Inject securetransport support into pip

Older versions of OpenSSL (before 1.0.1) did not support TLSv1.2 and in the near future PyPI will be configured to *only* support TLSv1.2+. This allows us to utilize SecureTransport on these systems where the linked OpenSSL is *not* new enough to handle TLSv1.2.
2023-12-13 21:30:23 +01:00 · 2017-04-24 09:58:23 -04:00 · 2017-04-24 09:58:23 -04:00 · 84677844e3
parent bf5c388aa1
commit 84677844e3
2 changed files with 21 additions and 0 deletions
--- a/news/4454.bugfix
+++ b/news/4454.bugfix
@ -0,0 +1,2 @@
+Fallback to using SecureTransport on macOS when the linked OpenSSL is too old to
+support TLSv1.2.
--- a/pip/init.py
+++ b/pip/init.py
@ -20,6 +20,25 @@ import sys
 from pip._vendor.requests.packages.urllib3.exceptions import DependencyWarning
 warnings.filterwarnings("ignore", category=DependencyWarning)  # noqa

+# We want to inject the use of SecureTransport as early as possible so that any
+# references or sessions or what have you are ensured to have it, however we
+# only want to do this in the case that we're running on macOS and the linked
+# OpenSSL is too old to handle TLSv1.2
+try:
+    import ssl
+except ImportError:
+    pass
+else:
+    if (sys.platform == "darwin" and
+            ssl.OPENSSL_VERSION_NUMBER < 0x1000100f):  # OpenSSL 1.0.1
+        try:
+            from pip._vendor.requests.packages.urllib3.contrib import (
+                securetransport,
+            )
+        except (ImportError, OSError):
+            pass
+        else:
+            securetransport.inject_into_urllib3()

 from pip.exceptions import CommandError, PipError
 from pip.utils import get_installed_distributions, get_prog