[Python-Dev] dynamic linking, libssl.1.0.0.dylib, libcrypto.1.0.0.dylib and Mac OS X

Cory Benfield cory at lukasa.co.uk
Thu Dec 24 11:27:43 EST 2015


> On 24 Dec 2015, at 14:40, Chris Withers <chris at simplistix.co.uk> wrote:
> Hi Cory,
> 
> I'm not sure, _ssl included in a Python distribution works and does the right thing, it's third-party packages built on the machines that appear to have the problem.
> 
> How does Python itself "get it right" and how could psycopg2 and cryptography mirror that?
> 
> This feels like a dynamic linking problem rather than something ssl-specific.

Chris,

Nope, it’s SSL-specific.

OS X El Capitan ships a version of OpenSSL (specifically, OpenSSL 0.9.8zg). The library for this is where you’d expect to find it (/usr/lib/libssl.dylib): however, it ships without header files (that is, there is no /usr/include/ssl directory).

Python distributions from python.org get around this problem by compiling and linking against, and including in the distribution, their own copy of libssl. This in principle works fine.

Cryptography ordinarily does this too. If you use a remotely modern pip, ‘pip install cryptography’ on OS X will install a Python wheel. The wheel is a binary distribution, and it too includes a compiled copy of libssl. For this reason, I’d argue that cryptography *does* get it right, in the mainline case: a modern Python installation should get a perfectly functional copy of cryptography without requiring a compiler or encountering any problems like the one you’re discussing.

The situations where it can go wrong are where cryptography is installed as a source distribution. This will require compilation on install, and here things start to get really tricky. The basic upshot of it, though, is that the OpenSSL shipped with OS X itself is simply not supported by cryptography: it’s ancient, and Apple doesn’t want people to use it, as shown by the fact that they don’t ship development headers for it.

If you insist on installing cryptography from source, you’ll need to follow their installation instructions to do that: https://cryptography.io/en/latest/installation/#building-cryptography-on-os-x

The TL;DR is: for cryptography on OS X, you either need a modern enough Python to support wheels, or you need to provide your own OpenSSL.

Cory
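
An added example, not part of the original message or of the cryptography project: one way to audit which libssl/libcrypto a compiled extension module is linked against, by parsing `otool -L` output and separating Apple's copy under /usr/lib from a copy shipped alongside the module. The sample output, the module path and the category names are constructed for illustration.

```python
import re

# Constructed sample of `otool -L` output for a compiled extension module.
SAMPLE_OTOOL = """\
/tmp/example/_openssl.so:
\t/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
\tlibcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t@loader_path/.dylibs/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
"""

# One dependency line: leading whitespace, install name, then the version pair.
ENTRY = re.compile(
    r"^\s+(?P<path>\S.*?) \(compatibility version [\d.]+, current version [\d.]+\)$"
)
# libssl / libcrypto file names, with an optional version component.
OPENSSL_LIB = re.compile(r"^lib(?:ssl|crypto)(?:\.(?P<ver>\d+(?:\.\d+)*))?\.dylib$")


def classify(install_name):
    """Label where the dynamic loader will look for this library."""
    if install_name.startswith("/usr/lib/"):
        return "system"            # the OS-provided copy the message warns about
    if install_name.startswith(("@rpath/", "@loader_path/", "@executable_path/")):
        return "loader-relative"   # shipped next to the binary, as in a wheel
    if install_name.startswith("/"):
        return "absolute"          # a user-provided build at a fixed path
    return "bare"                  # no directory: depends on dyld search paths


def openssl_links(otool_output):
    """Return (install_name, version_or_None, origin) for each OpenSSL library."""
    found = []
    for line in otool_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue               # header line naming the inspected file
        path = m.group("path")
        lib = OPENSSL_LIB.match(path.rsplit("/", 1)[-1])
        if lib:
            found.append((path, lib.group("ver"), classify(path)))
    return found


if __name__ == "__main__":
    for path, ver, origin in openssl_links(SAMPLE_OTOOL):
        print(f"{origin:16} {ver or 'unversioned':12} {path}")
```
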