"CA MD TOO WEAK" when installing from a local server with Python 3.10
Starting with Python 3.10, I get “CA MD TOO WEAK” when I try to “pip install” any Python package. Is it because my local Python package index is on a server that has weak certificates?
Background
We have an in-house PyPI server that provides (only) in-house packages. (We do not allow our package index to refer to the global PyPI package indexes at files.pythonhosted.org and pypi.org because of the security risk in which a malicious actor can post Trojan-horse packages on the global server with (guessed) names that match in-house package names.)
Given the different package indexes, my pip.ini needs to identify both the local server and the global servers. The local server requires certificates.
My pip.ini is:
[global]
trusted-host = files.pythonhosted.org pypi.org <internal.host>
index-url = https://<internal.host>/devpi/root/<dir>/+simple
extra-index-url = https://pypi.org/simple/
cert = C:\Users\<user>\combined.cert.pem
client-cert = C:\Users\<user>\<user>.pem
[search]
index = https://<internal.host>/devpi/root/dir
When I upgraded from Python 3.9 to Python 3.10, ‘pip install anything’ failed with the message “CA MD TOO WEAK”. This does not happen when I avoid my pip.ini and install directly from the public servers.
Comments (1)
Here's my attempt at answering my own question -- improvements and comments are welcome!
The short answer is "yes" -- I am getting the error because Python 3.10 now uses OpenSSL 1.1.1, along with security level 1, and my in-house server certificates don’t use enough bits, or rely on MD5.
The best fix is to get my server operators to use stronger certificates (and re-issue public certificates). The requirements for SSL security level 1 are given here. This might be a painful step for the IT team -- they'd have to re-issue certificates to everybody.
In the meantime, I need to downgrade to Python 3.9.
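To confirm which certificate in a PEM bundle carries the weak digest behind "CA MD TOO WEAK", the following added example (not part of the original post) reads each certificate's signature algorithm using only the standard library. The function names and `SAMPLE_DER` are assumptions made for illustration; the sample is a constructed DER skeleton, not a real certificate, and the check covers only the signature digest, not key size.

```python
import re
import ssl

# Signature-algorithm OIDs found in X.509 certificates (dotted form -> name).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, body, _ = _tlv(der, 0)              # enter the outer SEQUENCE
    _, _, tbs_end = _tlv(der, body)        # skip tbsCertificate
    _, alg, _ = _tlv(der, tbs_end)         # enter AlgorithmIdentifier
    tag, start, end = _tlv(der, alg)
    if tag != 0x06:
        raise ValueError("expected an OID in signatureAlgorithm")
    oid = _oid(der[start:end])
    return SIG_OIDS.get(oid, oid)          # unknown OIDs are returned dotted

def audit_bundle(pem_text):
    """List (position, algorithm, md_too_weak) for each certificate in a PEM bundle."""
    report = []
    for i, block in enumerate(PEM_RE.findall(pem_text)):
        name = signature_algorithm(ssl.PEM_cert_to_DER_cert(block))
        report.append((i, name, name.startswith("md5")))
    return report

# Constructed skeleton (not a real certificate): empty tbs, MD5 algorithm, 1-byte signature.
SAMPLE_DER = bytes.fromhex("3015" "3000" "300d06092a864886f70d0101040500" "03020000")
```

Passing the text of the files named by `cert` and `client-cert` in pip.ini to `audit_bundle` shows which entries would need re-issuing; private-key blocks in the same file are ignored.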