Can I turn off Python (PiP) SSL cert validation with an ENV variable?

Question

I have a really bad network that uses a MITM cert to snoop on everyone's convos. This means I need to turn it off, for example, in node I use export NODE_TLS_REJECT_UNAUTHORIZED="0".

Is there a similar way to do this in Python to get around this issue?

---

Pretend I am security deficient (which I am). In my example for node I just configure an environmental variable and be done. This has me using a pem file (which I have no idea where to get). I tried downloading the cert chain but couldn't get it to a pem file. Is there really no more straight forward way to accomplish this? Honestly the way the network is set up I don't think I can even import just one cert.

---

I tried using this...

pip3 install itsdangerous --proxy=http://proxy.me.com:80 --index-url=http://pypi.python.org/simple/

Getting page http://pypi.python.org/simple/
Could not fetch URL http://pypi.python.org/simple/: timed out
Will skip URL http://pypi.python.org/simple/ when looking for download links for itsdangerous
Cannot fetch index base URL http://pypi.python.org/simple/

Still confirming that this isn't a red herring thanks to our proxy.

---

Also I've tried adding HTTP_PROXY and HTTPS_PROXY instead of the command line option. Still get the following result...

  pip3 install itsdangerous --index-url=http://pypi.python.org/simple/
  ...
  Downloading/unpacking itsdangerous
  Getting page http://pypi.python.org/simple/itsdangerous/
  Could not fetch URL http://pypi.python.org/simple/itsdangerous/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
  Will skip URL http://pypi.python.org/simple/itsdangerous/ when looking for download links for itsdangerous
  Getting page http://pypi.python.org/simple/
  Could not fetch URL http://pypi.python.org/simple/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

Also might be important...

pip 1.5.4 from /usr/lib/python3/dist-packages (python 3.4)

Answer 1

I have the exact same issue on my network. I did this to install pillow:

pip install Pillow --trusted-host pypi.python.org --index-url=http://pypi.python.org/simple/

...and it worked great for me. Hope it helps.

Answer 2

When I need to ignore the certificate validation chains I have used the following code:

import ssl

        try:
            _create_verified_https_context = ssl._create_default_https_context
            _create_unverified_https_context = ssl._create_unverified_context
        except AttributeError:
            pass
        else:
            # Handle target environment that doesn't support HTTPS verification. Save
            # a reference to the previous method so it is still available if needed.
            ssl._create_default_https_context = _create_unverified_https_context
            if not hasattr(ssl, '_create_verified_https_context'):
                ssl._create_verified_https_context = _create_verified_https_context

The above code will tell your SSL instance in your python to ignore unverified errors. You can also modify your SSL.py file directly to change the behavior.

You may want to also take a look at: https://docs.python.org/3/library/ssl.html#ssl.SSLContext