Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed4.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.004 X-Spam-Evidence: '*H*': 0.99; '*S*': 0.00; 'scripts': 0.03; 'root': 0.05; 'failing': 0.07; 'modified': 0.07; 'valueerror:': 0.09; 'python': 0.11; '2.7': 0.14; 'accepting': 0.14; 'ah,': 0.16; 'deprecated,': 0.16; 'sha1': 0.16; 'ssl,': 0.16; 'subject:broken': 0.16; 'suddenly,': 0.16; 'underlying': 0.16; 'wrote:': 0.18; 'library': 0.18; 'thu,': 0.19; 'to:name:python-list@python.org': 0.22; 'install': 0.23; 'ssl': 0.24; "i've": 0.25; 'possibly': 0.26; 'header:In-Reply-To:1': 0.27; 'am,': 0.29; 'message- id:@mail.gmail.com': 0.30; 'announced': 0.31; 'away.': 0.31; "d'aprano": 0.31; 'larry': 0.31; 'microsoft,': 0.31; 'sep': 0.31; 'skip:/ 80': 0.31; 'steven': 0.31; 'this.': 0.32; 'probably': 0.32; 'running': 0.33; 'mac': 0.33; 'updated': 0.34; 'could': 0.34; 'problem': 0.35; "can't": 0.35; 'case,': 0.35; 'no,': 0.35; 'but': 0.35; 'received:google.com': 0.35; 'google': 0.35; 'there': 0.35; 'really': 0.36; 'dates': 0.36; 'done': 0.36; "didn't": 0.36; 'apple': 0.38; 'needed': 0.38; 'to:addr:python-list': 0.38; 'anything': 0.39; 'expect': 0.39; 'to:addr:python.org': 0.39; 'how': 0.40; 'anything.': 0.68; 'soon.': 0.71; 'wheel': 0.84; 'old,': 0.85; 'imagine': 0.93; '2013': 0.98 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=4iKQXCZsGCupe/8UthbYpPvoJoPx1osrMqOFnv4sW64=; b=sY5XQC00iT2YKfV+3+Xy7InuuZZ7AJ6UZFQHhFR+9Ya0CudZLjqDceukJTT+oFoqml HMowGZQwLaZZHdssIYajlZhG0iTdd8NOj/BcaYmw985nm2RjZX5NxviJGpXF8Eh+mm6t wcX1eI8qnoXtvFfFAz2lZju/njWB8x0BdW7NTg5T7IqM7CDmgtybmKM6+3STUy5NT/yx O7LdpVaj2XrI8NXSowMM8SXNgxrf1xQDzwdlQl6ifG4+IMw/7P9VolcqNFGVOaKWIpKc 4s1qs//zw1Q69JZKHy+J71FKn+wNtGxPrxs16lqwJMbBNItd5kKICEMLWK8aJwwktYi9 86rw== MIME-Version: 1.0 X-Received: by 10.180.211.208 with SMTP id ne16mr2611071wic.71.1411068124414; Thu, 18 Sep 2014 12:22:04 -0700 (PDT) In-Reply-To: <541b1158$0$29967$c3e8da3$5496439d@news.astraweb.com> References: <541b1158$0$29967$c3e8da3$5496439d@news.astraweb.com> Date: Thu, 18 Sep 2014 13:22:04 -0600 Subject: Re: hashlib suddenly broken From: Larry Martell To: "python-list@python.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 44 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1411068127 news.xs4all.nl 2951 [2001:888:2000:d::a6]:33064 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:78038 On Thu, Sep 18, 2014 at 11:07 AM, Steven D'Aprano wrote: > Larry Martell wrote: > >> I am on a mac running 10.8.5, python 2.7 >> >> Suddenly, many of my scripts started failing with: >> >> ValueError: unsupported hash type sha1 > [...] >> This just started happening yesterday, and I cannot think of anything >> that I've done that could cause this. > > Ah, the ol' "I didn't change anything, I swear!" excuse *wink* > > But seriously... did you perhaps upgrade Python prior to yesterday? Or > possibly an automatic update ran? No, I did not upgrade or install anything. > Check the creation/last modified dates on: > > /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/hashlib.py That was in my original post: $ ls -l /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/hashlib.py -rw-r--r-- 1 root wheel 5013 Apr 12 2013 /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/hashlib.py > but I expect that's probably not where the problem lies. My *wild guess* is > that your system updated SSL, and removed some underlying SHA-1 library > needed by hashlib. SHA-1 is pretty old, and there is now a known attack on > it, so some over-zealous security update may have removed it. > > If that's the case, it really is over-zealous, for although SHA-1 is > deprecated, the threat is still some years away. Microsoft, Google and > Mozilla have all announced that they will continue accepting it until 2017. > I can't imagine why Apple would removed it so soon. So you know how I could check and see if I have SHA-1 and when my SSL was updated?