
Test procedure that doesn't require 3rd-party libs:

* For Python 2:

  $ python -c "import json, urllib2; print json.load(urllib2.urlopen('https://www.howsmyssl.com/a/check'))['tls_version']"

* For Python 3:

  $ python3 -c "import json, urllib.request; print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read().decode('UTF-8'))['tls_version'])"
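An offline companion to the one-liners above, added here as an example and not part of the original comment. It does two things: reports what the local interpreter's linked OpenSSL build can negotiate without opening a socket, and turns a howsmyssl-style JSON body into a pass/fail verdict. Both JSON bodies are constructed samples; of the field names, only `tls_version` appears in the thread, and `rating`, `beast_vuln` and `insecure_cipher_suites` are assumed from the service's response format. Python 3 only.

```python
"""Offline companion to the howsmyssl one-liners (added example, not from the thread).

check 1: what the local interpreter's linked OpenSSL can negotiate, no network needed;
check 2: turn a howsmyssl /a/check JSON body into a pass/fail verdict.
Both sample bodies are constructed here, not captured from the service.
"""
import json
import ssl

# TLS 1.2 first shipped in OpenSSL 1.0.1; anything older tops out at TLS 1.0,
# which is what the stock macOS Python in the thread reports.
_MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)
_ACCEPTABLE_VERSIONS = ("TLS 1.2", "TLS 1.3")

# Constructed samples. Only "tls_version" is shown in the thread; the other
# field names are assumed from the howsmyssl response format.
SAMPLE_MODERN = ('{"tls_version": "TLS 1.2", "rating": "Probably Okay", '
                 '"beast_vuln": false, "insecure_cipher_suites": {}}')
SAMPLE_STOCK_MAC = ('{"tls_version": "TLS 1.0", "rating": "Bad", "beast_vuln": true, '
                    '"insecure_cipher_suites": {"TLS_RSA_WITH_RC4_128_SHA": ["uses RC4"]}}')


def local_tls_capabilities():
    """Report what this interpreter's OpenSSL build supports without opening a socket."""
    has_tls12 = getattr(ssl, "HAS_TLSv1_2", None)  # exposed since Python 3.7
    if has_tls12 is None:                           # older interpreter: infer from OpenSSL version
        has_tls12 = ssl.OPENSSL_VERSION_INFO[:3] >= _MIN_OPENSSL_FOR_TLS12
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "openssl_version_info": ssl.OPENSSL_VERSION_INFO[:3],
        "supports_tls12": bool(has_tls12),
        "supports_tls13": bool(getattr(ssl, "HAS_TLSv1_3", False)),
    }


def interpret_howsmyssl(payload):
    """Return (tls_version, acceptable, reasons) for a howsmyssl /a/check body."""
    data = json.loads(payload)
    version = data.get("tls_version", "unknown")
    reasons = []
    if version not in _ACCEPTABLE_VERSIONS:
        reasons.append("negotiated %s; TLS 1.2 or newer is required" % version)
    bad_suites = data.get("insecure_cipher_suites") or {}
    if bad_suites:
        reasons.append("insecure cipher suites offered: " + ", ".join(sorted(bad_suites)))
    if data.get("beast_vuln"):
        reasons.append("cipher preference is BEAST-vulnerable")
    return version, not reasons, reasons


if __name__ == "__main__":
    caps = local_tls_capabilities()
    print("linked %s, TLS 1.2 support: %s" % (caps["openssl_version"], caps["supports_tls12"]))
    for label, body in (("modern client", SAMPLE_MODERN), ("stock macOS Python", SAMPLE_STOCK_MAC)):
        version, ok, reasons = interpret_howsmyssl(body)
        print("%s: %s -> %s" % (label, version, "OK" if ok else "; ".join(reasons)))
```

To run the verdict against the live service instead of the samples, pass the body from the Python 3 one-liner (`urllib.request.urlopen(...).read().decode('UTF-8')`) to `interpret_howsmyssl`. The local capability check is the quicker first question: if `supports_tls12` is already `False`, the OpenSSL the interpreter was linked against is the problem, not the network path.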



I don't know if it matters to anyone, but stock OS X (I develop on an Ubuntu partition) shows TLS 1.0.


Two relevant quotes regarding Macs:

"the system Python shipped with MacOS does not yet support TLSv1.2 in any MacOS version;" (and notes on installing current Python 2.7 or 3.6 alongside the system version)

"Python's TLS implementation is falling behind on macOS is that Python continues to use OpenSSL, which Apple has stopped updating on macOS." It's unclear what the fix for this is going to end up being.


> It's unclear what the fix for this is going to end up being.

Is there some reason why `brew install python` doesn't work? (I do this on every system, and mine is TLS 1.2)

Otherwise, if you're bundling stuff to give to an end user, bundle up Python, since Apple seems intent on letting most of the core utils (not just Python) bitrot?


I get TLS 1.2 with Python 2.7.13 installed via homebrew.


As it says in the article, Apple has not updated their system Python in a long time, so soon you will not be able to pip install packages using the system Python.


The real issue is not that Apple has not updated Python, but rather that about 4 years ago Apple deprecated OpenSSL. So the OpenSSL library included on MacOS has not seen a major update since then (only back-ported fixes). The article does an o.k. job of explaining this in note 2, but fails to mention that this has been a known problem for over 4 years, and little has been done in the meantime. Only now that there is a looming deadline does there seem to be any motion on it, and it is obvious that they are going to miss the deadline.

I do think that they are missing a fairly simple solution for the majority of use cases: move things like `urllib2` to use `libcurl` underneath rather than OpenSSL. The CURL project has already solved this problem by being portable to things like Apple's CommonCrypto library and Windows' security libraries.

I should also note that the article's suggested workarounds are less than ideal as both use versions of OpenSSL that do not consult the system keychain for root certificates, and so create strange problems that most people will not understand.
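A diagnostic for the keychain point above, added here as an example and not part of the original comment or of any project the thread mentions: a Python linked against a Homebrew-built OpenSSL reads only the cafile/capath that OpenSSL build was configured with (plus the `SSL_CERT_FILE` / `SSL_CERT_DIR` overrides), never the macOS keychain, so the first thing to print when a site the system trusts fails with `CERTIFICATE_VERIFY_FAILED` is where this interpreter actually looks for roots. Everything below uses the standard-library `ssl` module only; no path values are assumed.

```python
"""Which root store does this interpreter use? (added example, not from the thread)

A Python linked against a Homebrew OpenSSL never consults the macOS keychain;
it reads only the cafile/capath that OpenSSL build was configured with, plus the
SSL_CERT_FILE / SSL_CERT_DIR environment overrides. Printing those is the first
step when a site the system keychain trusts fails with CERTIFICATE_VERIFY_FAILED.
"""
import os
import ssl


def trust_store_report():
    """Describe where roots come from and whether anything was actually loaded."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()   # same default store urllib.request uses
    # get_ca_certs() lists roots loaded from cafile; capath entries load lazily,
    # so a count of 0 with an existing capath is not by itself a failure.
    loaded = ctx.get_ca_certs()
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "cafile": paths.cafile,
        "cafile_exists": bool(paths.cafile) and os.path.isfile(paths.cafile),
        "capath": paths.capath,
        "capath_exists": bool(paths.capath) and os.path.isdir(paths.capath),
        "cafile_env_var": paths.openssl_cafile_env,
        "cafile_env_override": os.environ.get(paths.openssl_cafile_env),
        "capath_env_var": paths.openssl_capath_env,
        "capath_env_override": os.environ.get(paths.openssl_capath_env),
        "loaded_ca_count": len(loaded),
    }


def root_store_usable(report):
    """True when at least one root source is present on disk or already loaded."""
    return bool(report["cafile_exists"] or report["capath_exists"] or report["loaded_ca_count"] > 0)


if __name__ == "__main__":
    report = trust_store_report()
    for key, value in report.items():
        print("%-22s %s" % (key, value))
    print("usable root store:", root_store_usable(report))
```

If `cafile_exists` and `capath_exists` are both `False` and nothing is loaded, certificate verification will fail for every host regardless of the TLS version negotiated; pointing `SSL_CERT_FILE` at a current CA bundle is the usual fix for a Homebrew Python. Note that a corporate or self-installed root that lives only in the keychain will still be missing from that bundle, which is the "strange problems" the comment refers to.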


> I do think that they are missing a fairly simple solution

That doesn't sound very simple at all. For one thing, it means the python runtime loses control over the http implementation it ships. It's also not obvious that libcurl provides an API that can do everything something like http.client can do. I think this is somewhere between 'not simple' and 'non-starter'.


I like how you phrase it so that it sounds like it's Python's fault that Apple is not supporting an open, cross-platform standard.


Rewriting all the network code to use libcurl is not gonna happen in such a short timeframe.

I expect the issue will be solved by linking and bundling a recent openssl, which is relatively trivial to do for only one platform.


That's already the solution. It's suboptimal.


Does libcurl provide the abstractions to make that transition simpler than directly adding support for the platform libraries to Python's TLS implementation?


I can't say for certain regarding this case specifically, but CURLOPT_CONNECT_ONLY (as I recall) does the TLS and proxy shenanigans, and then waits for you to say "HTTP 1.1" and so on. You can send and receive data using a BSD_socket-a-like API.

https://curl.haxx.se/libcurl/c/CURLOPT_CONNECT_ONLY.html


Yes, the solution is to use a package manager that builds Python with an up-to-date version of OpenSSL. The long term solution is to patch Python to use SecureTransport, but I don't see anyone rushing to do that.


I think I'd rather use a third party library than a third party service though, if that was what I could pick between. I see that you just modified the code mentioned in the article so it's not criticism towards you.


I get TLS 1.2 for both Python2 and Python3. Latest Arch Linux.


Same on CentOS 7.3.


Same on Windows 8.1 with python 2.
