
SSL/TLS Inspection breaks python pip

With SSL/TLS inspection being utilized, I'm unable to install any python packages using pip. Here is the python error:

Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)'))) - skipping

Usually I can just add the domain to the Local TLS Exclusion List but when I add pypi.org, I still get the error. It's not until I completely bypass or disable the SSL/TLS inspection rule that it works.

  • Hi,

    I cannot say if it is similar to the issue I had with certificates.

    Added the domains in the exclusion list at WEB and it did not have any effect at first. Only after I shut down the appliance for 5 min and back on did all work as intended.

    Best regards

    Eli.

    • The issue with python pip is that python does not use the operating system's store of trusted CAs but has its own set.

      For pip, there is a command-line option --cert <CA file> that allows you to specify a different CA. You should be able to use this option to point pip to the CA file for the appliance.

      Of course, the other option is to exclude the pip servers (domain pypi.org) from decryption by adding the domain to the Local Exclusions URL group.
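Added example, not part of this thread or of pip itself: it shows which CA bundle pip actually verifies against (pip vendors certifi instead of reading the OS trust store), builds a private copy of that bundle with the inspection appliance's CA appended so that `--cert` / `pip config set global.cert` can point at it, and probes a host with a chosen bundle to report the issuer or the exact OpenSSL verify reason. `SAMPLE_PIP_ERROR` is the error text from the original post; the appliance CA PEM is an assumed placeholder you must export from the device.

```python
"""Added example (not from the thread): see which CA bundle pip trusts,
append an inspection appliance's CA to a private copy of it, and probe a
host to learn why verification fails."""
import re
import socket
import ssl

# The error text from the original post, kept here as the sample input.
SAMPLE_PIP_ERROR = (
    "Could not fetch URL https://pypi.org/simple/pip/: There was a problem "
    "confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', "
    "port=443): Max retries exceeded with url: /simple/pip/ (Caused by "
    "SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] "
    "certificate verify failed: unable to get local issuer certificate "
    "(_ssl.c:1076)'))) - skipping"
)

_PIP_ERR = re.compile(
    r"HTTPSConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\)"
    r".*?certificate verify failed: (?P<reason>.+?) \(_ssl"
)


def parse_pip_ssl_error(text):
    """Return (host, port, OpenSSL reason) from a pip SSL error line, or None."""
    m = _PIP_ERR.search(text)
    if m is None:
        return None
    return m.group("host"), int(m.group("port")), m.group("reason").strip()


def pip_ca_bundle():
    """Path of the bundle pip verifies against.

    pip vendors certifi rather than reading the OS trust store, which is why
    importing the appliance CA into the operating system alone does not help.
    Outside pip's vendored copy certifi may be absent; fall back to OpenSSL's
    default file so the function still returns a usable path (or None).
    """
    try:
        import certifi
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile


def merge_ca_pem(base_pem, extra_pem):
    """Return base_pem with extra_pem appended as its own PEM block.

    Write the result to a file and point pip at it with
    `pip config set global.cert <file>` (same effect as --cert / PIP_CERT).
    Do not edit certifi's own file: a pip upgrade overwrites it.
    """
    if not base_pem.endswith(b"\n"):
        base_pem += b"\n"
    return base_pem + extra_pem.strip() + b"\n"


def probe_tls(host, port=443, cafile=None, timeout=5.0):
    """Connect with the given bundle and report what verification sees.

    Returns ("ok", issuer CN) when the chain verifies, so you can tell whether
    the leaf was signed by the public CA or by the inspection appliance, or
    ("fail", OpenSSL verify message) otherwise. Needs network access, so the
    offline test does not call it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # issuer is a tuple of RDNs; each RDN is a tuple of (name, value)
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer.get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        return "fail", exc.verify_message


if __name__ == "__main__":
    print("pip error points at:", parse_pip_ssl_error(SAMPLE_PIP_ERROR))
    print("bundle pip trusts:", pip_ca_bundle())
    # Placeholder: replace with the PEM exported from the inspection appliance.
    APPLIANCE_CA_PEM = b"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
    with open(pip_ca_bundle(), "rb") as f:
        merged = merge_ca_pem(f.read(), APPLIANCE_CA_PEM)
    print("merged bundle size:", len(merged))
    print("probe with default bundle:", probe_tls("pypi.org"))
```

Running `probe_tls("pypi.org")` with the default bundle gives the same "unable to get local issuer certificate" reason pip reports when the appliance is still decrypting the connection; with the merged bundle it returns "ok" and the appliance CA's CN as issuer, which is a quick way to confirm whether an exclusion actually took effect before touching pip's configuration.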

      • As mentioned in my original post, adding pypi.org to the local exclusion URL group does not work. It results in the same certificate errors.

        I suppose I can try the first option you mentioned of manually adding a certificate to pip, but I’m more curious as to why pypi.org doesn’t seem to work with the local exclusion URL group.

        ---

        Sophos XG guides for home users: https://shred086.wordpress.com/

        • That would imply the URL is wrong.

          Ian

          XGS118 - v21.5.0

          XG115 converted to software licence v21.5.0

          If a post solves your question please use the 'Verify Answer' button.

          • I found that if I wanted to exclude pip traffic, instead of providing the CA at the command line, there are more URLs/domains that need to be excluded. It looks like pypi.org is just the initial database queries, but actual file downloads are hosted on other domains.

            files.pythonhosted.org is one. I don't know if this is the same for all packages, or whether it varies from one package to another.

            I found this out by looking in the SSL/TLS log for other connections from the same client IP immediately following the initial connection to pypi.org.
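Added example, not from the thread: the log correlation described in the last reply, done over sample log lines. The log format here is a constructed, simplified CSV (timestamp, client IP, SNI, action); the real appliance SSL/TLS log fields differ, so `parse_line()` is the only part you need to adapt. It finds every host the same client contacted within a short window after a connection to pypi.org, which is the candidate list for the Local TLS Exclusion List.

```python
"""Added example (not from the thread): correlate SSL/TLS inspection log
entries to find the other hosts a client contacts right after pypi.org."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log: 10.1.1.20 runs pip twice, 10.1.1.31 browses elsewhere.
SAMPLE_LOG = """\
2024-05-01 10:00:00,10.1.1.20,pypi.org,decrypt
2024-05-01 10:00:01,10.1.1.20,files.pythonhosted.org,decrypt
2024-05-01 10:00:02,10.1.1.31,example.org,decrypt
2024-05-01 10:00:03,10.1.1.20,pypi.org,decrypt
2024-05-01 10:00:04,10.1.1.20,files.pythonhosted.org,decrypt
2024-05-01 10:05:00,10.1.1.20,unrelated.example,decrypt
"""


def parse_line(row):
    """Map one CSV row to (timestamp, client IP, SNI, action); adapt for real logs."""
    ts, src, sni, action = row
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, sni, action


def related_domains(log_text, seed="pypi.org", window=timedelta(seconds=30)):
    """Return {sni: hit_count} for hosts the same client IP contacted within
    `window` after each decrypted connection to `seed`, excluding the seed."""
    events = [parse_line(r) for r in csv.reader(StringIO(log_text)) if r]
    events.sort(key=lambda e: e[0])
    found = {}
    for i, (ts, src, sni, _) in enumerate(events):
        if sni != seed:
            continue
        # Walk forward in time from this seed connection only.
        for ts2, src2, sni2, action2 in events[i + 1:]:
            if ts2 - ts > window:
                break
            if src2 == src and sni2 != seed and action2 == "decrypt":
                found[sni2] = found.get(sni2, 0) + 1
    return found


def exclusion_candidates(log_text, seed="pypi.org", min_hits=1):
    """Hosts seen at least `min_hits` times after `seed`, sorted for review."""
    hits = related_domains(log_text, seed)
    return sorted(h for h, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    for host, n in sorted(related_domains(SAMPLE_LOG).items()):
        print(f"{host}: {n} connections following pypi.org")
    print("add to exclusion list:", exclusion_candidates(SAMPLE_LOG))
```

Raise `min_hits` on a busy network so one-off connections from the same client do not end up in the exclusion list; the window only needs to be long enough to cover the gap between pip's index query and the start of the package download.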