Author clupo
Recipients Kevin Ollivier, benjamin.peterson, christian.heimes, clupo, dilettant, dstufft, eric.araujo, esc24, georg.brandl, larry, loewis, mlen, ned.deily, orsenthil, piotr.dobrogost, pitrou, python-dev, ronaldoussoren
Date 2018-01-11.11:14:27
Message-id <1515669267.68.0.467229070634.issue17128@psf.upfronthosting.co.za>
In-reply-to
Content
Hello,

I see that the official Python.org OSX 10.6+ installers are still linking with OSX's outdated OpenSSL (0.9.8zh 14 Jan 2016; I'm using macOS High Sierra 10.13.2).

In the installer's README, they motivate this because:

> Apple's 0.9.8 version includes an important additional feature: if a certificate cannot be verified using the manually administered certificates in /System/Library/OpenSSL, the certificates managed by the system security framework in the user and system keychains are also consulted (using Apple private APIs)

However, because of this outdated OpenSSL version, I cannot use pip to install from the TestPyPI server https://test.pypi.org.

When I try (even with --trusted-host) I get this error:

```
$ pip install --trusted-host --index-url https://test.pypi.org/simple afdko
Collecting https://test.pypi.org/simple
Exception:
Traceback (most recent call last):
...
SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:661)
```

A similar issue on the pypa/pip repository was closed as

> There's no actionable item here. People with old versions of openssl that don't support sha1 SSL certificates need to upgrade or else they are insecure. If they wish to be insecure they can continue using pip 1.2

https://github.com/pypa/pip/issues/829#issuecomment-20931050

~~~

Well, I find it particularly odd that the official binary distribution for the latest Python 2.7.14 has a broken (or insecure) _ssl module, even when running the latest macOS version.

Of course, using pyenv or homebrew fixes the problem (as they require and link with the latest openssl 1.0.2), but I would like to recommend installing python from the official binaries to my less technically-skilled colleagues.

Please consider embedding the latest openssl on the 10.6+ installers like you already do on 10.5 32bit ones and the Windows ones, thank you.

Cosimo Lupo
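
A check for the condition described in this message, as an added example that is not part of the original post or of CPython: it reads the OpenSSL build the interpreter's `_ssl` module is linked against and reports whether that build can negotiate TLS 1.2. It assumes the server refuses anything older than TLS 1.2, which matches the `TLSV1_ALERT_PROTOCOL_VERSION` alert above; the function names are hypothetical.

```python
import re
import ssl

# TLS 1.1 and 1.2 first shipped in OpenSSL 1.0.1; 0.9.8 and 1.0.0 stop at TLS 1.0.
FIRST_TLS12_OPENSSL = (1, 0, 1)

_BANNER = re.compile(r"(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def parse_banner(banner):
    """Split 'OpenSSL 0.9.8zh 14 Jan 2016' into (library, (major, minor, fix))."""
    m = _BANNER.match(banner)
    if m is None:
        raise ValueError("unrecognised TLS library banner: %r" % banner)
    return m.group(1), tuple(int(n) for n in m.group(2, 3, 4))


def supports_tls12(banner):
    """True if the library named in the banner can negotiate TLS 1.2."""
    library, version = parse_banner(banner)
    if library == "LibreSSL":
        # LibreSSL was forked from OpenSSL 1.0.1g, so every release has TLS 1.2.
        return True
    return version >= FIRST_TLS12_OPENSSL


def diagnose(banner=None):
    """Return (ok, message) for a supplied banner, or for this interpreter if None."""
    linked = banner is None
    banner = ssl.OPENSSL_VERSION if linked else banner
    ok = supports_tls12(banner)
    if linked:
        # Cross-check against what the ssl module itself exposes.
        ok = ok and bool(getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2")))
    verdict = ("can negotiate TLS 1.2" if ok
               else "cannot negotiate TLS 1.2; expect protocol-version alerts")
    return ok, "%s: %s" % (banner, verdict)


if __name__ == "__main__":
    # Constructed sample: the version quoted in the message, then the running interpreter.
    print(diagnose("OpenSSL 0.9.8zh 14 Jan 2016")[1])
    print(diagnose()[1])
```
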
History
Date User Action Args
2018-01-11 11:14:27 clupo set recipients: + clupo, loewis, georg.brandl, ronaldoussoren, orsenthil, pitrou, larry, christian.heimes, benjamin.peterson, ned.deily, eric.araujo, python-dev, piotr.dobrogost, esc24, dilettant, dstufft, mlen, Kevin Ollivier
2018-01-11 11:14:27 clupo set messageid: <1515669267.68.0.467229070634.issue17128@psf.upfronthosting.co.za>
2018-01-11 11:14:27 clupo link issue17128 messages
2018-01-11 11:14:27 clupo create