hg/python issues on Sierra(OS X 10.12.6)

Lance Andersen lance.andersen at oracle.com
Sun Jul 14 20:55:59 UTC 2019 

Hi,

I have run into a problem  that appears to be an issue with a recent change somewhere now needs  python to use TLS 1.2 and the MAC version on OS X 10.12.6 (Sierra) of Python uses TLS 1.0.  

I am running the following version of hg:
—————
$ hg --version
Mercurial Distributed SCM (version 4.0.1)
(see https://mercurial-scm.org for more information)

Copyright (C) 2005-2016 Matt Mackall and others
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
ljanders-mac:JDK13-examples ljanders$
——

When I tried to do an hg pull, I started receiving the following error last week:
—————
$ sh get_source.sh
pull_default_tail jdk/jdk
No repositories to process.
# Repositories:  . open
                   .:   cd . && hg pull -u
                open:   cd open && hg pull -u
                   .:   pulling from http://closedjdk.us.oracle.com/jdk/jdk
                open:   pulling from http://hg.openjdk.java.net/jdk/jdk
                open:   searching for changes
                open:   adding changesets
                   .:   searching for changes
                open:   adding manifests
                   .:   adding changesets
                   .:   adding manifests
                   .:   adding file changes
                   .:   added 64 changesets with 141 changes to 104 files
                open:   adding file changes
                   .:   error: pretxnchangegroup hook raised an exception: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)>
                   .:   transaction abort!
                   .:   rollback completed
                   .:   abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)
                open:   added 226 changesets with 1670 changes to 1471 files
                open:   error: pretxnchangegroup hook raised an exception: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)>
                open:   transaction abort!
                open:   rollback completed
                open:   abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)
WARNING: open exited abnormally (255)
——

The version of python on Sierra is:
————
/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -V
Python 2.7.10

/usr/bin/python -V
Python 2.7.10

—

It appears that hg uses the following python path in the hg script.
————
/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python 
——

So I tried to install a newer version of python2 vis brew and then from https://www.python.org/downloads/release/python-2716/

This does not seem to update version of python at 
---------
/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python 
————

and updates /usr/local/bin

I verified that using the latest version of python that it should resolve the jcheck.py  issue via the attached python script which emulates what jheck.py does for accessing https://db.openjdk.java.net/people

Also, it appears from googling it is not possible to update the OS X version of Python, I tried to update the hg script to point to the newer version of  python but received the following error:

————————
$ hg.new pull
abort: couldn't find mercurial libraries in [/usr/Library/Python/2.7/site-packages /usr/local/bin /Library/Frameworks/Python.framework/Versions/2.7/lib/python27.zip /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7 /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/plat-darwin /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/plat-mac /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/plat-mac/lib-scriptpackages /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-tk /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-old /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages]
(check your install and PYTHONPATH)

————
Not sure how to resolve the above.


Best
Lance

p.s

 you install python from https://www.python.org/downloads/release/python-2716/, you will also need to do the following:

———
$ pwd
/Applications/Python 2.7
ljanders-mac:Python 2.7 ljanders$ ls
Extras				Icon?				License.rtf			Python Launcher.app		Update Shell Profile.command
IDLE.app			Install Certificates.command	Python Documentation.html	ReadMe.rtf
ljanders-mac:Python 2.7 ljanders$ ./Install\ Certificates.command 
 -- pip install --upgrade certifi
Collecting certifi
  Downloading https://files.pythonhosted.org/packages/69/1b/b853c7a9d4f6a6d00749e94eb6f3a041e342a885b87340b79c1ef73e3a78/certifi-2019.6.16-py2.py3-none-any.whl (157kB)
    100% |████████████████████████████████| 163kB 2.4MB/s 
Installing collected packages: certifi
Successfully installed certifi-2019.6.16
You are using pip version 18.1, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
 -- removing any existing file or link
 -- creating symlink to certifi certificate bundle
 -- setting permissions
 -- update complete
ljanders-mac:Python 2.7 ljanders$
—

If you do not you will receive the following error accessing an https URL (you could also work around it by:
 export PYTHONHTTPSVERIFY=0), for example:

$ python URLTest.py 
Testing urllib2!
Loading author names ...

accessing db.open.jdk.java.net/people.
calling urlopen
Traceback (most recent call last):
  File "URLTest.py", line 28, in <module>
    load_authors()
  File "URLTest.py", line 17, in load_authors
    f = urllib2.urlopen(req)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1198, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)>
ljanders-mac:JDK13-examples ljanders$





 <http://oracle.com/us/design/oracle-email-sig-198324.gif>
 <http://oracle.com/us/design/oracle-email-sig-198324.gif> <http://oracle.com/us/design/oracle-email-sig-198324.gif>
 <http://oracle.com/us/design/oracle-email-sig-198324.gif>Lance Andersen| Principal Member of Technical Staff | +1.781.442.2037
Oracle Java Engineering 
1 Network Drive 
Burlington, MA 01803
Lance.Andersen at oracle.com <mailto:Lance.Andersen at oracle.com>

More information about the build-dev mailing list