ssl error with the python mac binary

Paul Wiseman poalman at gmail.com
Wed Nov 12 05:10:23 EST 2014


On 10 November 2014 22:51, Ned Deily <nad at acm.org> wrote:
> In article
> <CACgdh2iG9+cLjj7mZ7qeALQd==pCRknnv8i_EeRj6AHjvg3cRQ at mail.gmail.com>,
>  Paul Wiseman <poalman at gmail.com> wrote:
>> I've been using the latest mac ppc/i386 binaries from python.org
>> (https://www.python.org/ftp/python/2.7.8/python-2.7.8-macosx10.5.dmg).
>> From what I can tell this version is linked against a pretty old
>> version of OpenSSL (OpenSSL 0.9.7l 28 Sep 2006) which doesn't seem to
>> be able to handle new sha-256 certificates.
>>
>> For example I'm unable to use pip (I guess the certificate was updated
>> recently)
>
> Yes, the current python.org certificate does seem to cause problems for
> that version of OpenSSL, unfortunately.
>
>> Am I right in thinking this is an issue with the build of python
>> itself? Is there a way I can upgrade the version of OpenSSL linked
>> with python- or force the python build to look elsewhere for the
>> library? Or will I have to build my own from source?
>
> In the Pythons from the python.org OS X installers, the Python _ssl and
> _hashlib extension modules are dynamically linked with the
> system-supplied OpenSSL libraries.  If actually running on OS X 10.5,
> one would have to rebuild _ssl.so and _hashlib.so, linking them with a
> locally-supplied version of a newer OpenSSL, since different versions of
> OpenSSL are not ABI-compatible, e.g. 0.9.7 vs 0.9.8 vs 1.0.1.  If
> running on OS X 10.6 or later, another option might be to install from
> the 64-bit/32-bit installer which is a good idea to do anyway.

I'm currently using the installer with py2app to make a distributable
app that targets 10.5+ (including ppc). To save having more than one
build I use this for all downloads. Although I'm starting to consider
making a second 32/64 distributable. Are there many major drawbacks
for distributing this i386/ppc binary for all versions of OSX up to 10.9
and 10.10?

> For pip
> usage, a workaround would be to manually download distributions from
> PyPI (or elsewhere) using a web browser and then use pip to install from
> the downloaded file.   The next version of pip is expected to have a
> --no-check-certificate option that bypasses the certificate check at the
> cost of reduced security.

Unfortunately the app is contacting a service which I'm unable to
contact via plain http, which also happens to have the same type of
certificate resulting in the same ssl error. (I have been going
directly to pypi though :)

> For the upcoming Python 2.7.9 release
> (planned for early December), I intend to have the Pythons in the
> python.org OS X installers use their own versions of OpenSSL and thus no
> longer depend on the now-deprecated system OpenSSL.
>

That's great news! Thanks for this! I've always found building things
on mac a huge pain and wasn't much looking forward to the prospect of
trying to build a 32/ppc python build on a 64 bit 10.10 machine (would
that even be possible?).

> --
>  Ned Deily,
>  nad at acm.org
>
> --
> https://mail.python.org/mailman/listinfo/python-list
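
The thread turns on which OpenSSL the interpreter's `_ssl` module is linked against. The following is an added example, not code from either poster or from python.org: it parses a banner such as the `OpenSSL 0.9.7l 28 Sep 2006` string quoted above and compares it with a minimum. The function names and the `1.0.1` threshold are assumptions chosen for illustration.

```python
import re
import ssl

# Matches banners such as "OpenSSL 0.9.7l 28 Sep 2006" or a bare "1.0.1".
_BANNER = re.compile(r"^(?:([A-Za-z]+)\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(text):
    """Split a version banner into (library, (major, minor, fix), patch_letters)."""
    m = _BANNER.match(text.strip())
    if m is None:
        raise ValueError("unrecognised version string: %r" % (text,))
    lib, major, minor, fix, letters = m.groups()
    return lib or "OpenSSL", (int(major), int(minor), int(fix)), letters


def sort_key(text):
    """Orderable key; patch letters sort '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    _, numbers, letters = parse_banner(text)
    return numbers + (len(letters), letters)


def same_series(a, b):
    """True when both share major.minor.fix (0.9.7 vs 0.9.8 vs 1.0.1 in the post)."""
    return parse_banner(a)[1] == parse_banner(b)[1]


def check_linked(minimum, linked=None):
    """Compare the OpenSSL this interpreter's ssl module uses with `minimum`."""
    linked = linked or ssl.OPENSSL_VERSION
    lib = parse_banner(linked)[0]
    return {
        "linked": linked,
        "library": lib,
        # Forks such as LibreSSL number releases differently: no verdict.
        "too_old": sort_key(linked) < sort_key(minimum) if lib == "OpenSSL" else None,
        "same_series": same_series(linked, minimum),
    }


if __name__ == "__main__":
    # Constructed threshold for illustration; pick the minimum your service needs.
    print(check_linked("OpenSSL 1.0.1"))
    # The banner quoted in the post, checked against the same threshold.
    print(check_linked("OpenSSL 1.0.1", "OpenSSL 0.9.7l 28 Sep 2006"))
```

Running it inside a py2app bundle on each target OS X release shows which OpenSSL the shipped interpreter actually loads there.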


