MacOS pkg bundles openssl, but doesn't include a cert bundle?
Hi, installing the latest 2.7.16 MacOS installer, functions in urllib will attempt to load trusted certs from:
/Library/Frameworks/Python.framework/Versions/2.7/etc/openssl/cert.pem
But this file is not shipped with the installer package - this makes urlretrieve and friends fail on https hosts - perhaps the installer should ship a bundle or enable using something like certifi if it's installed?
AFAIK Apple has deprecated openssl libs as shipped with the OS a long time ago and only support their proprietary framework crypto apis and on MacOS Catalina and newer.
thx
m
-- Matt Billenstein matt@vazor.com http://www.vazor.com/
On Mar 23, 2020, at 20:30, Matt Billenstein via Python-Dev <python-dev@python.org> wrote:
Hi, installing the latest 2.7.16 MacOS installer, functions in urllib will attempt to load trusted certs from:
/Library/Frameworks/Python.framework/Versions/2.7/etc/openssl/cert.pem
But this file is not shipped with the installer package - this makes urlretrieve and friends fail on https hosts - perhaps the installer should ship a bundle or enable using something like certifi if it's installed?
Python 2.7.17 is the most recent 2.7.x release. You should be using it instead of 2.7.16.
When you open one of the current macOS Installer packages from python.org, the first (Welcome) display includes the following text:
"At the end of this install, click on Install Certificates to install a set of current SSL root certificates."
The second display (ReadMe) in the Installer includes the following section:
"Certificate verification and OpenSSL
This package includes its own private copy of OpenSSL 1.0.2. The trust certificates in system and user keychains managed by the Keychain Access application and the security command line utility are not used as defaults by the Python ssl module. A sample command script is included in /Applications/Python 2.7 to install a curated bundle of default root certificates from the third-party certifi package (https://pypi.org/project/certifi/). Double-click on Install Certificates to run it.
The bundled pip has its own default certificate store for verifying download connections."
By default, a copy of that ReadMe is saved as a file in /Application/Python 2.7/ should you need to refer to it, along with the "Install Certificates.command" file.
We do not currently ship a set of certificates with the installer directly because any of them could be replaced or invalidated over the lifetime of the installer package.
Hope that helps.
-- Ned Deily nad@python.org
Thanks Ned - confirmed that works in 2.7.17 - maybe it was there in 2.7.16 and I just overlooked that messaging in the last step.
m
On Mon, Mar 23, 2020 at 09:11:09PM -0400, Ned Deily wrote:
On Mar 23, 2020, at 20:30, Matt Billenstein via Python-Dev <python-dev@python.org> wrote:
Hi, installing the latest 2.7.16 MacOS installer, functions in urllib will attempt to load trusted certs from:
/Library/Frameworks/Python.framework/Versions/2.7/etc/openssl/cert.pem
But this file is not shipped with the installer package - this makes urlretrieve and friends fail on https hosts - perhaps the installer should ship a bundle or enable using something like certifi if it's installed?
Python 2.7.17 is the most recent 2.7.x release. You should be using it instead of 2.7.16.
When you open one of the current macOS Installer packages from python.org, the first (Welcome) display includes the following text:
"At the end of this install, click on Install Certificates to install a set of current SSL root certificates."
The second display (ReadMe) in the Installer includes the following section:
"Certificate verification and OpenSSL
This package includes its own private copy of OpenSSL 1.0.2. The trust certificates in system and user keychains managed by the Keychain Access application and the security command line utility are not used as defaults by the Python ssl module. A sample command script is included in /Applications/Python 2.7 to install a curated bundle of default root certificates from the third-party certifi package (https://pypi.org/project/certifi/). Double-click on Install Certificates to run it.
The bundled pip has its own default certificate store for verifying download connections."
By default, a copy of that ReadMe is saved as a file in /Application/Python 2.7/ should you need to refer to it, along with the "Install Certificates.command" file.
We do not currently ship a set of certificates with the installer directly because any of them could be replaced or invalidated over the lifetime of the installer package.
Hope that helps.
-- Ned Deily nad@python.org
-- Matt Billenstein matt@vazor.com http://www.vazor.com/
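The check discussed in this thread, as an added example that is not part of the original messages or of the python.org installer: it reports the CA locations compiled into the interpreter's OpenSSL, and chooses between the default store and a certifi bundle while keeping verification on. The function names are hypothetical; certifi is assumed to be optional.

```python
import os
import ssl


def trust_store_report(paths=None):
    """Describe where this interpreter's OpenSSL looks for CA certificates."""
    p = paths or ssl.get_default_verify_paths()
    # p.cafile / p.capath already honour SSL_CERT_FILE / SSL_CERT_DIR and are
    # None when nothing exists at the location; openssl_cafile is the
    # compiled-in path (the cert.pem location quoted in the thread).
    file_ok = bool(p.cafile) and os.path.isfile(p.cafile)
    dir_ok = bool(p.capath) and os.path.isdir(p.capath) and bool(os.listdir(p.capath))
    return {
        "compiled_in_cafile": p.openssl_cafile,
        "compiled_in_capath": p.openssl_capath,
        "usable": file_ok or dir_ok,
    }


def choose_ca_source(paths=None, certifi_bundle=None):
    """Return ("default", None) or ("certifi", path); raise if neither exists."""
    report = trust_store_report(paths)
    if report["usable"]:
        return "default", None
    if certifi_bundle is None:
        try:
            import certifi  # third-party package named in the installer ReadMe
            certifi_bundle = certifi.where()
        except ImportError:
            pass
    if certifi_bundle and os.path.isfile(certifi_bundle):
        return "certifi", certifi_bundle
    # Fail closed: never fall back to an unverified context.
    raise RuntimeError("no CA certificates at %s and certifi is unavailable"
                       % report["compiled_in_cafile"])


def make_verified_context():
    """Build a context that still requires a valid chain and hostname match."""
    source, cafile = choose_ca_source()
    ctx = ssl.create_default_context(cafile=cafile)
    return source, ctx


if __name__ == "__main__":
    print(trust_store_report())
```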