Python referencing old SSL version

I have a Dropbox upload script on an old nas box I have, recently I've been getting the following error

SSL certificate error: [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm

I think this is due to openssl being out of date on the box

So I download openssl, built it from source and installed it, now when I run the following it appears to be updated correctly.

openssl version
OpenSSL 1.0.1h 5 Jun 2014

But it would appear Python is still referencing an old version, how would I update this?

python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 0.9.7m 23 Feb 2007

Solution 1:

Got this working after several days. MAC OS X El Captian or greater

 sudo rm -rf /Library/Frameworks/Python.framework/Versions/2.7
 sudo rm -rf "/Applications/Python 2.7"
 cd /usr/local/bin/
 ls -l /usr/local/bin | grep '../Library/Frameworks/Python.framework/Versions/2.7' | awk '{print $9}' | tr -d @ | xargs rm
 brew uninstall python
 brew uninstall openssl
 brew link --force openssl

Now install python and openssl again using brew.

 brew install openssl
 brew install python --with-brewed-openssl

Add the following to the PATH in ~/.bash_profile on your MAC

 vi ~/.bash_profile
 export PATH=/usr/local/opt/openssl/bin:/usr/local/opt/python/libexec/bin:$PATH

restart the terminal

 python --version (verify if it is picking up the right version)
 openssl version -a (verify if it is picking up the right version)
 python -c "import ssl; print ssl.OPENSSL_VERSION"

(note: if you installed Python3, you'll have to update the print syntax in the inline compiler step)

python -c "import ssl; print(ssl.OPENSSL_VERSION)"

should give you the latest version OPEN SSL version

Solution 2:

2018 on MacOS
I tried with the other answers without success:

  • The --with-brewed-openssl option gives Warning: python: this formula has no --with-brewed-openssl option so it will be ignored!
  • and the command brew link openssl --force gives Warning: Refusing to link: openssl

I got it working with

brew install openssl
brew install python@2

Then

openssl version

and

python -c "import ssl; print ssl.OPENSSL_VERSION"

gave me the same OpenSSL version.

Solution 3:

Please refer to http://rkulla.blogspot.kr/2014/03/the-path-to-homebrew.html.

I got the same issue like you, and so I have searched several answers but it didn't help me.

  1. Updating openssl in python 2.7
  2. Update OpenSSL on OS X with Homebrew
  3. https://apple.stackexchange.com/questions/126830/how-to-upgrade-openssl-in-os-x

After upgrading openssl to 1.0.1j by homebrew on MAC, but system python still referred to old version 0.9.8. It turned out the python referred to openssl. So I have installed new python with brewed openssl and finished this issue on Mac, not yet Ubuntu.

On Mac OS X version 10.10 and system python version 2.7.6, my procedure is as follows.

  1. $ brew update
  2. $ brew install openssl. Then you can see openssl version 1.0.1j.
  3. $ brew link openssl --force
  4. $ brew install python --with-brewed-openssl. You have to install new python with brewed openssl. Then, you can see /usr/local/Cellar/python/2.7.8_2/bin/python.
  5. $ sudo ln -s /usr/local/Cellar/python/2.7.8_2/bin/python /usr/local/bin/python. Of course, /usr/local/* should be owned by $USER, not root, which is told by Ryan, but I used 'sudo'. And, before this instruction, I didn't have /usr/local/bin/python. After this instruction, you can use python version 2.7.8 not 2.7.6.

Finally, you can see as belows;

$ python --version

Python 2.7.8

$ python -c "import ssl; print ssl.OPENSSL_VERSION"

OpenSSL 1.0.1j 15 Oct 2014

Till now, I'm working on it on Ubuntu 12.04. If I have a solution for Ubuntu 12.04, then I will update my answer. I hope this procedure help you.

Solution 4:

I found I had to change the PATH to use the system (upgraded) SSL:

$ pip install --editable .

Obtaining file:///Users/jhlynch/Projects/flaskr
Collecting flask (from flaskr==0.0.0)
  Could not fetch URL https://pypi.python.org/simple/flask/: There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:661) - skipping
  Could not find a version that satisfies the requirement flask (from flaskr==0.0.0) (from versions: )
No matching distribution found for flask (from flaskr==0.0.0)

$ python -c "import ssl; print(ssl.OPENSSL_VERSION)"

OpenSSL 0.9.8zh 14 Jan 2016                      <<< note older version


$ echo $PATH
/Library/Frameworks/Python.framework/Versions/2.7/bin:/Library/Frameworks/Python.framework/Versions/3.6/bin:/Users/jhlynch/.nix-profile/bin:/Users/jhlynch/.nix-profile/sbin:/Users/jhlynch/.nix-profile/lib/kde4/libexec:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/nix/var/nix/profiles/default/lib/kde4/libexec:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

$ PATH="/usr/local/bin:/usr/local/sbin:${PATH}"

$ export PATH

$ python -c "import ssl; print(ssl.OPENSSL_VERSION)"

OpenSSL 1.0.2o  27 Mar 2018                       <<< note newer version

$ pip install --editable .

Obtaining file:///Users/jhlynch/Projects/flaskr
Collecting flask (from flaskr==0.0.0)
  Downloading https://files.pythonhosted.org/packages/77/32/e3597cb19ffffe724ad4bf0beca4153419918e7fa4ba6a34b04ee4da3371/Flask-0.12.2-py2.py3-none-any.whl (83kB)
...                <<< works this time!