Fastly has announced plans to disable TLSv1.0 and TLSv1.1 on their CDN endpoints

which will include PyPI (as well as other Python properties). You can see their

timeline at https://www.fastly.com/blog/phase-two-our-tls-10-and-11-deprecation-plan.

There are two hard cut off dates to remember:

* April 30, 2017, which is when any Python.org site you see that does *not*

  have an EV certificate that is hosted by Fastly will no longer support

  TLSv1.0 and TLSv1.1 (testpypi.python.org, test.pypi.org,

  files.pythonhosted.org, etc). This will affect Warehouse since that uses

  files.pythonhosted.org to serve files.

* June 30, 2018, which is when any Python.org site you see that has an EV

  certificate that is hosted by Fastly will no longer support TSLv1.0 and

  TLSv1.1 (pypi.python.org, pypi.org, etc).

I am going to see about possibly organizing some scheduled "brown outs" of

TLSv1.0 and TLSv1.1 prior to the cut off dates to try and help folks find places

that will need updates. Any scheduled brownouts will be posted to

status.python.org prior to happening.

Looking at the download numbers, the absolute largest driver of TLSv1.0 and

TLSv1.1 traffic to PyPI are old versions of pip or other clients where I cannot

tell the OS that they are being run on. Past that, macOS is going to be the

largest casualty since their system Python does not support TLSv1.2 yet in any

version of their OS.

If you have a Python and you want to check to see if it supports TLSv1.2 or not,

the easiest way to do that is by running:

    python2 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"

    OR

    python3 -c "import urllib.request,json; print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"

If you get something other than TLS 1.2, then I suggest making plans to deal

with the inevitable breakage which may start occurring on or before April 30,

2017.

—
Donald Stufft