Unable to get TLS 1.2 working on Mac OS

[NP]

1) I'm running Google App Engine SDK on Mac OS X El Capitan. I have Python 2.7.13

2) While trying to test my app with Stripe, I get the following error

     Request req_ApPsfecKnLFJxb: Stripe no longer supports API requests made with TLS 1.0. Please initiate HTTPS connections with TLS 1.2 or later. You can learn more about this        at https://stripe.com/blog/upgrading-tls.

3) I did some Googling and based on what I found, I did the following

•  Used brew to upgrade my OpenSSL
  
• Confirmed that when I do 'which openssl', I get
  

     /usr/local/opt/openssl/bin/openssl

     and when I do 'openssl version', I get

    OpenSSL 1.0.2l

• If I do
  

           >>> import ssl

          >>> ssl.OPENSSL_VERSION, I get

          >>> 'OpenSSL 1.0.2l 23 May 2017'

But I still get the error from Stripe about not using TLS 1.2.

I found this SO question but it didn't solve my problem. I also found this Google Group Discussion and after running the steps in #5, it shows app engine is still pointing to the old version of OPENSSL because the output shows 'OpenSSL 0.9.8zh 14 Jan 2016'

4) Based on the earlier referenced Google Group Discussion, I ran the following code in both GAE Dev and directly in my python intepreter

    import ssl 

    print ssl.__file__ 

GAE DEV: /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.pyc

Python Interpreter: /usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.pyc

They're pointing to different files. How do I fix this? How do I get App Engine to use the newer version of OpenSSL that I've installed?

[NP]

Can anybody help out here....?

Thanks

[Brian de Alwis]

Do you have a PYTHONPATH, PYTHONSTARTUP, or PYTHONHOME?

Probably worth trying to launch your python with `-v -v -v` and see where it's loading its files from.

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengi...@googlegroups.com.
To post to this group, send email to google-a...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/f8b1c84a-5799-479a-b4c0-1867ba10cbb2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[NP]

When you say python path, do you mean?

>>> python

>>> import sys

>>> sys.path

[Brian de Alwis]

I apologize: I misinterpreted what you wrote.  I thought you meant your Python interpreter was loading the system ssl.py instead of the version in your /usr/local/Cellar.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/a13e19f1-84a1-4932-a56c-ee1d246934ab%40googlegroups.com.

[NP]

I figured out the problem and my understanding is

1) GAE was still referring to the old python installation (the one that comes shipped with Mac). When I open the GAE Launcher, 

GAE > Preferences > Python Path is blank.

2) What I needed to do was force GAE to use the newly installed Python (the one I installed with Brew with the direction to use the upgraded OpenSSL). So I have now set

GAE > Preferences > Python Path = /usr/local/bin/python.

Everything now works and running the code below from within GAE tells me my TLS is OKAY

import urllib2

r = urllib2.urlopen("https://howsmyssl.com/").read()

return r

Also running the code below now gives me the updated version of OpenSSL

 import ssl 

return ssl.OPENSSL_VERSION 

[Attila-Mihaly Balazs]

We also had lots of issues with development on Mac (my FE colleague insists on using a Mac, even though GNU/Linux is a more productive environment for development :-)).

What we settled on was a docker container with Ubuntu installed in it and running all the python / google app engine code inside of it instead of trying to get the Mac into a usable state.

Attila

[Scott DeSapio]

NP, thank you, thank you, thank you.