Not able to install Python packages [SSL: TLSV1_ALERT_PROTOCOL_VERSION]

170

I am trying to install a Python library using pip, getting an SSL error:

~/projects/base pre-master± pip install xdict

Collecting xdict
  Could not fetch URL https://pypi.python.org/simple/xdict/: There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590) - skipping
  Could not find a version that satisfies the requirement xdict (from versions: )
No matching distribution found for xdict

pip version: pip 9.0.1

How do I fix this error?

This question is tagged with python python-2.7 pip ssl-certificate

~ Asked on 2018-04-11 07:15:48

The Best Answer is


447

Upgrade pip as follows:

curl https://bootstrap.pypa.io/get-pip.py | python

Note: You may need to use sudo python above if not in a virtual environment.

(Note that upgrading pip using pip, i.e. pip install --upgrade pip, will also not upgrade it correctly. It's just a chicken-and-egg issue. pip won't work unless using TLS >= 1.2.)

As mentioned in this detailed answer, this is due to the recent TLS deprecation for pip. Python.org sites have stopped support for TLS versions 1.0 and 1.1.

From the Python status page:

Completed - The rolling brownouts are finished, and TLSv1.0 and TLSv1.1 have been disabled. Apr 11, 15:37 UTC


For PyCharm (virtualenv) users:

  1. Run virtual environment with shell. (replace "./venv/bin/activate" with your own path)

    source ./venv/bin/activate
    
  2. Run upgrade

    curl https://bootstrap.pypa.io/get-pip.py | python
    
  3. Restart your PyCharm instance, and check your Python interpreter in Preference.

~ Answered on 2018-04-11 07:29:02


28

But if the curl command itself fails with an error, or "tlsv1 alert protocol version" persists even after upgrading pip, it means your operating system's underlying OpenSSL library version < 1.0.1 or Python version < 2.7.9 (or < 3.4 in Python 3) does not support the newer TLS 1.2 protocol that pip needs to connect to PyPI since about a year ago. You can easily check it in the Python interpreter:

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8o 01 Jun 2010'
>>> ssl.PROTOCOL_TLSv1_2
 AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'

The AttributeError (instead of expected '5') means your Python stdlib ssl module, compiled against old openssl lib, is lacking support for the TLSv1.2 protocol (even if the openssl library can or could be updated later).

Fortunately, it can be solved without upgrading Python (and the whole system), by manually installing extra Python packages -- the detailed step-by-step guide is available here on Stackoverflow.

Note, curl and pip and wget all depend on the same OpenSSL lib for establishing SSL connections (use $ openssl version command). libcurl supports TLS 1.2 since curl version 7.34, but older curl versions should be able to connect if you had OpenSSL version 1.0.2 (or later).


P.S.
For Python 3, please use python3 and pip3 everywhere (unless you are in a venv/virtualenv), including the curl command from above:
$ curl https://bootstrap.pypa.io/get-pip.py | python3 - --user

~ Answered on 2018-04-23 23:35:59
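
The interpreter check from the answer above, turned into a script that reports every reason the local Python cannot negotiate TLS 1.2. This is an added example, not part of the original answers; the function names and the sample version tuples in the comments are assumptions, and the thresholds are the ones quoted in the answer.

```python
from __future__ import print_function
import ssl
import sys

# Minimum versions as stated in the answer above.
MIN_OPENSSL = (1, 0, 1)
MIN_PY2 = (2, 7, 9)
MIN_PY3 = (3, 4)


def dotted(info):
    """Format the first three fields of a version tuple as 'x.y.z'."""
    return ".".join(str(n) for n in info[:3])


def tls12_problems(openssl_info, has_tls12_const, py_info):
    """Return the reasons an interpreter cannot speak TLS 1.2.

    openssl_info    -- tuple shaped like ssl.OPENSSL_VERSION_INFO
    has_tls12_const -- whether the ssl module exposes PROTOCOL_TLSv1_2
    py_info         -- tuple shaped like sys.version_info
    An empty list means none of the conditions from the answer apply.
    """
    problems = []
    if tuple(openssl_info[:3]) < MIN_OPENSSL:
        problems.append("OpenSSL %s is older than %s"
                        % (dotted(openssl_info), dotted(MIN_OPENSSL)))
    minimum = MIN_PY2 if py_info[0] == 2 else MIN_PY3
    if tuple(py_info[:3]) < minimum:
        problems.append("Python %s is older than %s"
                        % (dotted(py_info), ".".join(map(str, minimum))))
    if not has_tls12_const:
        # The AttributeError case: ssl was compiled against an old OpenSSL.
        problems.append("ssl module has no PROTOCOL_TLSv1_2")
    return problems


def local_report():
    """Run the check against the interpreter executing this script."""
    return tls12_problems(ssl.OPENSSL_VERSION_INFO,
                          hasattr(ssl, "PROTOCOL_TLSv1_2"),
                          sys.version_info)


if __name__ == "__main__":
    found = local_report()
    print(ssl.OPENSSL_VERSION)
    for line in found or ["no TLS 1.2 blockers found"]:
        print(line)
    sys.exit(1 if found else 0)
```

Run it with the same interpreter that pip uses (for example the one inside the virtualenv), since each Python build links its own OpenSSL.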

