On 03/03/2021 18.59, Senthil Kumaran wrote:
On Wed, Mar 3, 2021 at 8:08 AM Christian Heimes <christian@python.org> wrote:
PEP 644 (not approved yet) and a soon-to-be-published PEP will hopefully get rid of the problem once and for all. PEP 644 removes support for OpenSSL < 1.1 and the new PEP will remove support for TLS 1.0 and 1.1 from stdlib.
Thank you for all the efforts here, Christian. The PEP provides a good summary on the state. +1 vote to it and hope we will have a much simpler system to reason with soon.
It was hard for me (guess anyone) to track Libre/Open/Boring, TLS versions, etc., let alone keeping it compatible like you have been doing. The premise of PEP-0644 is extremely reasonable.
Thanks! :)
It's actually easy:
- BoringSSL is irrelevant unless you have a product that bundles/vendors the library as an internal dependency, e.g. Chrome.
- LibreSSL is used by OpenBSD and DragonFly.
- Everyone (*) else uses OpenSSL or moved back to OpenSSL.
(*) except for Windows, macOS, Android, Java, Firefox/Thunderbird, GnuPG, embedded systems, curl, and others. curl has something like 15 different TLS backends.