<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jan 10, 2017, at 3:47 PM, Ned Deily <<a href="mailto:nad@python.org" class="">nad@python.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On Jan 10, 2017, at 15:07, Ronald Oussoren <<a href="mailto:ronaldoussoren@mac.com" class="">ronaldoussoren@mac.com</a>> wrote:<br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">On 10 Jan 2017, at 21:02, Donald Stufft <<a href="mailto:donald@stufft.io" class="">donald@stufft.io</a>> wrote:<br class=""><blockquote type="cite" class="">On Jan 10, 2017, at 3:01 PM, Ronald Oussoren <<a href="mailto:ronaldoussoren@mac.com" class="">ronaldoussoren@mac.com</a>> wrote:<br class=""><blockquote type="cite" class="">On 10 Jan 2017, at 14:24, Donald Stufft <<a href="mailto:donald@stufft.io" class="">donald@stufft.io</a>> wrote:<br class="">[…] Past that, macOS is going to be the<br class="">largest casualty since their system Python does not support TLSv1.2 yet in any<br class="">version of their OS.<br class=""></blockquote>Not just the system Python on OSX, this also affects all <a href="http://Python.org" class="">Python.org</a> installers for OSX except 3.6. The 3.6 installer is the first one that doesn’t use the system installation of OpenSSL.<br class=""></blockquote></blockquote></blockquote><br class="">That's not quite accurate. The 32-bit-only macOS <a href="http://python.org" class="">python.org</a> installers for recent 2.7.x and 3.x releases are also linked with a private current set of OpenSSL libraries. For 3.6, we no longer supply the 32-bit-only installer and the 64-bit/32-bit installer is now linked with the private OpenSSL as you note.<br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">Annoyingly with OpenSSL on OSX you have to options: either use an up-to-date release or have OpenSSL use the system CA trust store, but not both. Sigh…<br class=""></blockquote></blockquote></blockquote><br class="">It would be nice if someone would do the work to figure out whether it is feasible to use Apple's own Crypto and TLS API's as apparently libcurl does.<br class=""></div></div></blockquote><div><br class=""></div><div>It would be really nice if we could deprecate `ssl` (which has a bunch of OpenSSL specific stuff in it) and add a new `tls` module that served as an implementation agnostic library that would use OpenSSL on *nix, SecureTransport on macOS, and SChannel on Windows. However, in the mean time there are some folks poking to see about making something pip suitable that will enable us to use SecureTransport at least.</div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">I have no idea how may users use the <a href="http://Python.org" class="">Python.org</a> installers on OSX, but this has the potential to affect a largish number of users on OSX including newbies (but far from all users on OSX, there’s also a sizeable population using Homebrew or Anaconda).<br class=""></blockquote></blockquote></blockquote><br class="">And MacPorts. I don't know about Anaconda but the other two already use their own private versions of OpenSSL AFAIK.<br class=""><br class="">--<br class=""> Ned Deily<br class=""> <a href="mailto:nad@python.org" class="">nad@python.org</a> -- []<br class=""><br class="">_______________________________________________<br class="">Distutils-SIG maillist - <a href="mailto:Distutils-SIG@python.org" class="">Distutils-SIG@python.org</a><br class=""><a href="https://mail.python.org/mailman/listinfo/distutils-sig" class="">https://mail.python.org/mailman/listinfo/distutils-sig</a><br class=""></div></div></blockquote></div><br class=""><div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class="">—<br class="">Donald Stufft<br class=""></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""></div><br class="Apple-interchange-newline">
</div>
<br class=""></body></html>