
So with the help of Graham I realize I need to rebuild the mod_ssl.so to point to the new OpenSSL version.

I found the following post with a similar problem, but not much was suggested: https://stackoverflow.com/questions/36756641/rebuild-mod-ssl-so-on-apache2-on-macosx

  1. Is it possible to rebuild only the mod_ssl.so, or do I need to rebuild Apache?
  2. Any specific flags to use?
  3. Is homebrew the way to go and how do I avoid having two installations of Apache?
  4. I am on 10.11.6 and using MacOS Server 5.2 (If that has an impact)

I have integrated the following framework under a flask app and made it work. https://github.com/playingmedia/swish-python

So basically it makes a Request with pyopenssl with included certificates.

This is working fine in my flask app, but when I move it to my Apache Server (configured to be accessed through TLS - not sure if that is relevant) it gives me the following error: SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)

I am wondering if there is a mod_wsgi setting I need to manipulate or if there could be any permission issues...

I included another framework using Suds with TLS on the Apache server without any problem, so I am wondering if there are any known issues with the Request library and pyopenssl under mod_wsgi?

Have tried to google quite a lot, but perhaps I am not typing in the right keywords.

Thx

  • Which Python distro are you using and on what OS platform and version? Some Python distros/versions are starting to bundle their own SSL libraries. The problem is that Apache will generally use the system SSL libraries. So Apache SSL libraries will be loaded first and then you get a conflict as they take precedence. This could cause strange behaviour. – Graham Dumpleton Mar 25 '17 at 19:54
  • I just upgraded to OpenSSL 1.0.2k. I am on OS X 10.11.6, Apache/2.4.18 and Python 2.7.13 – Starfish Mar 26 '17 at 12:12
  • That OpenSSL is from brew by the look of it. What are Apache and Python from? If you use brew Python you need to use brew Apache as well. You can't use Apple Apache with brew Python, or brew Apache with Apache Apache. IOW, don't mix. – Graham Dumpleton Mar 26 '17 at 19:41
  • Yeah, OpenSSL from brew and it seems my python is also from brew. Apache is out of the box from Apple. Seems to work fine when using Suds client though, but apparently not requests library. Will try to revert back to original openssl and python. – Starfish Mar 26 '17 at 20:16
  • Hmm, what the hell is Apache Apache. Meant can't mix brew Apache with Apple Python. – Graham Dumpleton Mar 26 '17 at 22:45
  • OpenSSL built from source: OpenSSL 1.1.0e. But still does not work. How can I verify that Apache is using the new OpenSSL? I tried curl --head http://localhost but only see Server: Apache – Starfish Mar 27 '17 at 16:17
  • Also .dylib seems to point to the old version so I guess Apache is still using the old version: lrwxr-xr-x 1 root wheel 18 Feb 5 2016 /usr/lib/libssl.dylib -> libssl.0.9.8.dylib – Starfish Mar 27 '17 at 18:36
  • You can't force the existing Apple Apache to use a newer OpenSSL version. Only Apple can do that by releasing a new version with the operating system and they aren't likely to do that as they are stuck with their old version of OpenSSL. You would have to use brew version of Apache, or build Apache yourself from source code and configure it at build time to use the brew version of OpenSSL. – Graham Dumpleton Mar 27 '17 at 19:28
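
The thread asks how to tell which OpenSSL is in play once the code runs inside Apache. The following is an added example, not part of the original question or comments: a small diagnostic that reports the OpenSSL library the Python interpreter has loaded, runnable both from the shell and as a mod_wsgi application so the two reports can be compared. The names `tls_report`, `compare` and the idea of mounting `application` on a temporary URL are assumptions for illustration.

```python
import json
import ssl
import sys

# Keys whose values should match between the shell and mod_wsgi runs.
KEYS = ("executable", "prefix", "openssl_runtime",
        "openssl_compiled_info", "has_tls12", "pyopenssl_runtime")


def tls_report():
    """Collect facts about the TLS stack of *this* interpreter process."""
    compiled = getattr(ssl, "_OPENSSL_API_VERSION", None)  # private, optional
    report = {
        "python": sys.version.split()[0],
        "executable": sys.executable,
        "prefix": sys.prefix,
        # OpenSSL library loaded by the interpreter at run time.
        "openssl_runtime": ssl.OPENSSL_VERSION,
        # Headers the ssl module was compiled against, when exposed.
        "openssl_compiled_info": list(compiled) if compiled else None,
        "has_tls12": hasattr(ssl, "PROTOCOL_TLSv1_2"),
        "pyopenssl_runtime": None,
    }
    try:
        from OpenSSL import SSL  # pyOpenSSL, only if installed
        v = SSL.SSLeay_version(SSL.SSLEAY_VERSION)
        report["pyopenssl_runtime"] = (
            v.decode("ascii", "replace") if isinstance(v, bytes) else v)
    except Exception:
        pass  # not installed or failed to load: leave as None
    return report


def compare(shell, wsgi, keys=KEYS):
    """Return {key: (shell_value, wsgi_value)} for every key that differs."""
    return {k: (shell.get(k), wsgi.get(k))
            for k in keys if shell.get(k) != wsgi.get(k)}


def application(environ, start_response):
    # WSGI entry point. It discloses version details, so expose it only
    # temporarily and only to localhost.
    body = json.dumps(tls_report(), indent=2, sort_keys=True).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    print(json.dumps(tls_report(), indent=2, sort_keys=True))
```

Run the file once with the command-line Python and once through a `WSGIScriptAlias` in Apache, then pass the two JSON documents to `compare`. A difference in `openssl_runtime` or `prefix` points to the mixed Python/Apache installation described in the comments.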
