Python + OSX OpenSSL Issue

I recently ran into an issue with the requests library in Python and TLS 1.1 and 1.2. I was trying to build out some scripts to configure some stuff in Cisco ACI but was getting errors when using HTTPS. Using HTTP, the script would execute just fine. Okay, so it’s pretty obvious that the issue is around the encryption bits, but my good friend Google kind of let me down while searching for a fix.

So I started dorking about in ACI to see if there was anything I could do (who knows what!), and experimented with disabling TLS 1.1 and 1.2, leaving only TLS 1.0 enabled. This got me an SSLv3 error about an invalid cert, I believe. I started going down the path of forcing my script to use SSLv2 but got stymied pretty quickly there by my lack of Python skills. Okay, so flipping TLS 1.1 and 1.2 back on I got a different error than with 1.0 on — which I guess is a good thing since it’s something new to search on… that error was about “connection error: error 54” or something like that.

Eventually I tested this same script out on an Ubuntu 15.10 box and it worked (with TLS 1.2) no problem… okay, so what’s the difference between OSX and Ubuntu? Python was the same version on both boxes, so that ruled that out, same script, so no issue there, what else? After a bit of thinking (and Googling) I realized that it wasn’t any of those things, but the problem lay with OpenSSL! On my Macbook, I ran the command:

openssl version

This just displays the version — I was getting something like this:

OpenSSL 0.9.8zg 14 July 2015

Doesn’t take much Googling to realize that is a bit old since we are in 2016! So I started trying to figure out how to update that; turns out it’s nice and easy with brew:

brew update
brew install openssl

This installed the new version for me, but when I checked the version again it was still using the old one. So some more Googling and I discovered how to force the new version:

brew link openssl --force

Note that until the terminal window gets closed it will still show the old version when you do:

openssl version

After opening a new terminal window I’m showing:

OpenSSL 1.0.2f 28 Jan 2016

However, I was still having issues with Python not connecting to my APIC. Turns out that Python was stuck tied to an older version; you can check that by hopping into the interpreter and importing the SSL library:

python
 >>> import ssl
 >>> print ssl.OPENSSL_VERSION
 OpenSSL 0.9.8zg 14 July 2015
 >>> exit()

Okay, so that’s not cool. Guess Python is compiled against the older version, so let’s update that and hook it to the newer OpenSSL:

brew install python --with-brewed-openssl

Now Python OpenSSL Version should be good:

python
 >>> import ssl
 >>> print ssl.OPENSSL_VERSION
 OpenSSL 1.0.2f 28 Jan 2016
 >>> exit()

For some reason I had to close out of terminal and load it back up, then things worked. I also unlinked openssl with:

brew unlink openssl

Not entirely sure that’s needed or maybe I just wasn’t supposed to do that in the first place 🙂 In any case, my scripts are now working on my Macbook with TLS 1.1 and 1.2!

Hopefully this will help somebody else out since it took me entirely too long to figure this all out!
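
The check that mattered in this post is that the openssl command and the library Python is linked against can be two different builds. The script below is an added example, not from the original post, written in Python 3 syntax; the function names are hypothetical. It parses both version banners, flags a library older than OpenSSL 1.0.1 (the first release with TLS 1.1 and 1.2), and flags a mismatch between the two.

```python
import re
import shutil
import ssl
import subprocess

# TLS 1.1 and 1.2 first shipped in OpenSSL 1.0.1; the 0.9.8 series stops at TLS 1.0.
MIN_FOR_TLS12 = (1, 0, 1)
BANNER_RE = re.compile(r"^(\w+)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner):
    """Split 'OpenSSL 0.9.8zg 14 July 2015' into ('OpenSSL', (0, 9, 8), 'zg')."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    return m.group(1), tuple(int(g) for g in m.group(2, 3, 4)), m.group(5)


def supports_tls12(banner):
    """True/False for OpenSSL builds; None for forks with their own numbering."""
    flavor, numeric, _ = parse_banner(banner)
    if flavor != "OpenSSL":
        return None
    return numeric >= MIN_FOR_TLS12


def cli_banner():
    """Banner of the first `openssl` on PATH, or None if there is none."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    done = subprocess.run([exe, "version"], capture_output=True, text=True, timeout=10)
    return done.stdout.strip() or None


def diagnose(python_banner, shell_banner):
    """Findings for the library Python links against versus the CLI."""
    findings = []
    if supports_tls12(python_banner) is False:
        findings.append("Python's ssl module is linked against a pre-1.0.1 OpenSSL")
    if shell_banner and parse_banner(shell_banner) != parse_banner(python_banner):
        findings.append("openssl CLI and Python's ssl module are different builds")
    return findings


if __name__ == "__main__":
    print("python ssl :", ssl.OPENSSL_VERSION)
    print("openssl CLI:", cli_banner())
    for finding in diagnose(ssl.OPENSSL_VERSION, cli_banner()):
        print("!", finding)
```

Run it with the same interpreter your script uses, since a Homebrew Python and the system Python can report different libraries.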


6 thoughts on “Python + OSX OpenSSL Issue”

  1. When I ran
    ———————————————
    ~ % brew link --force openssl
    ———————————————

    I get the following Warning:
    ————————————————————————————————————————
    Warning: Refusing to link: openssl
    Linking keg-only openssl means you may end up linking against the insecure,
    deprecated system OpenSSL while using the headers from Homebrew’s openssl.
    Instead, pass the full include/library paths to your compiler e.g.:
    -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib
    ————————————————————————————————————————

    How do you suggest I fix this?

  2. Have you guys run brew update? I wonder if it is trying to link to deprecated/old versions and is throwing a fit… other than that offhand I’ve got no idea, sorry!

  3. I got this error when trying to install python3 --with-brewed-openssl:

    Warning: python3: this formula has no --with-brewed-openssl option so it will be ignored!

  4. I’m having a similar problem – trying to get a newer version of SSL working in Enthought/Canopy Python 2.7. I try to update python using brew but it doesn’t affect the Enthought/Canopy version of Python and I end up with python
    Enthought Canopy Python 2.7.11 | 64-bit | (default, Jun 11 2016, 03:41:56)
    [GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.57)] on darwin
    Type “help”, “copyright”, “credits” or “license” for more information.
    >>> import ssl
    >>> print ssl.OPENSSL_VERSION
    OpenSSL 0.9.8zh 14 Jan 2016

    This is preventing me from being able to download essential components of spiceypy

    Any suggestions?

  5. Python 3.6:
    My SSL problem got me here. Did not solve the entire problem.
    Just wanted to share the last piece of my solution, done after reinstalling python3 with the
    `brew install python3 --with-brewed-openssl`
    I ran the script at
    https://stackoverflow.com/questions/44649449/brew-installation-of-python-3-6-1-ssl-certificate-verify-failed-certificate/44649450#44649450?newreg=74068e4e59d34adbbeefc46bb386b2a8

    Seems brew does not include the `Install Certificates.command` to link OpenSSL with the keychain on OSX/MacOS. The script solves this.
