Starting with Python 3.10, I get “CA MD TOO WEAK” when I try to “pip install” any Python package. Is it because my local Python package index is on a server that has weak certificates?

Background

We have an in-house PyPI server that provides (only) in-house packages. (We do not allow our package index to refer to the global PyPI package indexes at files.pythonhosted.org and pypi.org because of the security risk in which a malicious actor can post Trojan-horse packages on the global server with (guessed) names that match in-house package names.) Given the different package indexes, my pip.ini needs to identify both the local server and the global servers. The local server requires certificates.

My pip.ini is:

[global]
trusted-host = files.pythonhosted.org pypi.org <internal.host>
index-url = https://<internal.host>/devpi/root/<dir>/+simple
extra-index-url = https://pypi.org/simple/
cert = C:\Users\<user>\combined.cert.pem
client-cert = C:\Users\<user>\<user>.pem

[search]
index = https://<internal.host>/devpi/root/dir

When I upgraded from Python 3.9 to Python 3.10, ‘pip install anything’ failed with the message “CA MD TOO WEAK”. This does not happen when I avoid my pip.ini and install directly from the public servers.

circlepi314

1 Answer

Here's my attempt at answering my own question -- improvements and comments are welcome!

The short answer is "yes" -- I am getting the error because Python 3.10 now uses OpenSSL 1.1.1, along with security level 1, and my in-house server certificates don’t use enough bits, or rely on MD5.

The best fix is to get my server operators to use stronger certificates (and re-issue public certificates). The requirements for SSL security level 1 are given here. This might be a painful step for the IT team -- they'd have to re-issue certificates to everybody.

In the meantime, I need to downgrade to Python 3.9.

circlepi314
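A quick way to see which certificate in the `cert =` bundle trips the level-1 check before pip does, as an added example that is not part of the question or answer: it walks each certificate's DER just far enough to read the outer signatureAlgorithm OID and reports the ones whose digest OpenSSL refuses at security level 1 (stdlib only; the `openssl` version labels and the OID table are taken from the RFCs, and the sample DER in the test is constructed, not a real certificate).

```python
# Added example: locate MD5- (or, under OpenSSL 3.x, SHA-1-) signed certificates
# in a PEM bundle, the condition behind pip's "CA MD too weak" error.
import base64
import re

# Signature-algorithm OIDs from RFC 3279/4055/5758, mapped to their digest.
DIGEST_BY_OID = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}
# Security level 1 rejects MD5 signatures in OpenSSL 1.1.1; OpenSSL 3.x also rejects SHA-1.
REJECTED = {"1.1.1": {"md5"}, "3": {"md5", "sha1"}}

def _tlv(data, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_digest(der):
    """Digest name (or raw OID if unknown) of a DER certificate's outer signatureAlgorithm."""
    _, body, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, body)           # tbsCertificate, skipped as a whole
    _, alg, _ = _tlv(der, tbs_end)            # AlgorithmIdentifier ::= SEQUENCE
    tag, start, end = _tlv(der, alg)          # its first element is the OID
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = _decode_oid(der[start:end])
    return DIGEST_BY_OID.get(oid, oid)

def weak_certs(pem_text, openssl="1.1.1"):
    """Return [(index, digest)] for bundle entries the given OpenSSL line refuses at level 1."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    ders = [base64.b64decode("".join(b.split())) for b in blocks]
    return [(i, d) for i, d in enumerate(map(signature_digest, ders)) if d in REJECTED[openssl]]
```

Run `weak_certs(open(path).read())` on the bundle named by `cert =` in pip.ini; a non-empty result lists the entries (by position in the file) that the server operators need to re-issue.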