Mar 20, 2016

Hello World!

It’s been a while since my last post, so I’ve decided to make a magnificent one 🙂

Jokes aside, this setup took me a full Sunday, so I thought I’d write it up for future reference.

The whole story started with a Python script on my Mac OS X being unable to retrieve a JSON response from a specific https site, whereas the exact same script ran like a champ on Kali Linux.

And to make things even more complicated, the same URL was working fine using cURL or wget on OS X!

Comparing the two network packet captures, I found that the issue was in the Client Hello part of the SSL handshake: the Python script was proposing TLSv1.0 for the encrypted session, which the server refused to accept. The commands and scripts that worked correctly were all using TLSv1.2.
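To show what that packet-capture comparison boils down to, here is an added example (not code from the original post) that parses the first TLS record of a ClientHello and reports the highest protocol version the client is offering, then says whether a server that insists on TLSv1.2 would accept it. The two fixtures are constructed in the block itself (a TLSv1.0 hello without extensions standing in for the old Python, a modern hello carrying the supported_versions extension standing in for cURL); they are not bytes from the author's captures.

```python
import struct

# TLS wire versions as they appear in the record header, the handshake
# client_version field and the supported_versions extension.
TLS_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}
SUPPORTED_VERSIONS_EXT = 0x002B  # extension type defined in RFC 8446


def build_client_hello(client_version, suites, supported_versions=None,
                       record_version=(3, 1)):
    """Construct a minimal ClientHello record (a constructed fixture, not a capture)."""
    body = bytes(client_version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if supported_versions is not None:
        vs = b"".join(bytes(v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 1 + len(vs)) + bytes([len(vs)]) + vs
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello and return the fields that
    decide which protocol version the client is offering."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = (hello[0], hello[1])
    pos = 2 + 32                       # skip client_version and the 32-byte random
    pos += 1 + hello[pos]              # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # skip compression methods
    supported = None
    if pos + 2 <= len(hello):          # extensions are optional; old clients send none
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = data[0]
                supported = [(data[1 + i], data[2 + i]) for i in range(0, n, 2)]
    return {
        "record_version": (record[1], record[2]),
        "client_version": client_version,
        "cipher_suites": suites,
        "supported_versions": supported,
    }


def diagnose(record, server_minimum=(3, 3)):
    """Report the highest version the client offers and whether a server that
    insists on server_minimum (TLSv1.2 by default) would accept the handshake."""
    info = parse_client_hello(record)
    # TLS 1.3 clients pin client_version to 3.3 and list the real versions in the extension.
    offered = info["supported_versions"] or [info["client_version"]]
    top = max(offered)
    return {"highest": TLS_VERSIONS.get(top, "unknown"), "meets_minimum": top >= server_minimum}


if __name__ == "__main__":
    # Constructed fixtures standing in for the two captures compared in the post.
    legacy = build_client_hello((3, 1), [0x002F, 0x0035])  # TLSv1.0, no extensions
    modern = build_client_hello((3, 3), [0x1301, 0xC02F], supported_versions=[(3, 4), (3, 3)])
    for name, rec in (("legacy", legacy), ("modern", modern)):
        print(name, diagnose(rec))
```

Run it and the legacy hello comes back as "TLSv1.0" with meets_minimum False, which is exactly the mismatch the capture showed: the server never gets an acceptable version to pick, so the handshake fails before any HTTP is exchanged. On a real capture you would feed parse_client_hello the TCP payload of the first client packet after the three-way handshake.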

This led me to discover that OS X El Capitan ships by default with an old (and vulnerable) version of OpenSSL, 0.9.8zg, which does not support the TLSv1.2 I needed. Consequently, the Python 2.7.10 bundled with El Capitan also had issues with TLS, since its pyOpenSSL module was linked against that OpenSSL version.

To upgrade, I did the following:

  • Upgrade OpenSSL
    Not that easy, since you first have to install the latest OpenSSL via brew (this is the easy part: brew update and brew install openssl).
    But then you need to rename the system openssl (/usr/bin/openssl) to something else and sudo ln -s <your brew openssl executable> /usr/bin/openssl
    Before you can do that, you need to reboot your Mac in Recovery Mode (CMD+R when you hear the chime at boot), select Terminal from the Utilities menu and type csrutil disable. This command disables System Integrity Protection and lowers your system’s security level until you reverse the change.
    Also type the command reboot to restart your machine, open a Terminal and proceed with the linking described above.
    Reboot again into Recovery Mode and re-enable System Integrity Protection with the command:
    csrutil enable
  • Upgrade Python to 2.7.11
    This is trivial: just grab your version here and install from the DMG image.
  • Upgrade the pyOpenSSL module to one linked with TLSv1.2 support
    It took me a while to find the right command, since you need to issue it with the proper user indication (note the double hyphens, which WordPress tends to turn into dashes):
    pip install --upgrade --user pyopenssl==0.15.1

That should give you an OS X environment fully enabled with an upgraded OpenSSL (at the time of writing mine is 1.0.2g) and a Python environment correctly supporting TLSv1.2.
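Before trusting the upgraded environment, it is worth checking from inside the interpreter which OpenSSL its ssl module is actually linked against, and then pinning the client so that it can never fall back to TLSv1.0 again. The following is an added example, not code from the post; it uses the Python 3.7+ ssl API (ssl.TLSVersion and minimum_version), which the Python 2.7 of the post does not have, and the 0.9.8 version tuple is a constructed stand-in for what the stock El Capitan build reports.

```python
import ssl

# Constructed stand-in for the version tuple an interpreter linked against the
# El Capitan OpenSSL 0.9.8 reports; ssl.OPENSSL_VERSION_INFO is
# (major, minor, fix, patch, status) and only the first three fields matter here.
EL_CAPITAN_OPENSSL_VERSION_INFO = (0, 9, 8, 0, 15)


def openssl_supports_tls12(version_info):
    """TLSv1.2 was introduced in OpenSSL 1.0.1; anything older cannot negotiate it.
    LibreSSL reports a 2.x major version and is accepted by the same comparison."""
    return tuple(version_info[:3]) >= (1, 0, 1)


def interpreter_tls12_report():
    """Describe the OpenSSL this interpreter's ssl module is linked against and
    whether TLSv1.2 is usable from it."""
    info = ssl.OPENSSL_VERSION_INFO
    # ssl.HAS_TLSv1_2 exists from Python 3.7; older versions only expose the protocol constant.
    has_flag = getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2"))
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "version_info": info,
        "tls12": bool(has_flag) and openssl_supports_tls12(info),
    }


def make_tls12_context():
    """Client context that refuses anything below TLSv1.2, so a downgrade fails
    loudly at handshake time instead of silently negotiating TLSv1.0.
    create_default_context() keeps certificate verification and hostname checks on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print(interpreter_tls12_report())
    print("stock El Capitan OpenSSL supports TLSv1.2:",
          openssl_supports_tls12(EL_CAPITAN_OPENSSL_VERSION_INFO))
    print("pinned minimum:", make_tls12_context().minimum_version)
```

If the report shows "tls12": False you are still running against the system OpenSSL (or a Python built against it), and no amount of pip upgrading will fix the handshake; the link step from the list above is what has to change.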

Happy encryption!

  3 Responses to “Python 2.7.11 on El Capitan with TLS 1.2 support”

  1. Awesome! Thanks Simon!!!

  2. MacPorts can be installed without disabling SIP. You need to install Xcode (a free Developer account is all you need) to use MacPorts.

    $ port installed python27 openssl # (as of 24 Dec., 2016)
    The following ports are currently installed:
    openssl @1.0.2j_0 (active)
    python27 @2.7.13_0 (active)
