On Wed, Mar 3, 2021 at 8:08 AM Christian Heimes <christian@python.org> wrote:
On 03/03/2021 16.06, Senthil Kumaran wrote:
> On Tue, Mar 2, 2021 at 8:29 PM Gregory P. Smith <greg@krypto.org> wrote:
>>
>> For lack of better things to do with that... https://bugs.python.org/issue43382 filed to track it.
>
> Actually, that turned out to be useful. Thank you!
>
> The discussion with the default minimal level TLS, and the way it is
> configured in distributions like Ubuntu, Debian, Fedora, and its
> usage with Python is a bit _unsettling_ from a user's perspective.
> OpenSSL, Ubuntu, Python are heavily relied upon pieces of
> infrastructure. I wouldn't be surprised if more projects noticed this
> problem with the update to Ubuntu 20.02.

Hi,

for the record, the issue started when GitHub Actions'
"ubuntu-latest" was updated from 18.04 to 20.04. A user reported a
similar issue on BPO last year in August and with Ubuntu last year in
October. Only Ubuntu is affected. Debian, standard OpenSSL, and other
distros use a different approach to set the minimum protocol version:

https://bugs.python.org/issue41561
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625


PEP 644 (not approved yet)

Has this been submitted to the SC yet? I can't find an email or anything at https://github.com/python/steering-council/issues?q=is%3Aissue+is%3Aopen+644.

-Brett
 
and a soon-to-be-published PEP will hopefully
get rid of the problem once and for all. PEP 644 removes support for
OpenSSL < 1.1 and the new PEP will remove support for TLS 1.0 and 1.1
from stdlib.

https://www.python.org/dev/peps/pep-0644/


By the way, all major distributions disable TLS 1.0 and 1.1. They also
set a higher security level to block weak RSA, DH, and signatures. You
can find more information about Fedora crypto policies at:

https://fedoraproject.org/wiki/Changes/CryptoPolicy
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2


Here are some of my fixes for crypto policies, TLS 1.0/1.1 deprecation,
and FIPS:

https://bugs.python.org/issue34399
https://bugs.python.org/issue38275
https://bugs.python.org/issue38271
https://bugs.python.org/issue34542

Christian
_______________________________________________
python-committers mailing list -- python-committers@python.org
Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/JO3PCRIIG36GW2ZBRCSWUHNBXPUURYUW/
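
An added example, not part of the thread and not CPython's own code: since the default TLS floor discussed above depends on how each distribution builds and configures OpenSSL, this Python snippet reports what the local `ssl` defaults are and builds a client context with the minimum version pinned explicitly. The function names are hypothetical, and `security_level` is only available on Python 3.10 and later.

```python
import ssl

# Per-context option flags that disable individual protocol versions.
_NO_FLAGS = {
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
}


def config_permits(ctx, version):
    """True if the context's own settings would allow negotiating `version`.

    Only min/max version and OP_NO_* flags are inspected; a distribution-wide
    security level can still reject the protocol at handshake time.
    """
    if ctx.options & _NO_FLAGS.get(version, 0):
        return False
    lo, hi = ctx.minimum_version, ctx.maximum_version
    above_floor = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo <= version
    below_cap = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or hi >= version
    return above_floor and below_cap


def tls_floor_report(ctx=None):
    """Summarise the protocol floor of a context (default: stdlib client default)."""
    ctx = ctx or ssl.create_default_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "security_level": getattr(ctx, "security_level", None),  # Python 3.10+
        "permits_tls1_0": config_permits(ctx, ssl.TLSVersion.TLSv1),
        "permits_tls1_1": config_permits(ctx, ssl.TLSVersion.TLSv1_1),
    }


def pinned_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Client context whose floor is set in code, not inherited from the distro."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = floor
    return ctx


if __name__ == "__main__":
    for label, ctx in (("default", None), ("pinned", pinned_client_context())):
        print(label, tls_floor_report(ctx))
```

Running it on two distributions side by side shows whether the "default" row differs while the "pinned" row stays the same.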