1

When executing different scripts with Python 2.7.14, I keep running into Errors that seem to lead back to my OpenSSL installation.

E.g. when using requests:

requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:661)

I'm on:

  • Python 2.7.14
  • MacOS Mojave Version 10.14.3
  • NOT using homebrew ! (and would prefer not to)

Mac OS uses LibreSSL:

$ openssl version -a
LibreSSL 2.6.5
built on: date not available
platform: information not available
options:  bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"

$ which openssl
/usr/bin/openssl

However, my Python installations (from source) both use OpenSSL - two different versions:

$ python2.7 -c 'import ssl; print ssl.OPENSSL_VERSION'
OpenSSL 0.9.8zh 14 Jan 2016

$ python3.7 -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 1.1.0i  14 Aug 2018

I want to update the OpenSSL used with Python 2.7 without using homebrew (nor Anaconda), and without using an additional package, such as pyOpenSSL.

Most solutions I can find online suggest using homebrew and therefore don't answer my question:

None of my Python versions are installed using homebrew and I'd like to stay clean from further complicating my OS setup.

Considering that different versions of OpenSSL are installed, should I follow this suggestion and link Python 2.7 to the newer OpenSSL version?

  • Is that the best way to move forward?
  • What can go wrong?
  • What are viable alternatives?
  • Any good resource for learning to navigate the SSL-Python-jungle on Mac?
martin-martin
  • 3,274
  • 1
  • 33
  • 60
  • After checking with [SSLLabs](https://www.ssllabs.com/ssltest/), I think it might related to the issue [described here](https://stackoverflow.com/a/46188850/5717580) - even though [the page supports TLS 1.0](https://www.ssllabs.com/ssltest/analyze.html?d=free-proxy-list.net&s=104.27.149.235), which should thus work with my OpenSSL 0.9.8zh version that Python 2.7 is using? – martin-martin Jun 21 '19 at 03:20
  • *"None of my Python versions are installed using homebrew and I'd like to stay clean from further complicating my OS setup."* - it is unclear how your existing versions where installed. If updated versions can not be installed the same way then you need to recompile everything by hand, which definitely complicates your OS setup more than just using homebrew or Anaconda. – Steffen Ullrich Jun 21 '19 at 05:10
  • They are downloaded from the official Python download page: https://www.python.org/downloads/ and installed using the installer that comes with it. – martin-martin Jun 21 '19 at 08:50

1 Answers1

0

Given that the currently installed versions were the ones provided by python.org itself it should be sufficient to simply download and install the latest version again. Given the old version of OpenSSL on the 2.7.14 binary it looks like that this was compiled against the old version shipped with MacOS. With 2.7.15 this was changed as can be seen on the download page:

Attention macOS users: as of 2.7.15, all python.org macOS installers ship with a builtin copy of OpenSSL.

Thus, you can expect to have a recent OpenSSL in Python 2.7 just by installing the official version of 2.7.15 provided by python.org. Note that this is also the case for the Python 3.7 you already have.

Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172