@suavesav
Last active August 25, 2022 14:48
Sav's adventures in SSL land

Started with me trying to resolve this error:

import requests
requests.get('https://www.salesforce.com')

SSLError('bad handshake', Error([('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')]

And I believe this is the cause as per https://github.com/superfell/Beatbox:

Note that if you're on OSX, it's bundled with an older version of openSSL than is required. If you see an error similar to ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure or UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https. you need to update your python and/or OpenSSL versions.

This issue persists inside and outside my virtual environment. In the terminal:

$ openssl version -v
OpenSSL 1.0.2g  1 Mar 2016

$ python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 0.9.8zh 14 Jan 2016

In a python terminal:

import ssl
ssl?

Type:        module
String form: <module 'ssl' from '/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.pyc'>
File:        /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py
Docstring:

Which is the ssl.py from the OSX default Python install. And in /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py:

import _ssl             # if we can't import it, let the error propagate
from _ssl import OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_INFO, OPENSSL_VERSION

I think my bug will be fixed if I can point ssl to OpenSSL 1.0.2 instead of 0.9.8 but I'm not sure where to make that change.

I posted this to StackOverflow: http://stackoverflow.com/questions/38406582/python-uses-wrong-openssl

And got redirected to this answer which I had not come across before: http://stackoverflow.com/a/27230127/3665478

$ brew unlink openssl
$ brew install openssl
$ brew link openssl --force

$ brew install python --with-brewed-openssl

$ sudo ln -s /usr/local/Cellar/python/2.7.12/bin/python /usr/local/bin/python

$ python --version
Python 2.7.12

$ openssl version -v
OpenSSL 1.0.2g  1 Mar 2016

$ python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 1.0.2g  1 Mar 2016

$ workon myvenv
(myvenv)$ python --version
Python 2.7.10

(myvenv)$ python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 0.9.8zh 14 Jan 2016

Great, now python is using the most up-to-date OpenSSL instead of the Mac standard.

But my virtualenv is still using the old python and the old ssl.

Solution? Make a new virtualenv that uses the newer python (you can also just have the old venv use the newer python build, but I wanted to start over).

$ mkvirtualenv -p /usr/local/bin/python cleanvenv
(cleanvenv)$ brew link openssl --force
(cleanvenv)$ pip install -r requirements.txt 
(cleanvenv)$ pip install -r requirements-debug.txt
(cleanvenv)$ python manage.py shell_plus
import requests
requests.get('https://www.salesforce.com')

<Response [200]>

Awesome right? Wrong.

(cleanvenv)$ python manage.py runserver_plus --cert=foo.cert
CommandError: Python OpenSSL Library is required to use runserver_plus with ssl support. Install via pip (pip install pyOpenSSL).

Why can't I run an ssl server locally? Oh, pyopenssl didn't get installed correctly. No big deal.

(cleanvenv)$ pip install pyopenssl
(cleanvenv)$ python manage.py shell_plus

You are linking against OpenSSL 0.9.8, which is no longer support by the OpenSSL project. You need to upgrade to a newer version of OpenSSL.

(cleanvenv)$ python manage.py runserver_plus --cert=foo.cert

You are linking against OpenSSL 0.9.8, which is no longer support by the OpenSSL project. You need to upgrade to a newer version of OpenSSL.

http://stackoverflow.com/questions/27499747/how-to-use-latest-openssl-library-with-pyopenssl

We need to recompile cryptography with the correct openssl.

How do we do that?

https://cryptography.io/en/latest/installation/

(cleanvenv)$ pip uninstall pyopenssl
(cleanvenv)$ pip uninstall cryptography
(cleanvenv)$ env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" pip install cryptography
(cleanvenv)$ pip install pyopenssl
(cleanvenv)$ python manage.py shell_plus

[python]$ import ssl
[python]$ ssl.OPENSSL_VERSION
OpenSSL 1.0.2g  1 Mar 2016
[python]$ import requests
[python]$ requests.get('https://www.salesforce.com')
<Response [200]>

(cleanvenv)$ python manage.py runserver_plus --cert=foo.cert
July 18, 2016 - 13:57:06
Django version 1.8.9, using settings 'cordata.settings'
Starting development server at https://127.0.0.1:8000/
Using SSL certificate: /Users/Sav/Envs/myvenv/lib/python2.7/site-packages/sslserver/certs/development.crt
Using SSL key: /Users/Sav/Envs/myvenv/lib/python2.7/site-packages/sslserver/certs/development.key
Quit the server with CONTROL-C.
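
A check for both stale links hit in this write-up (the stdlib ssl module and the separately compiled cryptography package that pyOpenSSL sits on), as an added example that is not part of the original gist. The function names are made up for illustration, and the sample report is constructed from the version strings shown above.

```python
import re
import ssl
import sys

# TLS 1.1 and 1.2 first shipped in OpenSSL 1.0.1; anything older cannot
# complete a handshake with a server that has disabled TLS 1.0.
MIN_OPENSSL = (1, 0, 1)


def parse_openssl_version(text):
    """Turn 'OpenSSL 0.9.8zh 14 Jan 2016' into the tuple (0, 9, 8)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in match.groups())


def linked_openssl_report():
    """Version text of the OpenSSL each TLS layer of this interpreter links to."""
    report = {"stdlib ssl": ssl.OPENSSL_VERSION}
    try:
        # pyOpenSSL sits on top of cryptography, which is compiled against
        # its own OpenSSL and can differ from the one the stdlib uses.
        from cryptography.hazmat.backends.openssl import backend
        report["cryptography"] = backend.openssl_version_text()
    except ImportError:
        report["cryptography"] = None  # not installed in this environment
    return report


def stale_layers(report):
    """Sorted names of layers whose OpenSSL is older than MIN_OPENSSL."""
    return sorted(
        name for name, text in report.items()
        if text is not None and parse_openssl_version(text) < MIN_OPENSSL
    )


# Constructed sample: cleanvenv before cryptography was rebuilt.
SAMPLE_REPORT = {
    "stdlib ssl": "OpenSSL 1.0.2g  1 Mar 2016",
    "cryptography": "OpenSSL 0.9.8zh 14 Jan 2016",
}

if __name__ == "__main__":
    print("interpreter: %s" % sys.executable)
    live = linked_openssl_report()
    for name in sorted(live):
        print("%-12s -> %s" % (name, live[name]))
    print("stale here: %s" % stale_layers(live))
    print("stale in sample: %s" % stale_layers(SAMPLE_REPORT))
```

Run it with the interpreter inside each virtualenv, since the system Python, the Homebrew Python and the venv above each reported a different OpenSSL.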

Sources:

devmodo commented Aug 25, 2022

I also had to run pip uninstall cffi after removing pyopenssl and cryptography. This is really great info and helped me solve my problem on a Windows 10 machine.
