ssl error with the python mac binary

Ned Deily nad at acm.org
Mon Nov 10 23:51:02 CET 2014


In article 
<CACgdh2iG9+cLjj7mZ7qeALQd==pCRknnv8i_EeRj6AHjvg3cRQ at mail.gmail.com>,
 Paul Wiseman <poalman at gmail.com> wrote:
> I've been using the latest mac ppc/i386 binaries from python.org
> (https://www.python.org/ftp/python/2.7.8/python-2.7.8-macosx10.5.dmg).
> From what I can tell this version is linked against a pretty old
> version of OpenSSL (OpenSSL 0.9.7l 28 Sep 2006) which doesn't seem to
> be able to handle new sha-256 certificates.
> 
> For example I'm unable to use pip (I guess the certificate was updated 
> recently)

Yes, the current python.org certificate does seem to cause problems for 
that version of OpenSSL, unfortunately.

> Am I right in thinking this is an issue with the build of python
> itself? Is there a way I can upgrade the version of OpenSSL linked
> with python- or force the python build to look elsewhere for the
> library? Or will I have to build my own from source?

In the Pythons from the python.org OS X installers, the Python _ssl and 
_hashlib extension modules are dynamically linked with the 
system-supplied OpenSSL libraries.  If actually running on OS X 10.5, 
one would have to rebuild _ssl.so and _hashlib.so, linking them with a 
locally-supplied version of a newer OpenSSL, since different versions of 
OpenSSL are not ABI-compatible, e.g. 0.9.7 vs 0.9.8 vs 1.0.1.  If 
running on OS X 10.6 or later, another option might be to install from 
the 64-bit/32-bit installer which is a good idea to do anyway.  For pip 
usage, a workaround would be to manually download distributions from 
PyPI (or elsewhere) using a web browser and then use pip to install from 
the downloaded file.   The next version of pip is expected to have a 
--no-check-certificate option that bypasses the certificate check at the 
cost of reduced security.  For the upcoming Python 2.7.9 release 
(planned for early December), I intend to have the Pythons in the 
python.org OS X installers use their own versions of OpenSSL and thus no 
longer depend on the now-deprecated system OpenSSL.

-- 
 Ned Deily,
 nad at acm.org




More information about the Python-list mailing list