes, but I don't consider it myself a priority anymore.

@blunt1973

really need this option too

@enicklas

enicklas commented Apr 7, 2020

We have exactly the same issue. It would be great to have this option, similar to pip's trusted-host

@Celeborn2BeAlive
Contributor

I agree and I would argue that it is required to have such an option to use poetry in a corporate environment with multiple private PyPI indexes. You just don't want to have to deal with certificates when you know the repository is yours and can be trusted.
Having some option "trusted = true" under [[tool.poetry.source]] section could be great to specify this.

@piotr-kopacki

Any progress on that?

@jhonatanTeixeira

So, I have to stay using crappy pipenv because poetry doesn't have this super basic configuration

@Shackelford-Arden

For what it's worth here, I've used this to successfully bypass SSL validation without any code changes to Poetry:

https://stackoverflow.com/questions/48391750/disable-python-requests-ssl-validation-for-an-imported-module

TL;DR:

Set the CURL_CA_BUNDLE environment variable to an empty string.

@francoposa

It looks like the poetry core PR is close to acceptance? python-poetry/poetry-core#80

This would be the last blocker for us to move over from pip.

We could set up a cert for the internal repository but this would be a much more direct path to adoption.

@absassi

absassi commented Nov 10, 2020

As I commented in python-poetry/poetry-core#80, I disagree with adding the option to pyproject.toml, because it is not consistent with the rest of TLS validation configuration that is already defined in the certificates.<repo> user config tree and because whether TLS validation should be disabled or not is a decision that might be different for each user. Also, in some cases, users might want to disable TLS validation without modifying the project code.

In my view, disabling the validation or defining the path to the CA file are basically the same configuration (so much so that curl has only one single env var for both cases) and should be located in the same place. Either both in user configuration or both in the project, and I think the user configuration makes more sense. I don't have anything against allowing them to be defined in both places (in case of defining the CA file in the project, it could be a relative path to allow one to commit it, although the security implications of this deserve further analysis, I think).

@jouve
Contributor

jouve commented Feb 25, 2021

I found that running poetry with an empty CURL_CA_BUNDLE env variable disables SSL verification:

CURL_CA_BUNDLE= poetry add ...
Resolving dependencies... (84.0s)xxxxxxxxxx/venv/lib/python2.7/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host 'localhost'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning

@Shackelford-Arden

Just as a follow up to my previous comment using the CURL_CA_BUNDLE, I've followed the suggestion of @pawamoy and simply ensured that I have the appropriate certificates on the system I'm using poetry on. Once I know I've got the certificate on the system, I set the path to the CA certs using the REQUESTS_CA_BUNDLE variable to set the path.

Preference to use this variable over the cURL one as requests is the underlying piece making the calls here and by default does not look at the system's certificates and uses some CA certificates that are bundled in.

@pawamoy
Author

pawamoy commented May 4, 2021

I'm also setting REQUESTS_CA_BUNDLE, and the more generic SSL_CERT_FILE, which is used by tools like HTTPX and OpenSSL.

@jouve
Contributor

jouve commented May 5, 2021

I've found about CURL_CA_BUNDLE by serendipity (was set for curl) ;)

Looking at the code, it's used as a fallback for REQUESTS_CA_BUNDLE in requests: https://github.com/psf/requests/blob/c45a4dfe6bfc6017d4ea7e9f051d6cc30972b310/requests/sessions.py#L718

SSL_CERT_FILE was requested but never implemented: https://github.com/psf/requests/search?q=SSL_CERT_FILE&type=issues

@pawamoy
Author

pawamoy commented May 5, 2021

Well I actually used that CURL_CA_BUNDLE="" trick today, so thanks a lot @jouve 😄

@FranzForstmayr

FranzForstmayr commented Nov 19, 2021

It would be great to specify this only for dedicated sources, e.g. a company gitlab instance.

[[tool.poetry.source]]
name = "gitlab-pypi"
url = "https://gitlab.in.my.company/api/v4/groups/<group>/-/packages/pypi/simple"
ssl_verify = false

@PrzemyslawSagalo

PrzemyslawSagalo commented Dec 7, 2021

It would be great to specify this only for dedicated sources, e.g. a company gitlab instance.

[[tool.poetry.source]]
name = "gitlab-pypi"
url = "https://gitlab.in.my.company/api/v4/groups/<group>/-/packages/pypi/simple"
ssl_verify = false

Maybe it will be even better to have it compatible with pip and change ssl_verify=false to trusted-host=true

@stealthrabbi

Doing CURL_CA_BUNDLE="" poetry add my-package still gives me an SSL error. This is running on Windows 10, in a Git Bash terminal.

@Dragas

Dragas commented Jan 27, 2022

Doing CURL_CA_BUNDLE="" poetry add my-package still gives me an SSL error. This is running on Windows 10, in a Git Bash terminal.

That is because poetry spawns its own shell, and you're setting environment variables incorrectly. I would really like to see a configuration option instead of depending on environment variables, which already are acting flaky on Windows, as setting an environment variable to an empty string is meant to delete it.

See: https://ss64.com/ps/syntax-env.html

@jouve
Contributor

jouve commented Jul 11, 2022

the guys at requests broke the CURL_CA_BUNDLE workaround psf/requests#6074
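
The empty-string workaround that Shackelford-Arden and jouve describe above, the REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE fallback jouve linked, and why psf/requests#6074 broke the trick, as an added example written for this thread (it is not code from requests or Poetry): two simplified re-implementations of that lookup, before and after the change, plus a small audit function that flags an environment in which verification would silently be off or the bundle cannot be found. The environment dictionaries and the CA path in `main()` are constructed inputs.

```python
"""Emulate how a requests-based tool such as Poetry turns CA-bundle
environment variables into the `verify` setting of an HTTPS request.

Added example for this thread, not requests' or Poetry's code: the two
resolvers are simplified re-implementations of the REQUESTS_CA_BUNDLE ->
CURL_CA_BUNDLE lookup before and after psf/requests#6074, and the inputs
in main() are constructed.
"""
import os
from typing import List, Mapping, Optional, Union

# What the transport finally receives: True (default CA store),
# False (no verification at all) or the path of a CA bundle.
Verify = Union[bool, str]


def resolve_verify_legacy(env: Mapping[str, str], verify: Optional[Verify] = None) -> Verify:
    """Lookup as it behaved before the fix (simplified re-implementation).

    The first variable holding a non-empty value wins.  If neither does,
    whatever CURL_CA_BUNDLE holds is passed on unchanged, so an empty string
    reaches the transport, where anything falsy means "do not verify".
    """
    if verify is True or verify is None:
        verify = env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE")
    # The session default (verify everything) applies only when nothing came back.
    return True if verify is None else verify


def resolve_verify_fixed(env: Mapping[str, str], verify: Optional[Verify] = None) -> Verify:
    """Lookup after the fix: an empty value counts as unset, so the caller's
    default survives and verification stays on."""
    if verify is True or verify is None:
        verify = env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or verify
    return True if verify is None else verify


def verification_enabled(verify: Verify) -> bool:
    """The transport keeps certificate checking on only for a truthy value:
    False and "" both end up as CERT_NONE."""
    return bool(verify)


def audit_environment(env: Mapping[str, str]) -> List[str]:
    """Defender-side check of a shell environment: report settings that turn
    verification off or point at a bundle that is not on disk."""
    findings: List[str] = []
    legacy = resolve_verify_legacy(env)
    fixed = resolve_verify_fixed(env)
    if not verification_enabled(legacy):
        msg = ("CA-bundle variables resolve to an empty value: older requests releases "
               "turn TLS verification off for every host")
        if verification_enabled(fixed):
            msg += "; newer releases treat it as unset and keep verifying, so the workaround silently stops working"
        findings.append(msg)
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        value = env.get(var)
        if value and not os.path.isfile(value):
            findings.append(f"{var} points at {value!r}, which does not exist; HTTPS requests will fail to load the bundle")
    return findings


def main() -> None:
    corp_bundle = "/nonexistent/corp-root-ca.pem"  # hypothetical placeholder path
    scenarios = {  # constructed environments
        "clean shell": {},
        "CURL_CA_BUNDLE='' workaround": {"CURL_CA_BUNDLE": ""},
        "REQUESTS_CA_BUNDLE='' only": {"REQUESTS_CA_BUNDLE": ""},
        "corporate bundle": {"REQUESTS_CA_BUNDLE": corp_bundle},
    }
    for label, env in scenarios.items():
        print(f"{label}: legacy={resolve_verify_legacy(env)!r} fixed={resolve_verify_fixed(env)!r}")
        for finding in audit_environment(env):
            print("  !", finding)


if __name__ == "__main__":
    main()
```

Two details worth noticing when you run it: with the old lookup only an empty CURL_CA_BUNDLE disables verification, an empty REQUESTS_CA_BUNDLE on its own falls through to the default, which is why the trick in this thread depends on the cURL variable specifically; and the `audit_environment` output is the kind of check worth running in CI images where such a variable may have been left behind.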

@Dragas

Dragas commented Aug 22, 2022 via email

@simonvdk

simonvdk commented Sep 1, 2022

Starting from 1.2:

https://python-poetry.org/docs/repositories/#certificates

The value of certificates.<name>.cert can be set to false if certificate verification is required to be skipped.

@HuM4NoiD

HuM4NoiD commented Sep 7, 2022

What should be the <name> in certificates.<name>.cert when I want to disable it for the default pypi repository?
I tried setting certificates.pypi.cert to false and even used a ca bundle (pem file) but it still gives me this problem

@neersighted
Member

You need to replace pypi as the repository by setting a new default -- for security reasons, I do believe that there is no way to turn off verification for PyPI.
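
What `certificates.<name>.cert = false` actually switches off, and what a bundle path changes instead, as an added example written for this thread rather than Poetry's own code. The config shape follows the documented `certificates.<repository>.cert` key simonvdk linked, the refusal for the `pypi` name follows the maintainer comment just above, and the function names, the sample config and the CA path inside it are assumptions made for illustration.

```python
"""Map a Poetry-style `certificates.<name>.cert` setting onto an
ssl.SSLContext so the effect of `cert = false` is visible at the TLS layer.

Added example for this thread, not Poetry's code.  The config shape mirrors
the documented certificates.<repository>.cert key; refusing to disable
verification for "pypi" follows the maintainer comment in the thread;
function names, SAMPLE_CONFIG and its CA path are constructed.
"""
import ssl
from typing import Any, Mapping, Tuple, Union

Verify = Union[bool, str]

# Constructed sample: the `certificates` tree of a user config with one
# repository pinned to a corporate CA bundle and one with verification off.
SAMPLE_CONFIG: Mapping[str, Any] = {
    "certificates": {
        "corp-index": {"cert": "/etc/pki/tls/certs/corp-root-ca.pem"},  # hypothetical path
        "lab-index": {"cert": False},
    }
}


def resolve_verify(config: Mapping[str, Any], repository: str) -> Verify:
    """Return True (default CA store), a bundle path, or False for `repository`."""
    entry = config.get("certificates", {}).get(repository, {})
    cert = entry.get("cert", True)  # no entry: verify against the default store
    if cert is False:
        if repository == "pypi":
            raise ValueError("verification cannot be disabled for the default PyPI source")
        return False
    if cert is True or cert is None:
        return True
    if isinstance(cert, str) and cert:
        return cert
    raise TypeError(f"unsupported cert value for {repository!r}: {cert!r}")


def build_ssl_context(verify: Verify) -> ssl.SSLContext:
    """Translate the resolved setting into what the TLS layer will enforce."""
    if verify is False:
        # `cert = false` drops BOTH checks: the chain is not validated and the
        # hostname is not matched, so any certificate is accepted.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if verify is True:
        return ssl.create_default_context()  # system CA store, hostname check on
    # A bundle path replaces the default store entirely (requests treats
    # verify=<path> the same way), so the corporate root is trusted without
    # turning validation off.  A missing file raises at this point.
    return ssl.create_default_context(cafile=verify)


def context_summary(ctx: ssl.SSLContext) -> Tuple[str, bool]:
    """(verify-mode name, hostname check on?) for reporting."""
    return ctx.verify_mode.name, ctx.check_hostname


def main() -> None:
    for repo in ("corp-index", "lab-index", "unknown-index"):
        verify = resolve_verify(SAMPLE_CONFIG, repo)
        try:
            mode, hostname = context_summary(build_ssl_context(verify))
            print(f"{repo}: cert={verify!r} -> {mode}, check_hostname={hostname}")
        except OSError as exc:
            print(f"{repo}: cert={verify!r} -> bundle not loadable ({exc})")


if __name__ == "__main__":
    main()
```

Running it prints one line per repository; the `lab-index` entry comes back as `CERT_NONE` with `check_hostname` off, the combination under which the client accepts any certificate at all, including one presented by an intermediary. That is exactly what the `verify=False` patch at the top of this issue would have applied to every repository at once, whereas the bundle-path form keeps validation on and only changes which root is trusted.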

@BjoernPetersen

I do wonder though, why would you want to disable the verification for the pypi.org certificate, @HuM4NoiD? Did you perchance encounter the bug #2839?

@HuM4NoiD

HuM4NoiD commented Sep 7, 2022

I am unable to run poetry update or poetry add <package> in a poetry project directory or run poetry self update without getting this kind of error:

HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/76/97/2a99f020be5e4a5a97ba10bc480e2e6a889b5087103a2c6b952b5f819d27/crashtest-0.3.1-py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

Poetry version is 1.2.0
Base python interpreter version is 3.10.6

I work on a machine behind a corporate firewall that uses self-signed certificates (which I have bundled together).
The pip that came with Python is configured to use a proxy URL and the bundle of self-signed certificates provided by my organisation. All packages install properly with pip.

I only intend to use the pypi.org package index for now and to either get the SSL verification working with poetry using my certificate bundle or disable SSL verification altogether.


github-actions bot commented Mar 1, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 1, 2024