Braintree SDK SSLCertificateError on AppEngine local dev server

Question

The use of Braintree SDK under my local dev_appserver.py is returning following error on braintree.ClientToken.generate():

SSLError: SSLCertificateError:
Invalid and/or missing SSL certificate for URL:  
https://api.sandbox.braintreegateway.com:443/merchants/<merchant_id>/client_token

I am using the requests_toolbelt at the start of my server:

# Make requests work in GAE
import requests
from requests_toolbelt.adapters import appengine
appengine.monkeypatch()

Explicitly excluding SSL Validation doesn't work either (returns with the same error message):

appengine.monkeypatch(validate_certificate=False)

In fact, without requests_toolbelt, the error I get when calling .generate() is:

ProtocolError('Connection aborted.', error(13, 'Permission denied'))

I also tried the hack in the main.py of braintree-python-appengine project but I get the same SSL error message back.

My dev environment:

• MacOSX 10.11.6
• gcloud app Python Extensions 1.9.63
• Python 2.7.10
• requests==2.18.4
• braintree==3.39.0
• Flask==0.12.2

Note:

1. Once deployed to Google App Engine, I get the client token back without any problem
2. Directly use of requests on https://www.braintreepayments.com/ returns 200 without any errors

Answer 1

Braintree support kindly replied to my inquiry with (on 2017-11-20):

The error you're receiving is generally related to the SSL/TLS protocols being used when your app is run; our sandbox environment requires connections to be made via TLS 1.2, a requirement that does not yet apply to production.

From review, it appears that the protocols being used when the app is deployed locally are not valid for our environment. If the app settings are localised within the Google App Engine, that may be the cause of the issue; Python uses the system-supplied OpenSSL, and TLSv1.2 requires OpenSSL 1.0.1c or later.

So the root cause is my version of Python which uses an older version of OpenSSL:

$ python --version
Python 2.7.10

$ python
>> import ssl
>> ssl.OPENSSL_VERSION
>> 'OpenSSL 0.9.8zh 14 Jan 2016'

The solution is to upgrade my version of python via brew:

$ brew install python
$ python2 --version
Python 2.7.14

$ python2
>> import ssl
>> ssl.OPENSSL_VERSION
>> 'OpenSSL 1.0.2m  2 Nov 2017'

Then, launching my dev server using newly installed python solves the SSLCertificateError:

python2 $appserver_path/dev_appserver.py ...