While working on my company-issued laptop, I have encountered this SSL handshake error multiple times. Often, when you work directly on the terminal to install a library or software.
Some popular apps, like Telegram, SimpleNote etc. fail to start or don’t allow you to sign-in without given any error or hint. However, these apps work perfectly fine on a personal computer. what’s the difference?
TLDR; Supply self-sign certificate to the program as an option OR ignore Cert check (security issue) e.g. pip install fastai — cert /home/user/certs/pypi.crt
Big Organization take Data Security in their hands…literally
In the online secure communication world, Data that is sent and received by your computer to the web is encrypted using Certificates issued by Trusted Certificate managers.
However, this is a double-edged sword. Since the data is encrypted, Your company can not see what is being sent out or being brought in by anyone and this is a big issue. It will risk the loss of IP, Data Protection, and will result in compliance & Regulatory issues.
To mitigate this problem; Enterprises often intercept the data coming in and out of the enterprise network. This is accomplished by issuing an Encryption Certificate that is issued by the Enterprise.
Self Sign Certificates and SSL handshake errors
Any Certificate not issued by a registered Trusted Certificate Managers is treated as a Self-signed Certificate. Browsers, APIs, and applications running on terminals e.g. PIP cURL etc. by default do not trust a self-sign certificate. Any attempt to use the self-sign certificate with default settings is terminated automatically.
However, above is the default behaviour; you can override by providing a self-sign certificate as an input to the program or by setting the self-sign certificate check to be turned off.
Example 1: Solve PIP install issue
Problem — Try to install a python package with the following command
pip install fastai
Error:
SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)])”))
Here the hidden issue is — Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate
Solution:
- Open a Browser (firefox):
- Go to: https://pypi.org/simple/pip
- If you are not able to access the link and are presented with a warning message: Then select “Accept the Risk” and add certs to the browser
- Now, in the address bar click on the little Lock Icon (shown below)
5. A new box will show you that your connection is ‘Secure’ and also gives you an additional option to get Certificate details
6. Click on Certificate and then details — an option to download the certificate is presented.
7. Save the certificate on your machine (tip: on the save dialogue box, select certificate chain to be saved and not a single cert) e.g. /home/user/certs/pypi.crt
8. Now on your terminal use the following command:
pip install fastai --cert /home/user/certs/pypi.crt
Conclusion:
If your company is using Self-Sign certificates then, supply this certificate to the program as an option Or if possible ignore certificate check e.g use -k with the curl command: curl -k GET https://pypi.org
