Time to Upgrade Your Python: TLS v1.2 Will Soon Be Mandatory

Test procedure that doesn&#x27;t require 3rd-party libs:<p>* For Python 2:<p><pre><code> $ python -c &quot;import json, urllib2; print json.load(urllib2.urlopen(&#x27;https:&#x2F;&#x2F;www.howsmyssl.com&#x2F;a&#x2F;check&#x27;))[&#x27;tls_version&#x27;]&quot; </code></pre> * For Python 3:<p><pre><code> $ python3 -c &quot;import json, urllib.request; print(json.loads(urllib.request.urlopen(&#x27;https:&#x2F;&#x2F;www.howsmyssl.com&#x2F;a&#x2F;check&#x27;).read().decode(&#x27;UTF-8&#x27;))[&#x27;tls_version&#x27;])&quot;</code></pre>

Over the past two years I&#x27;ve been working on a cross-platform crypto library for Python. One of the aspects of it is that it doesn&#x27;t require a compiler (it uses ctypes or cffi), and works with the cryptography libraries shipped via your OS.<p>Part of this library is a TLS implementation that uses SecureTransport on OS X. If someone is inclined to get requests (and pip, etc) running on the system Python on OS X, it should be possible with the guidance outlined at <a href="https:&#x2F;&#x2F;github.com&#x2F;wbond&#x2F;oscrypto&#x2F;issues&#x2F;10" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;wbond&#x2F;oscrypto&#x2F;issues&#x2F;10</a>. Unfortunately, it isn&#x27;t something I have time to work on right now.

I like better security but let&#x27;s be honest it&#x27;s a smokescreen. Python can migrate to a non-PCI CDN if _really_ needed. It is more an excuse (and a good one, I like how it sounds if I will have to tell it to my boss – we use Python 3 anyway, so it&#x27;s unlikely).<p>I was also surprised not to find this on the page. As I understand, it will vary not only across Python versions but also on systems where it&#x27;s installed. A lot of fun is about to come, I think (especially from RHEL 6 where people are stuck with Python 2.6).

The most interesting bit about this is the mention that PCI compliance now requires this. As much as PCI seems like security theater, that change in particular may help move people forward.

On macOS, Homebrew&#x27;s Python links against it&#x27;s own openssl which is currently @1.1, so that is the easiest way to avoid this problem (unless one is a homebrew hater).

I am running a Python 2.7.13 installed with official Python installer on macOS Sierra (10.12.3). Besides the built-in openssl (0.9.8zh) which came along with the macOS (&#x2F;usr&#x2F;bin&#x2F;openssl), I have a newer version (1.0.2j) installed with macports (&#x2F;opt&#x2F;local&#x2F;bin&#x2F;openssl).<p>However, even though I have configured my path variables that it will use the macports openssl-files, the Python installer seems to link by default to the &#x2F;usr&#x2F;... openssl-files.<p>I&#x27;ve tried quite a bit re-installing Python (with the installer and building it from source; the latter failed with some obscure error I wasn&#x27;t able to resolve), so I was wondering whether there are any better options. Upgrading via homebrew seems simple enough, but due to using macports, I&#x27;d rather not use homebrew. Furthermore, I am a bit reluctant to use the macports-python, but might do that if you were to suggest me that this is the only viable solution.<p>I&#x27;d be happy to hear your suggestions on this!

There is so much legacy code written in Python 2 that I can&#x27;t imagine someone isn&#x27;t going to have a large enough need that they will backport TLS support. Am I missing something on why that wouldn&#x27;t work?

the article points to <a href="http:&#x2F;&#x2F;docs.python-guide.org&#x2F;en&#x2F;latest&#x2F;starting&#x2F;install&#x2F;osx&#x2F;" rel="nofollow">http:&#x2F;&#x2F;docs.python-guide.org&#x2F;en&#x2F;latest&#x2F;starting&#x2F;install&#x2F;osx&#x2F;</a> which tells you to &quot;You do not need to install or configure anything else to use Python.&quot; However, it suggest to install python via homebrew. Just for reference, if you install it with `brew install python` then you may also need to do a `brew link --overwrite python` then it works.

Be nice if pypi stopped using MD5 for integrity checking as well.

what is the minimum version then? 2.7.x &lt;- what x?

I&#x27;m getting TLS 1.2 using anaconda on the latest update of Mac Sierra (10.12.3). The openssl is one installed by the conda command of anaconda, openssl version: 1.0.2j-0<p>I also have homebrew on the system, but not used in this case. Is there any reason not to use anaconda on Mac?