30

Wondering if someone could please explain how OpenSSL works in Python 2.7. I'm not sure whether Python has its own OpenSSL or picks it up from the local machine/env.

let me explain: (if I do this in Python)

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8x 10 May 2012'

(In terminal)

$ openssl version
OpenSSL 0.9.8x 10 May 2012
$ which openssl 
/usr/bin/openssl

now I updated openssl (downloaded .)

$ cd openssl-1.0.1c
$ ./Configure darwin64-x86_64-cc --prefix=/usr --openssldir=/opt/local/etc/openssl shared
$ make
$ sudo make install

This created a separate directory (as specified), so I copied it to the old path

cp -f /usr/local/ssl/bin/openssl /usr/bin/openssl

now in terminal openssl version has been updated but not from python!

$ openssl version
OpenSSL 1.0.1c 10 May 2012

I did notice that the .dylib is still pointing to the old version; how can I change this?

$ ls -l /usr/lib/*ssl*
-rwxr-xr-x  1 root  wheel  411680 Jul 17  2012 /usr/lib/libssl.0.9.7.dylib
-rwxr-xr-x  1 root  wheel  602800 May 24 03:43 /usr/lib/libssl.0.9.8.dylib
-rwxr-xr-x  1 root  wheel  390908 Sep  9 17:37 /usr/lib/libssl.1.0.0.dylib
lrwxr-xr-x  1 root  wheel      18 Jul 17  2012 /usr/lib/libssl.dylib -> libssl.0.9.8.dylib

Update: I changed the link but still got the old version in Python.

$ ls -l /usr/lib/*ssl*
-rwxr-xr-x  1 root  wheel  411680 Jul 17  2012 /usr/lib/libssl.0.9.7.dylib
-rwxr-xr-x  1 root  wheel  602800 May 24 03:43 /usr/lib/libssl.0.9.8.dylib
-rwxr-xr-x  1 root  wheel  390908 Sep  9 17:37 /usr/lib/libssl.1.0.0.dylib
lrwxr-xr-x  1 root  wheel      18 Sep 11 15:47 /usr/lib/libssl.dylib -> libssl.1.0.0.dylib
Peter
  • 4
    Do not overwrite system OpenSSL by using an install prefix of / or /usr OR symlink/copy over system OpenSSL, or it will cause huge problems. You will break your system. –  Dec 23 '13 at 10:26

6 Answers

33

Please refer to http://rkulla.blogspot.kr/2014/03/the-path-to-homebrew.html

After upgrading openssl to 1.0.1j with Homebrew on Mac, the system python still referred to the old version 0.9.8. It turned out the python referred to openssl. So I installed a new python with brewed openssl and resolved this issue on Mac, not yet on Ubuntu.

On Mac OS X version 10.10 and system python version 2.7.6, my procedure is as follows:

$ brew update

$ brew install openssl

Then you can see openssl version 1.0.1j.

$ brew link openssl --force 

$ brew install python --with-brewed-openssl    

You have to install new python with brewed openssl. Then, you can see /usr/local/Cellar/python/2.7.8_2/bin/python.

$ sudo ln -s /usr/local/Cellar/python/2.7.8_2/bin/python /usr/local/bin/python

Of course, /usr/local/* should be owned by $USER, not root, as Ryan says, but I used 'sudo'. And, before this instruction, I didn't have /usr/local/bin/python. After this instruction, you can use python version 2.7.8, not 2.7.6.

Finally, you can see the following:

$ python --version  
Python 2.7.8

$ python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 1.0.1j 15 Oct 2014

Till now, I'm working on it on Ubuntu 12.04. If I have a solution for Ubuntu 12.04, then I will update my answer. I hope this procedure helps you.

xtreak
user2434741
  • This worked even though I did it slightly different. My steps: `$ brew update && brew install openssl`, skip the linking: `brew update python --with-brewed-openssl` I had already installed python with brew `$ /usr/local/Cellar/python/2.7.13_1/bin/python2 -c "import ssl; print ssl.OPENSSL_VERSION"` `OpenSSL 1.0.2l 25 May 2017` system version: `OpenSSL 0.9.8zh 14 Jan 2016` – user666406 Jul 25 '17 at 06:39
  • I get... curl: (23) Failed writing body (0 != 16384) Trying a mirror... ==> Downloading https://dl.bintray.com/homebrew/mirror/pkg-config-0.29.2.tar.gz Warning: Failed to create the file Warning: /Users/paulkenjora/Library/Caches/Homebrew/pkg-config-0.29.2.tar.gz.in Warning: complete: Permission denied – Paul Kenjora Sep 13 '17 at 13:06
  • 1
    Is there any equivalent to upgrade OpenSSL on Kivy instead of Python, like "$ brew install python --with-brewed-openssl"? – user761567 Jun 04 '18 at 06:08
19

Outdated SSL is a common issue on multiple platforms:

Here's the general approach...

0. Install OpenSSL

  • Option I: Install system packages of side-by-side OpenSSL 1.x libs (-dev or -devel) packages.

    # FreeBSD
    
    pkg install openssl
    OPENSSL_ROOT=/usr/local
    
    
    # Mac (brew)
    
    brew install openssl # DO NOT DO ANY WEIRD SYMLINK HACKS, ITS KEG-ONLY FOR A REASON!
    OPENSSL_ROOT="$(brew --prefix openssl)"
    
  • Option II: Install OpenSSL from source to a temporary directory

    OPENSSL_ROOT="$HOME/.build/openssl-1.0.1e"
    
    curl http://www.openssl.org/source/openssl-1.0.1e.tar.gz | tar zxvf -
    cd openssl-1.0.1e
    mkdir -p "$OPENSSL_ROOT"
    ./config no-hw --prefix="$OPENSSL_ROOT" --openssldir=...
    # osx (instead of previous line): ./Configure darwin64-x86_64-cc no-hw --prefix="$OPENSSL_ROOT" --openssldir=...
    make install
    cd ..
    rm -rf openssl-1.0.1e
    

1. Building Python from source

  • Option A: Use pyenv:

    export CONFIGURE_OPTS="CPPFLAGS=-I$OPENSSL_ROOT/include LDFLAGS=-L$OPENSSL_ROOT/lib [your other options here]"
    pyenv install 2.7.6
    
  • Option B: Install Python from source

    ./configure CPPFLAGS="-I$OPENSSL_ROOT/include" LDFLAGS="-L$OPENSSL_ROOT/lib" [your other options here]
    make
    # ...
    # if compiled openssl was used, it can be safely deleted because python's module ssl links openssl statically.
    

Example: FreeBSD 9.2 (skipping make install for demo purposes)

pkg install openssl curl gmake gdbm sqlite3 readline ncurses
OPENSSL_ROOT=/usr/local
curl http://www.python.org/ftp/python/2.7.6/Python-2.7.6.tar.xz | tar Jxvf -
cd Python-2.7.6
./configure CPPFLAGS="-I$OPENSSL_ROOT/include" LDFLAGS="-L$OPENSSL_ROOT/lib" [your other options here]
make
./python -c 'import ssl; print(ssl.OPENSSL_VERSION)' # osx: ./python.exe ...
# prints: OpenSSL 1.0.1e 11 Feb 2013

Afterwards, the temporary openssl libraries are no longer needed because the ssl module is statically linked with openssl into the python executable (verify using otool or readelf).

  • I had the same problem in https://stackoverflow.com/questions/46457404/how-can-i-compile-python-3-6-2-on-macos-with-openssl-from-homebrew/46476640#46476640 and your answer worked for me. This is still the correct answer in late 2017. You need to pass CPPFLAGS and LDFLAGS along with the `./configure` command; you can't set them in the environment or else setup.py won't notice them. – iLikeDirt Sep 28 '17 at 19:11
  • 4
    Can anyone explain to me why I have to rebuild/reinstall whole python if the only thing that needs an update is openssl? – normanius Apr 17 '18 at 08:51
  • 1
    @normanius If a binary statically links a library like OpenSSL, the linker merges it inside the binary and it cannot just be swapped out. If it were instead dynamically linked to a shared library, sometimes just the library can be updated and it picks up the new code... but this has to be done with great care. The point of compiling OpenSSL is to get newer versions of it. If only upgrading OpenSSL of a dynamically linked binary, it's possible to custom compile a new version of OpenSSL on top of the old one without recompiling Python. Python must also be configured with `--enable-shared`. –  May 19 '18 at 09:44
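The linkage check mentioned in the answer above (otool or readelf), as an added example that is not part of the original post: it reports which OpenSSL the running interpreter's `ssl` module uses and whether the compiled `_ssl` module depends on a shared libssl/libcrypto. It is written in Python 3 syntax (the thread uses Python 2 `print` statements); the function names and the two sample outputs are constructed for illustration.

```python
"""Which OpenSSL is this interpreter's ssl module bound to?"""
import re
import shutil
import ssl
import subprocess
import sys

# Constructed sample outputs (not captured from a real machine).
SAMPLE_OTOOL = (
    "/usr/local/lib/python2.7/lib-dynload/_ssl.so:\n"
    "\t/usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)\n"
    "\t/usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)\n"
    "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)\n"
)
SAMPLE_READELF = (
    " 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]\n"
    " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n"
)

def parse_linked_libs(tool_output):
    """Return the libraries named by `otool -L` or `readelf -d` output."""
    libs = []
    for line in tool_output.splitlines():
        needed = re.search(r"\(NEEDED\).*\[(.+?)\]", line)          # readelf -d
        if needed:
            libs.append(needed.group(1))
        elif line.startswith("\t") and " (compatibility" in line:   # otool -L
            libs.append(line.strip().split(" (compatibility")[0])
    return libs

def openssl_libs(libs):
    """Keep only libssl/libcrypto; empty means no direct dynamic dependency."""
    return [p for p in libs if re.match(r"lib(ssl|crypto)\b", p.rsplit("/", 1)[-1])]

def ssl_extension_path():
    """Path of the compiled _ssl module, or the interpreter if _ssl is built in."""
    import _ssl
    return getattr(_ssl, "__file__", None) or sys.executable

def inspect_binary(path):
    """Run the platform tool on `path`; None if the tool is not installed."""
    cmd = ["otool", "-L"] if sys.platform == "darwin" else ["readelf", "-d"]
    if shutil.which(cmd[0]) is None:
        return None
    out = subprocess.run(cmd + [path], capture_output=True, text=True).stdout
    return openssl_libs(parse_linked_libs(out))

if __name__ == "__main__":
    print("ssl.OPENSSL_VERSION:", ssl.OPENSSL_VERSION)
    target = ssl_extension_path()
    found = inspect_binary(target)
    print("inspected:", target)
    print("dynamic OpenSSL libs:", found if found is not None else "tool unavailable")
```

A non-empty list shows the exact shared library path that would have to change for Python to pick up a newer OpenSSL; an empty list means replacing a system libssl cannot affect this interpreter.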
4

This could be because of an outdated version of Python.

After running python -c "import ssl; print ssl.OPENSSL_VERSION" on Python 2.7.1, I saw that I had this outdated version: OpenSSL 0.9.7l 28 Sep 2006.

It seems as though my version of Python depended on a deprecated version of OpenSSL, as indicated by this forum:

For the upcoming Python 2.7.9 release (planned for early December), I intend to have the Pythons in the python.org OS X installers use their own versions of OpenSSL and thus no longer depend on the now-deprecated system OpenSSL.

I updated to Python 2.7.9 and the issue was immediately fixed. Now, after running python -c "import ssl; print ssl.OPENSSL_VERSION", I get OpenSSL 0.9.8za 5 Jun 2014.

aralar
1

The following worked for me. I was already able to update OpenSSL from 0.9.8zh to a 1.0.2o version, but python never accessed the newer version until I found this suggestion to use pyenv to reinstall python (with 2.7.10, the version I wanted).

brew update
brew install pyenv

echo 'eval "$(pyenv init -)"' >> .bashrc
source .bashrc

pyenv install 2.7.10
pyenv global 2.7.10

and then to check...

python --version
Python 2.7.10

python -c 'import ssl; print ssl.OPENSSL_VERSION'
OpenSSL 1.0.2o  27 Mar 2018

I did have to reinstall python packages of course.

Source: https://github.com/ianunruh/hvac/issues/75

bkinnell
1

I think python has recognized that this is an issue: https://www.python.org/downloads/release/python-2715/

Note

Attention macOS users: as of 2.7.15, all python.org macOS installers ship with a builtin copy of OpenSSL. Additionally, there is a new additional installer variant for macOS 10.9+ that includes a built-in version of Tcl/Tk 8.6. See the installer README for more information.

Simply installing 2.7.15 fixed my OpenSSL issues.

Community
KeelyD
-6

SOLVED NO HACKS, none of the above worked for me. I ended up taking a simpler and uncomplicated approach....

  1. Install python 2.7.13 from the official site, it actually installs as the default python, automatically upgrading the old python system wide ( yes! ).

https://www.python.org/downloads/mac-osx/

  2. Upgrade openssl after the python install. Updating it for system python ( yes! ).

sudo pip install --upgrade pyOpenSSL

  3. You will have to re-install all your python modules ( because you replaced python ), I strongly recommend using pip. After a few minutes of pip installs my default OSX python was upgraded, I had openssl upgraded, and I had all my modules ( including django running ).
Paul Kenjora
  • 2
    Please don't do this. Replacing the system python on something like RHEL could have some unwanted consequences. There's plenty of other tools that you can use to alt-install a different version of Python with a different version of OpenSSL. Conda is an example of such a tool. – disflux Apr 16 '18 at 18:19