Install python ssl module on linux without recompiling

python ssl openssl

28,850

Solution 1

Is it possible to install the SSL module for python on a linux box that already has OpenSSL installed without recompiling python?

Yes. Python's setup.py uses the following logic to detect OpenSSL:

search_for_ssl_incs_in = [
                      '/usr/local/ssl/include',
                      '/usr/contrib/ssl/include/'
                     ]

ssl_incs = find_file('openssl/ssl.h', inc_dirs,
                     search_for_ssl_incs_in

ssl_libs = find_library_file(self.compiler, 'ssl',lib_dirs,
                             ['/usr/local/ssl/lib',
                              '/usr/contrib/ssl/lib/'
                             ] )

if (ssl_incs is not None and
    ssl_libs is not None):
    exts.append( Extension('_ssl', ['_ssl.c'],
                           include_dirs = ssl_incs,
                           library_dirs = ssl_libs,
                           libraries = ['ssl', 'crypto'],
                           depends = ['socketmodule.h']), )

The point is Python is not static linking against libssl and libcrypto. (Some static linking occurs with cctyes, but nothing else).

Now, the bad thing is that the project uses system paths before your locally installed paths. For example, the project uses inc_dirs (system) before search_for_ssl_incs_in (local). (See more on this below).

After you run configure, you will have a Modules/Setup with the following lines commented out:

# Socket module helper for SSL support; you must comment out the other
# socket line above, and possibly edit the SSL variable:
#SSL=/usr/local/ssl
#_ssl _ssl.c \
#   -DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \
#   -L$(SSL)/lib -lssl -lcrypto

Again, no static linking. (And this assumes the previous version of Python uncommented those lines).

So you should be able to build a binary compatible version of OpenSSL and use LD_LIBRARY_PATH or LD_PREOLAD to ensure Python uses your updated version of OpenSSL.

OpenSSL 0.9.7 and 0.9.8 are binary compatible. OpenSSL 1.0.0, 1.0.1 and 1.0.2 are binary compatible. OpenSSL 0.9.8 and 1.0.0 are not binary compatible.

----------

Here's the problem with Python's setup placing system includes before local includes:

export CFLAGS="-I/usr/local/ssl/darwin/include"; export LDFLAGS="-L/usr/local/ssl/darwin/lib"
<edit Setup search_for_ssl_incs_in and search_for_ssl_incs_in>
./configure
<edit Modules/Setup>
make
...
/Users/jww/Python-3.4.2/Modules/_ssl.c:390:9: warning: 
      'ERR_peek_last_error' is deprecated [-Wdeprecated-declarations]
    e = ERR_peek_last_error();
        ^
/usr/include/openssl/err.h:274:15: note: 'ERR_peek_last_error' declared here
unsigned long ERR_peek_last_error(void) DEPRECATED_IN_MAC_OS_X_VERSION_1...
              ^
/Users/jww/Python-3.4.2/Modules/_ssl.c:393:15: warning: 
      'SSL_get_error' is deprecated [-Wdeprecated-declarations]
        err = SSL_get_error(obj->ssl, ret);
...

Python used the down level version 0.9.8 version of OpenSSL provided by Apple, and not my recent OpenSSL 1.0.1k. That's despite me (1) exporting them in CFLAGS and LDFLAGS; (2) editing Setup; and (3) editing Modules/Setup.

And I still have runtime path problems to contend with, so I'll need to use LD_PRELOAD_PATH, DYNLIB_LIBRARY_PATH, etc.

Solution 2

NOTE: Python >= 2.6 already has SSL support built-in, there's no need to install ssl package.

Install package from pypi:

pip install ssl

If you're missing pip command, install it for your distribution:

RedHat/Centos:

yum install python-pip

Debian/Ubuntu

apt-get install python-pip

28,850

Author by

Phalse

Updated on July 23, 2022

Comments

Phalse almost 2 years

Is it possible to install the SSL module for python on a linux box that already has OpenSSL installed without recompiling python? I was hoping it would be as simple as copying over a few files and including them in the library path. Python version is 2.4.3. Thanks!
Phalse over 9 years

The ubuntu box I am using is not connected to the internet.
Phalse over 9 years

Doesn't this require the source for python? I am trying to do this with no source. You may have explained that, but I misunderstood.
VT_Drew over 9 years

Can you use a usb stick/external drive on the machine? If so just download the .tar.gz file to the usb stick on another machine (that can access the internet) then pop the usb stick into the ubuntu box and do "pip install /home/username/ssl-1.16.tar.gz". Obviously you need to replace /home/username with the path to the file.
Phalse over 9 years

pip is not installed on this version of linux, can you do something similar with yum?
Hassek about 8 years

It looks like there is no other way for python to use ssl without compiling it.
jww about 8 years

@Hassek - yes and no. If you use a binary compatible OpenSSL 0.9.8, then No, there's no need to recompile Python. However, OpenSSL 0.9.8 is End-of-Life (EOL) and it lack most ECC and TLS 1.2, so you probably want to avoid it. OpenSSL 1.0.2 and 1.1.0 are the way to proceed, and in case, Yes, you must recompile Python. Its easy to recompile once you know where to look for the SSL bits (as shown above).
Beldar over 6 years

This is useless, this is what happens when you run pip install ssl pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available. Shocker...