Python + OSX OpenSSL Issue

I recently ran into an issue with the requests library in Python and TLS 1.1 and 1.2. I was trying to build out some scripts to configure some stuff in Cisco ACI but was getting errors when using HTTPS. Using HTTP, the script would execute just fine. Okay so that’s pretty obvious that the issue is around the encryption bits, but my good friend Google kind of let me down while searching for a fix.

So I started dorking about in ACI to see if there was anything I could do (who knows what!), and experimented with disabling TLS 1.1 and 1.2, leaving only TLS 1.0 enabled. This got me an SSLv3 error about invalid cert I believe. I started going down the path of forcing my script to use SSLv2 but got stymied pretty quickly there by my lack of Python skills. Okay so flipping TLS 1.1 and 1.2 back on I got a different error than with 1.0 on, which I guess is a good thing since it’s something new to search on… that error was about “connection error: error 54” or something like that.

Eventually I tested this same script out on an Ubuntu 15.10 box and it worked (with TLS 1.2) no problem… okay so what’s the difference between OSX and Ubuntu? Python was the same version on both boxes, so that ruled that out, same script, so no issue there, what else? After a bit of thinking (and Googling) I realized that it wasn’t any of those things, but the problem lay with OpenSSL! On my Macbook, I ran the command:

openssl version

This just displays the version — I was getting something like this:

OpenSSL 0.9.8zg 14 July 2015

Doesn’t take much Googling to realize that is a bit old since we are in 2016! So I started trying to figure out how to update that; turns out it’s nice and easy with brew:

brew update
brew install openssl

This installed the new version for me, but when I checked the version again it was still using the old one. So some more Googling and I discovered how to force the new version:

brew link openssl --force

Note that until the terminal window gets closed it will still show the old version when you do:

openssl version

After opening a new terminal window I’m showing:

OpenSSL 1.0.2f 28 Jan 2016

However I was still having issues with Python not connecting to my APIC. Turns out that Python was stuck tied to an older version. You can check that by hopping into the interpreter and importing the SSL library:

 >>> import ssl
 >>> print ssl.OPENSSL_VERSION
 OpenSSL 0.9.8zg 14 July 2015
 >>> exit()

Okay, so that’s not cool. Guess Python is compiled against the older version, so let’s update that and hook it to the newer OpenSSL:

brew install python --with-brewed-openssl

Now Python OpenSSL Version should be good:

 >>> import ssl
 >>> print ssl.OPENSSL_VERSION
 OpenSSL 1.0.2f 28 Jan 2016
 >>> exit()
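The same check as a small script, added here as an example and not part of the original post: it parses the two banners shown above and says whether the `openssl` CLI, Python's `ssl` module, or both are too old for TLS 1.2. The function names are hypothetical, and the 1.0.1 threshold is the OpenSSL release that introduced TLS 1.1/1.2, which the post does not state.

```python
import re
import ssl

# TLS 1.1 and 1.2 first shipped in OpenSSL 1.0.1; the 0.9.8 line tops out at TLS 1.0.
MIN_TLS12_OPENSSL = (1, 0, 1)
_BANNER_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner):
    """Split 'OpenSSL 0.9.8zg 14 July 2015' into (library, (maj, min, fix), letters)."""
    m = _BANNER_RE.match(banner.strip())
    if m is None:
        raise ValueError("unrecognised banner: %r" % (banner,))
    return m.group(1), tuple(int(m.group(i)) for i in (2, 3, 4)), m.group(5)


def supports_tls12(banner):
    library, version, _letters = parse_banner(banner)
    if library == "LibreSSL":
        return True  # LibreSSL was forked from OpenSSL 1.0.1g, so every release has TLS 1.2
    return version >= MIN_TLS12_OPENSSL


def diagnose(cli_banner, python_banner=None):
    """Compare what `openssl version` prints with what the ssl module is linked to."""
    if python_banner is None:
        python_banner = ssl.OPENSSL_VERSION  # the library this interpreter actually uses
    if supports_tls12(python_banner):
        return "ok"
    if supports_tls12(cli_banner):
        # The situation in the post: brew updated the CLI, Python still uses the old library.
        return "python-linked-against-old-openssl"
    return "system-openssl-too-old"


if __name__ == "__main__":
    # Banners copied from the post: the CLI after `brew link`, Python before the rebuild.
    print(diagnose("OpenSSL 1.0.2f 28 Jan 2016", "OpenSSL 0.9.8zg 14 July 2015"))
    # The interpreter running this script (Python 3), checked against the same CLI banner.
    print(ssl.OPENSSL_VERSION, "->", diagnose("OpenSSL 1.0.2f 28 Jan 2016"))
```
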

For some reason I had to close out of terminal and load it back up, then things worked. I also unlinked openssl with:

brew unlink openssl

Not entirely sure that’s needed or maybe I just wasn’t supposed to do that in the first place 🙂 In any case, my scripts are now working on my Macbook with TLS 1.1 and 1.2!

Hopefully this will help somebody else out since it took me entirely too long to figure this all out!

10 thoughts on “Python + OSX OpenSSL Issue”

  1. When I ran
    ~ % brew link --force openssl

    I get the following Warning:
    Warning: Refusing to link: openssl
    Linking keg-only openssl means you may end up linking against the insecure,
    deprecated system OpenSSL while using the headers from Homebrew’s openssl.
    Instead, pass the full include/library paths to your compiler e.g.:
    -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib

    How do you suggest I fix this?

  2. Have you guys run brew update? I wonder if it is trying to link to deprecated/old versions and is throwing a fit… other than that offhand I’ve got no idea, sorry!

  3. I got this error when trying to install python3 --with-brewed-openssl:

    Warning: python3: this formula has no --with-brewed-openssl option so it will be ignored!

  4. I’m having a similar problem – trying to get a newer version of SSL working in Enthought/Canopy Python 2.7. I try to update python using brew but it doesn’t affect the Enthought/Canopy version of Python and I end up with python
    Enthought Canopy Python 2.7.11 | 64-bit | (default, Jun 11 2016, 03:41:56)
    [GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.57)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import ssl
    >>> print ssl.OPENSSL_VERSION
    OpenSSL 0.9.8zh 14 Jan 2016

    This is preventing me from being able to download essential components of spiceypy

    Any suggestions?

    • If you’re using Mac’s default Python2.7 this is a nightmare to get working. Instead, use brew to install a new version of python 2 first.

      brew install openssl
      brew install python@2
      brew link --force openssl

      Took me a while to figure out.

  5. Python 3.6:
    My SSL problem got me here. Did not solve the entire problem.
    Just wanted to share the last piece of my solution, done after reinstalling python3 with the
    `brew install python3 --with-brewed-openssl`
    I ran the script at

    Seems brew does not include the `Install Certificates.command` to link OpenSSL with the keychain on OSX/MacOS. The script solves this.

  6. On MacOS High Sierra (10.13.4) I have managed to get python2 working with brewed openssl version 1.0.2o by manually creating directory /usr/local/Frameworks and manually giving myself write permission:
    $ sudo mkdir /usr/local/Frameworks
    $ sudo chmod go+w /usr/local/Frameworks

    Only after these two steps above, I was able to perform relinking python to brewed openssl library:
    $ brew link --force openssl
