[issue17128] OS X system openssl deprecated - installer should build local libssl

2018-04-15 Thread Ned Deily
Ned Deily added the comment: As of 2.7.15 (finally!) all current python.org macOS installers now provide their own copies of OpenSSL: 1.0.2x for 3.6.x and 2.7.15. 1.1.0x for the upcoming 3.7.0 release. Until a better solution for root certificates is implemented, all of the

[issue17128] OS X system openssl deprecated - installer should build local libssl

2018-04-14 Thread Ned Deily
Ned Deily added the comment: New changeset 93c91ac8f67ef0819ddacdcca12ef0ae88e5802e by Ned Deily in branch '2.7': [2.7] Fix errant NEWS item: bpo-19019 -> bpo-17128 (GH-6470) https://github.com/python/cpython/commit/93c91ac8f67ef0819ddacdcca12ef0ae88e5802e --

[issue17128] OS X system openssl deprecated - installer should build local libssl

2018-04-14 Thread Ned Deily
Change by Ned Deily: -- pull_requests: +6169 status: pending -> open

[issue17128] OS X system openssl deprecated - installer should build local libssl

2018-02-26 Thread Christian Heimes
Christian Heimes added the comment: Ned, is this issue still relevant? It targets 3.5 and hasn't seen much activity since 2016. -- status: open -> pending

[issue17128] OS X system openssl deprecated - installer should build local libssl

2018-01-11 Thread Cosimo Lupo
Cosimo Lupo added the comment: Hello, I see that the official Python.org OSX 10.6+ installers are still linking with OSX outdated OpenSSL (0.9.8zh 14 Jan 2016; I'm using macOS High Sierra 10.13.2). In the installer's README, they motivate this because: > Apple's 0.9.8

[issue17128] OS X system openssl deprecated - installer should build local libssl

2016-09-15 Thread Christian Heimes
Changes by Christian Heimes: -- components: +SSL

[issue17128] OS X system openssl deprecated - installer should build local libssl

2016-09-12 Thread Roundup Robot
Roundup Robot added the comment: New changeset bfd0a73cf907 by Ned Deily in branch 'default': Issue #17128: Build OS X installer for 3.6 with private copy of OpenSSL. https://hg.python.org/cpython/rev/bfd0a73cf907

[issue17128] OS X system openssl deprecated - installer should build local libssl

2016-07-05 Thread Brian Curtin
Changes by Brian Curtin: -- nosy: -brian.curtin

[issue17128] OS X system openssl deprecated - installer should build local libssl

2016-07-01 Thread Kevin Ollivier
Kevin Ollivier added the comment: The OpenSSL included with OS X, still at 0.9.8, has become very dated and a growing number of servers (including openssl.org) now fail the handshake because they no longer support any of the protocols and ciphers included with that build. It is reaching the

[issue17128] OS X system openssl deprecated - installer should build local libssl

2014-12-13 Thread Roundup Robot
Roundup Robot added the comment: New changeset 288b03b5c60d by Ned Deily in branch '3.4': Issue #17128: Use private version of OpenSSL for 3.x OS X 10.5+ installers. https://hg.python.org/cpython/rev/288b03b5c60d New changeset 1c249d0cab5d by Ned Deily in branch 'default': Issue #17128: Merge /

[issue17128] OS X system openssl deprecated - installer should build local libssl

2014-12-10 Thread Roundup Robot
Roundup Robot added the comment: New changeset 31f506f4e2d2 by Ned Deily in branch '2.7': Issue #17128: Use private version of OpenSSL for 2.7.9 OS X 10.5+ installer. https://hg.python.org/cpython/rev/31f506f4e2d2 -- nosy: +python-dev

[issue17128] OS X system openssl deprecated - installer should build local libssl

2014-12-10 Thread Roundup Robot
Roundup Robot added the comment: New changeset 2b5fa8651bd0 by Ned Deily in branch '2.7': Issue #17128: Use private version of OpenSSL for 2.7.9 OS X 10.5+ installer. https://hg.python.org/cpython/rev/2b5fa8651bd0

[issue17128] OS X system openssl deprecated - installer should build local libssl

2014-03-21 Thread Ronald Oussoren
Ronald Oussoren added the comment: The link below contains a script for building fat binaries for openssl. There's nothing surprising in the script, just building multiple times and then merging the result using lipo. https://gist.github.com/foozmeat/5154962 BTW. I'm not proposing to use

[issue17128] OS X system openssl deprecated - installer should build local libssl

2014-03-07 Thread Piotr Dobrogost
Changes by Piotr Dobrogost p...@bugs.python.dobrogost.net: -- nosy: +piotr.dobrogost

[issue17128] OS X system openssl deprecated - installer should build local libssl

2014-02-28 Thread Christian Heimes
Christian Heimes added the comment: Thanks to Hynek we were able to dig deeper into Apple's modifications. OpenSSL on OSX uses TEA (TrustEvaluationAgent) to verify cert chains. TEA is pretty much undocumented on the internet but perhaps we can use it to verify certs with OpenSSL 1.x, too?

[issue17128] OS X system openssl deprecated - installer should build local libssl

2014-02-28 Thread Ned Deily
Ned Deily added the comment: Crys, as Ronald noted above: Now that I look at that code again: we can't extract that code and use it to patch upstream OpenSSL, the TrustEvaluationAgent framework is a private framework and hence off limits. It doesn't seem like a good idea to be trying to base

[issue17128] OS X system openssl deprecated - installer should build local libssl

2014-02-28 Thread Ronald Oussoren
Ronald Oussoren added the comment: AFAIK OpenSSL has hooks that can be called when a certificate needs to be validated. If my memory is correct this could be used to validate certificates using a public API (basically doing the same as Apple's patch, but using public APIs for the system and

[issue17128] OS X system openssl deprecated - installer should build local libssl

2014-01-31 Thread Ned Deily
Ned Deily added the comment: Update: the MacPorts certsync daemon has matured and is now included as an optional MacPorts port. It's not a perfect solution as noted in the macports-devel thread: The only catch is that custom added certificates or trust anchors need to be in the system keychain

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-08-24 Thread Donald Stufft
Changes by Donald Stufft donald.stu...@gmail.com: -- nosy: +dstufft

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-07-21 Thread Mateusz Lenik
Mateusz Lenik added the comment: I finally managed to find some time to clean up the script I used to compile multiarch openssl. The diff is available at https://bitbucket.org/_mlen/cpython/commits/319f10362eb4b947b12750a6eb66fb622bbb0079 For 10.8 I had to comment out Tk related part and use

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-07-08 Thread Ronald Oussoren
Ronald Oussoren added the comment: The file is not even empty, it doesn't even exist in default installations. As Ned mentioned the CA roots on OSX are stored in a system database (the keychain). The situation is more or less the same as on Windows: there either needs to be code that queries the

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-07-08 Thread Christian Heimes
Christian Heimes added the comment: How about we include certsync [1] as an external program then? It's not as elegant as an internal API but it's not going to cause trouble with forking servers. The first time a root CA cert is required, some new code in Python's SSL module runs certsync and

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-07-08 Thread Mateusz Lenik
Mateusz Lenik added the comment: The other way to solve problem with CA certs may be this script[1] that can be used to generate pem files from mozilla CA cert bundle[2] during compilation or installation. [1]: http://curl.haxx.se/docs/caextract.html [2]:

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-07-08 Thread Christian Heimes
Christian Heimes added the comment: Mateusz, we would like to avoid that path and use the operating system's root CAs list when the OS provides one. It gives better user experience and the OS' root CA list gets updates through the OS.

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-07-07 Thread Mateusz Lenik
Mateusz Lenik added the comment: I managed to build Python with OpenSSL 1.0.1e on Mac OS 10.8.4 using build-installer.py script during Europython sprint. I'll attach patches in a few days, as I'll try to clean the code a bit. Currently the build works only for intel. Here is an example output:

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-07-07 Thread Christian Heimes
Christian Heimes added the comment: Can you please run the unit test to see if it actually works? arch -i386 python -m test -unetwork test_ssl That command runs the unit test suite and tries to connect to a couple of HTTPS servers, too. By the way do you know how well supported and up to

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-07-07 Thread Ned Deily
Ned Deily added the comment: Chrys, /System/Library/OpenSSL/certs/cert.pem is empty on current OS X systems. As mentioned above, cert management is handled through Apple APIs. See

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-05-14 Thread Ronald Oussoren
Ronald Oussoren added the comment: The RVM issue is wrong, ML still includes OpenSSL. Apple has deprecated the use of the system install of OpenSSL, but the library and include files are still there. There are two paths for avoiding the deprecated library: either ship your own build of

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-05-14 Thread Ronald Oussoren
Ronald Oussoren added the comment: The one difference between the system openssl and a separately compiled one is that the former can use the CA root from the KeyChain (and uses a private API to do that, as noted earlier). I just stumbled across a utility that can sync the KeyChain to an

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-05-12 Thread Stefan Drees
Changes by Stefan Drees ste...@drees.name: -- nosy: +dilettant

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-03-04 Thread Senthil Kumaran
Senthil Kumaran added the comment: Ronald: Sorry for the delay in response. I was referring to this: https://github.com/capistrano/capistrano/issues/250#issuecomment-8055991 Mountain Lion no longer includes OpenSSL as it uses a different SSL implementation. So, you need to have RVM install

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-10 Thread Senthil Kumaran
Senthil Kumaran added the comment: It should be noted that latest OSX Mountain Lion has caused problems for other language libraries too (specifically ruby, which I use at work). Easing the support of correct openssl in OSX may help a long way in all versions of python. -- nosy:

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-10 Thread Ronald Oussoren
Ronald Oussoren added the comment: What other problems? Do you have more information on that?

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-08 Thread Ned Deily
Ned Deily added the comment: After spending some time on this, I'm downgrading this from release blocker status. First, no one has yet identified any immediate need for openssl 1.0.x features to support possible PyPI enhancements, which was my original concern. Second, since the openssl

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-08 Thread Ronald Oussoren
Ronald Oussoren added the comment: See also: issue 15740 A version of OpenSSL as included in some versions of OSX can be downloaded from http://opensource.apple.com/tarballs/OpenSSL098/, as mentioned in issue 15740 the versions as included in the most recent OS updates don't seem to be

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-05 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- nosy: +christian.heimes

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-05 Thread Christian Heimes
Christian Heimes added the comment: On Windows urllib.request.urlopen("http://www.google.com", cadefault=True) fails with certificate verify failed. (tested with Python 3.3 64bit)

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-05 Thread Ronald Oussoren
Ronald Oussoren added the comment: It doesn't raise an exception on OSX (close to the tip of the default branch), both for http://www.google.com/ and https://www.google.com/

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-04 Thread Ned Deily
New submission from Ned Deily: Apple has deprecated use of openssl in OS X due to its unstable API between versions: If your app depends on OpenSSL, you should compile OpenSSL yourself and statically link a known version of OpenSSL into your app

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-04 Thread Ed Campbell
Changes by Ed Campbell drescampb...@gmail.com: -- nosy: +esc24

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-04 Thread Benjamin Peterson
Benjamin Peterson added the comment: As you are the MacOSX expert, I'm going to defer to your judgement (and/or Ronald's). I don't think the release will be for several days at least, so you should have time to test.

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-04 Thread Ronald Oussoren
Ronald Oussoren added the comment: I'm not sure if it is worthwhile to switch right now. Apple does deprecate the use of OpenSSL, but their version does offer a feature that's not in the default tree: it verifies SSL certificates against the CA list in the system keychain. This means

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-04 Thread Ned Deily
Ned Deily added the comment: Yes, as we've discussed, using the Apple Crypto APIs would be nice longer-term assuming the compatibility issues can be managed: the set of available APIs appear to have been evolving over the past several OS X releases. But moving away from openssl seems out of

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-04 Thread Éric Araujo
Éric Araujo added the comment: Using the CA bundle from the OS sounds great, not only for Macs :) -- nosy: +eric.araujo, pitrou

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-04 Thread Ned Deily
Ned Deily added the comment: Somewhat coincidentally, Issue17129 addresses the topic of certificate management across multiple platforms.

[issue17128] OS X system openssl deprecated - installer should build local libssl

2013-02-04 Thread Ronald Oussoren
Ronald Oussoren added the comment: Replacing openssl by the supported crypto APIs is something for 3.4 or even 3.5. There is a way to keep the current functionality while still shipping a build of openssl: apply the patch that implements the feature to the upstream version when building it