On Jan 10, 2017, at 3:47 PM, Ned Deily <nad@python.org> wrote:

On Jan 10, 2017, at 15:07, Ronald Oussoren <ronaldoussoren@mac.com> wrote:
On 10 Jan 2017, at 21:02, Donald Stufft <donald@stufft.io> wrote:
On Jan 10, 2017, at 3:01 PM, Ronald Oussoren <ronaldoussoren@mac.com> wrote:
On 10 Jan 2017, at 14:24, Donald Stufft <donald@stufft.io> wrote:
[…] Past that, macOS is going to be the
largest casualty since their system Python does not support TLSv1.2 yet in any
version of their OS.
Not just the system Python on OSX, this also affects all Python.org installers for OSX except 3.6. The 3.6 installer is the first one that doesn’t use the system installation of OpenSSL.

That's not quite accurate.  The 32-bit-only macOS python.org installers for recent 2.7.x and 3.x releases are also linked with a private current set of OpenSSL libraries.  For 3.6, we no longer supply the 32-bit-only installer and the 64-bit/32-bit installer is now linked with the private OpenSSL as you note.

Annoyingly with OpenSSL on OSX you have two options: either use an up-to-date release or have OpenSSL use the system CA trust store, but not both.  Sigh…

It would be nice if someone would do the work to figure out whether it is feasible to use Apple's own Crypto and TLS APIs as apparently libcurl does.

It would be really nice if we could deprecate `ssl` (which has a bunch of OpenSSL-specific stuff in it) and add a new `tls` module that served as an implementation-agnostic library that would use OpenSSL on *nix, SecureTransport on macOS, and SChannel on Windows. However, in the meantime there are some folks poking to see about making something pip-suitable that will enable us to use SecureTransport at least.


I have no idea how many users use the Python.org installers on OSX, but this has the potential to affect a largish number of users on OSX including newbies (but far from all users on OSX, there’s also a sizeable population using Homebrew or Anaconda).

And MacPorts.  I don't know about Anaconda but the other two already use their own private versions of OpenSSL AFAIK.

--
 Ned Deily
 nad@python.org




Donald Stufft