
Warning on HTTPS connections

Open krmaxwell opened this issue 10 years ago • 7 comments

/home/kmaxwell/src/maltrieve/venv/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning

krmaxwell avatar Apr 03 '15 21:04 krmaxwell

So my inclination is that we should require valid certificates from the list sources (e.g. ZeusTracker) but not from the served samples themselves (because we expect badness there). Thoughts?

krmaxwell avatar Apr 03 '15 21:04 krmaxwell
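The split proposed in the comment above (valid certificates required from list sources, not from sample hosts) can be expressed as two TLS contexts chosen per URL. This is an added example, not maltrieve's own code: it uses Python 3's standard library instead of requests, and the host names and the functions `context_for` and `fetch` are constructed assumptions.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed placeholder hosts standing in for the list sources (assumption).
FEED_HOSTS = {"feeds.example.org", "tracker.example.net"}


def context_for(url, feed_hosts=FEED_HOSTS):
    """Return (role, SSLContext) for a URL the crawler is about to fetch."""
    host = (urlsplit(url).hostname or "").lower()
    # Exact host match only: "feeds.example.org.evil.example" is not a feed.
    if host in feed_hosts:
        # List sources decide what gets crawled, so keep chain and hostname
        # verification on (the create_default_context() defaults).
        return "feed", ssl.create_default_context()
    # Sample hosts are expected to present self-signed, expired or mismatched
    # certificates; accept them so the sample can still be collected.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return "sample", ctx


def fetch(url, timeout=20):
    """Fetch url with the TLS policy for its role; the body is untrusted bytes."""
    role, ctx = context_for(url)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return role, resp.read()


if __name__ == "__main__":
    for u in ("https://feeds.example.org/urls.txt",
              "https://203.0.113.7/payload.bin"):
        role, ctx = context_for(u)
        print(role, ctx.verify_mode.name, ctx.check_hostname, u)
```

Keeping the relaxed context out of the feed path means a certificate failure on a list source surfaces as an error instead of being silently accepted.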

Based on https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning , it looks like the real fix is to upgrade to v2.7.9 or greater.

krmaxwell avatar Apr 03 '15 21:04 krmaxwell

Orrrr to install the security extras.

krmaxwell avatar May 26 '15 15:05 krmaxwell

I do not think Ubuntu LTE has upgraded to that version yet on the standard install. I think it is a nice to have with the source list. It really shouldn't matter when downloading the samples as it is already malicious. People should also be using a Proxy.

On Tue, May 26, 2015 at 5:27 PM, Kyle Maxwell wrote:

Orrrr to install the security extras http://stackoverflow.com/a/29202163/1569808.


webstergd avatar May 26 '15 18:05 webstergd

For me, this is as much about the UX as anything else. All those warnings clutter up the display. Also, assuming that you're using pip install -r requirements.txt then we should be able to do everything via PyPI.

krmaxwell avatar May 26 '15 19:05 krmaxwell

Fully agree. That warning is an annoying one for sure.


webstergd avatar May 26 '15 21:05 webstergd

I was getting security errors also; did this to fix it.

apt-get install libffi-dev libssl-dev
pip install requests[security]

jrespeto avatar Jul 22 '15 11:07 jrespeto