Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pypi.org: HTTP access no longer an option #3773

Closed
Wilfred opened this issue Apr 19, 2018 · 4 comments
Closed

pypi.org: HTTP access no longer an option #3773

Wilfred opened this issue Apr 19, 2018 · 4 comments

Comments

@Wilfred
Copy link

Wilfred commented Apr 19, 2018

It used to be the case that http://pypi.python.org/simple was accessible without HTTPS. This was important in legacy environments that don't support the certificates offered:

curl -L http://pypi.python.org/simple
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

pip has a --trusted-host option to support this use case, and has the appropriate caveats in the docs.

This doesn't seem to be accessible any more for pypi.org. Could this please be restored?
@brainwane
Copy link
Contributor

Hi, @Wilfred -- can you talk about why the legacy environments in question can't upgrade their TLS support versions? Thanks.

@ewdurbin
Copy link
Member

Based on the error, you are receiving a redirect from HTTP to HTTPS. This has been the behavior from pypi.python.org for as long as I can remember.

$ curl -I http://pypi.python.org/simple/
HTTP/1.1 301 Moved Permanently
Server: Varnish
Retry-After: 0
Location: https://pypi.org/simple/
...

The root of the issue you have opened is that your client is unable to negotiate a TLSv1.2 connection to PyPI. Until April 10th, 2018 this would have succeeded.

PyPI is no longer accessible to clients which do not support TLSv1.2 due to our CDN provider sunsetting support. We cannot reenable access for outdated TLS protocols.

If you provide more information on your environment someone may be able to assist you in upgrading to support modern TLS protocols.

@alex alex closed this as completed Apr 19, 2018
@Wilfred
Copy link
Author

Wilfred commented Apr 20, 2018
edited
Loading

@ewdurbin it was previously possible to access /simple without HTTPS as recently as January 2018. I have in my bash logs:

18-10-17 17:57  pip install --trusted-host pypi.python.org -i http://pypi.python.org/simple --upgrade $pkg

@ewdurbin
Copy link
Member

@Wilfred You were not communicating with the index over HTTP, in the request log you have supplied above, pip would have received a HTTP 301 with Location: https://pypi.python.org/simple and proceeded to follow the redirect into HTTPS.

The root issue here is that your client does not support TLSv1.2, and PyPI only supports TLSv1.2 or higher.

Again. If you are able to provide more information about your environment (OS version, TLS implementation and version, Python version, pip version) someone may be able to help you.

@MaxMood96 MaxMood96 mentioned this issue Sep 29, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@alex @Wilfred @brainwane @ewdurbin