ssl module will require OpenSSL 1.0.2

For your information,
my ssl module improvement "Let OpenSSL verify hostname and IP address" will land either today or tomorrow. I'm just waiting for Alex to give me the final ACK on PR https://github.com/python/cpython/pull/3462.
Once the PR has landed, several issues with hostname and IP address verification will be solved. Python 3.7 will use OpenSSL's recommended API to match hostnames. The API is OpenSSL 1.0.2+ only. OpenSSL 0.9.8 and 1.0.1 are no longer supported.
LibreSSL does not yet implement these APIs; see https://github.com/libressl-portable/portable/issues/381 for my upstream bug and https://mail.python.org/pipermail/python-dev/2018-January/151824.html for the python-dev discussion.
I'd also like to get https://github.com/python/cpython/pull/5259 into 3.7. The PR adds support for OpenSSL's new API to set minimum and maximum TLS protocol version. It's required for compatibility with future versions of Debian. Debian has used the new APIs to disable TLS 1.0 and 1.1, see https://bugs.python.org/issue31453.
PR https://github.com/python/cpython/pull/5162 implements PEP 543 Certificate and PrivateKey classes, but it's not finished yet. The code works but it lacks tests and documentation.
My remaining TLS PRs are either bug fixes or can wait for 3.8. I'll merge them after beta 1 has been released.
Christian
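An added example (not code from the thread or from CPython itself) showing, from the defender's side, the Python 3.7 ssl APIs the message describes: OpenSSL-side hostname matching via `check_hostname` on a default context, the `minimum_version` setter from PR 5259, and a report of whether the interpreter is linked against the OpenSSL 1.0.2+ floor or against LibreSSL. The function names are my own.

```python
import ssl


def library_report() -> dict:
    """Describe the linked TLS library and whether it meets the 3.7 floor."""
    name = ssl.OPENSSL_VERSION  # e.g. "OpenSSL 1.1.1k ..." or "LibreSSL 2.x.y"
    is_libressl = "LibreSSL" in name
    return {
        "library": name,
        "is_libressl": is_libressl,
        # The thread's floor: OpenSSL 1.0.2 or newer; 0.9.8 and 1.0.1 are out,
        # and LibreSSL lacks the hostname-matching APIs at the time of writing.
        "meets_floor": (not is_libressl) and ssl.OPENSSL_VERSION_INFO >= (1, 0, 2),
        # Attribute added to SSLContext in 3.7 by the min/max protocol version PR.
        "has_version_api": hasattr(ssl.SSLContext, "minimum_version"),
    }


def hardened_client_context(min_version=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client context: CA verification, OpenSSL-side hostname check, TLS floor."""
    # create_default_context() enables CERT_REQUIRED and check_hostname=True;
    # with 3.7 the hostname/IP match is done by OpenSSL's X509_VERIFY_PARAM.
    ctx = ssl.create_default_context()
    # Protocol floor via the 3.7 setter rather than the older OP_NO_TLSv1* flags.
    ctx.minimum_version = min_version
    return ctx


def verification_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when both certificate chain and hostname verification are on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def disable_verification_refused(ctx: ssl.SSLContext) -> bool:
    """Try to drop chain verification; the context must refuse while
    check_hostname is enabled, so a misconfiguration cannot slip in silently."""
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(library_report())
    c = hardened_client_context()
    print("minimum version:", c.minimum_version.name)
    print("strict:", verification_is_strict(c))
    print("CERT_NONE refused:", disable_verification_refused(c))
```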

2018-01-26 20:47 GMT+01:00 Christian Heimes christian@python.org:
> LibreSSL does not yet implement these APIs
Does it mean that Python 3.7 will not support OpenBSD anymore? Well, it's not like OpenBSD support is perfect, but there are only a few issues on OpenBSD.
Do other operating systems use LibreSSL as their system SSL library (instead of OpenSSL)?
Victor

On 2018-01-26 23:03, Victor Stinner wrote:
> 2018-01-26 20:47 GMT+01:00 Christian Heimes christian@python.org:
>> LibreSSL does not yet implement these APIs
> Does it mean that Python 3.7 will not support OpenBSD anymore? Well, it's not like OpenBSD support is perfect, but there are only a few issues on OpenBSD.
> Do other operating systems use LibreSSL as their system SSL library (instead of OpenSSL)?
OpenBSD is still supported. But you either have to install OpenSSL, live without SSL support or get LibreSSL fixed. Python's test suite is passing without ssl available.

2018-01-26 23:09 GMT+01:00 Christian Heimes christian@python.org:
> OpenBSD is still supported. But you either have to install OpenSSL, live without SSL support or get LibreSSL fixed. Python's test suite is passing without ssl available.
(Sure, if LibreSSL is fixed, the issue goes away, but right now https://github.com/libressl-portable/portable/issues/381 is still open.)
I'm not sure that it's possible to easily install OpenSSL on OpenBSD. OpenBSD is linked to the team who wrote LibreSSL and OpenBSD replaced OpenSSL with LibreSSL.
Python without ssl also means Python without pip. Python without pip... well, it's more limited than Python with pip :-)
Victor

On 2018-01-26 23:13, Victor Stinner wrote:
> 2018-01-26 23:09 GMT+01:00 Christian Heimes christian@python.org:
>> OpenBSD is still supported. But you either have to install OpenSSL, live without SSL support or get LibreSSL fixed. Python's test suite is passing without ssl available.
> (Sure, if LibreSSL is fixed, the issue goes away, but right now https://github.com/libressl-portable/portable/issues/381 is still open.)
> I'm not sure that it's possible to easily install OpenSSL on OpenBSD. OpenBSD is linked to the team who wrote LibreSSL and OpenBSD replaced OpenSSL with LibreSSL.
> Python without ssl also means Python without pip. Python without pip... well, it's more limited than Python with pip :-)
We never officially supported LibreSSL, so we aren't breaking any promise. I supported LibreSSL as a best-effort approach.
You can still have TLS support with extra packages. Python requests and pip can also use PyOpenSSL.
Christian

2018-01-26 23:25 GMT+01:00 Christian Heimes christian@python.org:
> We never officially supported LibreSSL, so we aren't breaking any promise. I supported LibreSSL as a best-effort approach.
> You can still have TLS support with extra packages. Python requests and pip can also use PyOpenSSL.
I have no opinion on OpenBSD support.
It's good to know that the pip issue can be worked around (if PyOpenSSL can be easily installed on OpenBSD? I mean... without pip ;-))).
At least, if Python 3.7 doesn't work on OpenBSD anymore because of this issue, maybe LibreSSL will be more motivated to fix the issue? :-)
Victor

On 27 January 2018 at 09:23, Victor Stinner victor.stinner@gmail.com wrote:
> At least, if Python 3.7 doesn't work on OpenBSD anymore because of this issue, maybe LibreSSL will be more motivated to fix the issue? :-)
Anyone using the Alpine Linux based Docker images (including Docker themselves) will also have a fair incentive to solve the problem (although in that case, their resolution might be "switch back to using OpenSSL given the improvement over the past couple of years").
Cheers, Nick.

On 2018-01-26 23:09, Christian Heimes wrote:
> On 2018-01-26 23:03, Victor Stinner wrote:
>> 2018-01-26 20:47 GMT+01:00 Christian Heimes christian@python.org:
>>> LibreSSL does not yet implement these APIs
>> Does it mean that Python 3.7 will not support OpenBSD anymore? Well, it's not like OpenBSD support is perfect, but there are only a few issues on OpenBSD.
>> Do other operating systems use LibreSSL as their system SSL library (instead of OpenSSL)?
> OpenBSD is still supported. But you either have to install OpenSSL, live without SSL support or get LibreSSL fixed. Python's test suite is passing without ssl available.
According to https://en.wikipedia.org/wiki/LibreSSL#Adoption Alpine Linux, DragonFly BSD and OpenBSD are affected. https://distrowatch.com/table.php?distribution=openbsd still suggests that OpenBSD ships with OpenSSL 1.0.2l. Not sure if that is true, though.
All other distributions either have only OpenSSL (CentOS, Debian, Fedora, RHEL, Ubuntu), OpenSSL as default (Gentoo, FreeBSD) or none (Windows, macOS). NetBSD seems to support both.
Christian
participants (4):
- Christian Heimes
- Christian Heimes
- Nick Coghlan
- Victor Stinner