Option to disable SSL verify

[pawamoy]

• I have searched the issues of this repo and believe that this is not a duplicate.
• I have searched the documentation and believe that my question is not covered.

Feature Request

I'm trying to use poetry in a corporate environment. We have a private server and index for packages, and conda is setup to not verify SSL. Unfortunately, I didn't find a similar option or configuration for Poetry, so when I try to install a package with Poetry, it fails (SSLError).

I managed to get it to work by changing two lines in

https://github.com/sdispater/poetry/blob/51c7042160a74adf14038460468e5e5a72b0d965/poetry/repositories/legacy_repository.py#L415-L426

...to this:

     def _download(self, url, dest):  # type: (str, str) -> None
-        r = self._session.get(url, stream=True)
+        r = self._session.get(url, stream=True, verify=False)
         with open(dest, "wb") as f:
             for chunk in r.iter_content(chunk_size=1024):
                 if chunk:
                     f.write(chunk)

     def _get(self, endpoint):  # type: (str) -> Union[Page, None]
         url = self._url + endpoint
-        response = self._session.get(url)
+       response = self._session.get(url, verify=False)
         if response.status_code == 404:
             return

         return Page(url, response.content, response.headers)

Obviously we would use a value specified in the config.toml instead of a literal False.

[pawamoy]

I guess other modifications will be needed to be able to publish as well.

EDIT: I realize the code has changed now that 1.0 is live. My patch is not enough anymore. There's the _download method in pypi_repository.py to patch as well, but I still get the SSLError.

[pawamoy]

After talking with some colleagues, it seems that a better solution is to install the Certificate Authorities (CA) of your corporation on your system and configure your tools to use it, instead of disabling SSL verification (which is bad?).

There is a great answer on how to do this for Windows or Linux on this stackoverflow post.

I'm leaving this issue open since there were some upvotes, but I don't consider it myself a priority anymore.

[blunt1973]

really need this option too

[enicklas]

We have exactly the same issue. It would be great to have this option, similar to pip's trusted-host

[Celeborn2BeAlive]

I agree and I would argue that it is required to have such option to use poetry in a corporate environment with multiple private pipy indexes. You just don't want to have to deal with certificates when you know the repository is yours and can be trusted.
Having some option "trusted = true" under [[tool.poetry.source]] section could be great to specify this.

[piotr-kopacki]

Any progress on that?

[jhonatanTeixeira]

So, i have to stay using crappy pipenv because poetry doesn't have this super basic configuration

[Shackelford-Arden]

For what it's worth here, I've used this to succesfully bypass SSL validation without any code changes to Poetry:

https://stackoverflow.com/questions/48391750/disable-python-requests-ssl-validation-for-an-imported-module

TL;DR;

Set the CURL_CA_BUNDLE environment variable to an empty string.

[francoposa]

It looks like the poetry core PR is close to acceptance? python-poetry/poetry-core#80

This would be the last blocker for us to move over from pip.

We could set up a cert for the internal repository but this would be a much more direct path to adoption.

[absassi]

As I commented in python-poetry/poetry-core#80, I disagree with adding the option to pyproject.toml, because it is not consistent with the rest of TLS validation configuration that is already defined in the certificates.<repo> user config tree and because whether TLS validation should be disabled or not is a decision that might be different for each user. Also, in some cases, users might want to disable TLS validation without modifying the project code.

In my view, disabling the validation or defining the path to the CA file are basically the same configuration (so much that curl has only one single env var for both cases) and should be located in the same place. Either both in user configuration or both in the project, and I think in the user configuration makes more sense. I don't have anything against to allow defining them in both places (in case of defining the CA file in the project, it could be a relative path to allow one to commit it, although the security implications of this deserve further analysis, I think).

[jouve]

I found running poetry with a empty CURL_CA_BUNDLE env variable disable ssl verification:

CURL_CA_BUNDLE= poetry add ...
Resolving dependencies... (84.0s)xxxxxxxxxx/venv/lib/python2.7/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host 'localhost'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning

[Shackelford-Arden]

Just as a follow up to my previous comment using the CURL_CA_BUNDLE, I've followed the suggestion of @pawamoy and simply ensured that I have the appropriate certificates on the system I'm using poetry on. Once I know I've got the certificate on the system, I set the path to the CA certs using the REQUESTS_CA_BUNDLE variable to set the path.

Preference to use this variable over the cURL one as requests is the underlying piece making the calls here and by default does not look at the system's certificates and uses some CA certificates that are bundled in.

[pawamoy]

I'm also setting REQUESTS_CA_BUNDLE, and the more generic SSL_CERT_FILE, which is used by tools like HTTPX and OpenSSL.

[jouve]

I've found about CURL_CA_BUNDLE by serendipity (was set for curl) ;)

Looking at the code, it's used as a fallback for REQUESTS_CA_BUNDLE in requests : https://github.com/psf/requests/blob/c45a4dfe6bfc6017d4ea7e9f051d6cc30972b310/requests/sessions.py#L718

SSL_CERT_FILE was requested but never implemented : https://github.com/psf/requests/search?q=SSL_CERT_FILE&type=issues

[pawamoy]

Well I actually used that CURL_CA_BUNDLE="" trick today, so thanks a lot @jouve 😄

[FranzForstmayr]

It would be great to specify this only for dedicated sources, e.g. a company gitlab instance.

[[tool.poetry.source]]
name = "gitlab-pypi"
url = "https://gitlab.in.my.company/api/v4/groups/<group>/-/packages/pypi/simple"
ssl_verify = false

[PrzemyslawSagalo]

It would be great to specify this only for dedicated sources, e.g. a company gitlab instance.

[[tool.poetry.source]]
name = "gitlab-pypi"
url = "https://gitlab.in.my.company/api/v4/groups/<group>/-/packages/pypi/simple"
ssl_verify = false

Maybe it will be even better to have it compatible with pip and change ssl_verify=false to trusted-host=true

[stealthrabbi]

Doing CURL_CA_BUNDLE="" poetry add my-package still gives me an SSL error. THis is running on Windows 10, in a git bash terminal

[Dragas]

Doing CURL_CA_BUNDLE="" poetry add my-package still gives me an SSL error. THis is running on Windows 10, in a git bash terminal

That is because poetry spawns its own shell, and you're setting environment variables incorrectly. I would really like to see a configuration option instead of depending on environment variables, which already are acting flaky on windows, as setting an environment variable to an empty string is meant to delete it.

See: https://ss64.com/ps/syntax-env.html

[jouve]

the guys at request broke the CURL_CA_BUNDLE workaround psf/requests#6074

[Dragas]

I think the solution is to build your own CA bundle. Maintainer of requests library will not budge on this one, since thats where the issue really is. See psf/requests#6071. I do agree with maintainer's stance, but it becomes tedious after 6th time security team rerolls the certificate. The main issue with TLS is that the one time it works, people start looking for ways to disable it. It's a shame that fad is still present, and the big flashy error "Self signed certificate in chain" points to "lol just disable security"

…

On Mon, Aug 22, 2022, 22:37 Mark ***@***.***> wrote: Is there a solution for this yet? I spent all day today fiddling with poetry config to no avail. No matter what I do, it will not accept my (self-signed) CA certificate for Gitlab and there doesn't seem to be any way to disable ssl verification. — Reply to this email directly, view it on GitHub <#1556 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABOMALC2IIKZSZZM3E4ZH6LV2PJIFANCNFSM4JKZHLGQ> . You are receiving this because you commented.Message ID: ***@***.***>

[simonvdk]

Starting from 1.2:

https://python-poetry.org/docs/repositories/#certificates

The value of certificates..cert can be set to false if certificate verification is required to be skipped.

[HuM4NoiD]

What should be the <name> in certificates.<name>.cert when I want to disable it for the default pypi repository?
I tried setting certificates.pypi.cert to false and even used a ca bundle (pem file) but it still gives me this problem

[neersighted]

You need to replace pypi as the repository by setting a new default -- for security reasons, I do believe that there is no way to turn off verification for PyPI.

[BjoernPetersen]

I do wonder though, why would you want to disable the verification for the pypi.org certificate, @HuM4NoiD? Did you perchance encounter the bug #2839?

[HuM4NoiD]

I am unable to run poetry update or poetry add <package> in a poetry project directory or run poetry self update without getting this kind of error:

HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/76/97/2a99f020be5e4a5a97ba10bc480e2e6a889b5087103a2c6b952b5f819d27/crashtest-0.3.1-py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

Poetry version is 1.2.0
Base python interpreter version is 3.10.6

I work on a machine behind a corporate firewall that uses self signed certificates (which I have bundled together)
pip that came with python is configured to use a proxy url and the bundle of self signed certificates provided by my organisation. all packages install properly with pip.

I only intend to use pypi.org package index for now and to either get the ssl verification working with poetry using my certificate bundle or disabling ssl verification altogether

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.