[PSA] OpenSSL 3.0 support is preliminary and experimental
Hi,

I would like to remind everybody that Python's support for OpenSSL 3.0 is preliminary [1]. Python compiles with OpenSSL 3.0.0 and simple code kinda works. However there are known performance regressions, missing features (e.g. usedforsecurity flag), and potential bugs caused by API incompatibilities.

Due to the experimental state I advise against using Python with OpenSSL 3.0 in production.

It may take a while until Python gains full support for the next version of OpenSSL. I have shifted my personal OSS time to more fun topics like performance and WASM. My work time is currently limited, too.

Christian

[1] https://docs.python.org/3/whatsnew/3.10.html#ssl
Is there an issue that keeps track of all the missing pieces? A "remaining tasks" list would be useful for involving more devs (and of course useful when resuming development, "now, where was I...").

A quick search on BPO revealed some info:

- bpo-46313: SSLObject does not raise SSLEOFError on OpenSSL 3
- bpo-40479: Port _hashlib to OpenSSL 3.0.0
- bpo-46114: OpenSSL 3.0 uses different version scheme
- bpo-38820: Make Python compatible with OpenSSL 3.0.0

Thank you for all the work you've put into this already, Christian!

Erlend
On 9 Jan 2022, at 19:39, Christian Heimes <christian@python.org> wrote:
Hi,
I would like to remind everybody that Python's support for OpenSSL 3.0 is preliminary [1]. Python compiles with OpenSSL 3.0.0 and simple code kinda works. However there are known performance regressions, missing features (e.g. usedforsecurity flag), and potential bugs caused by API incompatibilities.
Due to the experimental state I advise against using Python with OpenSSL 3.0 in production.
It may take a while until Python gains full support for the next version of OpenSSL. I have shifted my personal OSS time to more fun topics like performance and WASM. My work time is currently limited, too.
Christian
[1] https://docs.python.org/3/whatsnew/3.10.html#ssl
On 09. 01. 22 19:39, Christian Heimes wrote:
Hi,
I would like to remind everybody that Python's support for OpenSSL 3.0 is preliminary [1]. Python compiles with OpenSSL 3.0.0 and simple code kinda works. However there are known performance regressions, missing features (e.g. usedforsecurity flag), and potential bugs caused by API incompatibilities.
Due to the experimental state I advise against using Python with OpenSSL 3.0 in production.
It may take a while until Python gains full support for the next version of OpenSSL. I have shifted my personal OSS time to more fun topics like performance and WASM. My work time is currently limited, too.
Hello Christian.

Do you think we should switch Python in Fedora 36 to OpenSSL 1.1.1? Python was naturally rebuilt with OpenSSL 3.0 when the distro upgraded OpenSSL. But the older version is still available.

Note that Fedora 36 is also "preliminary" so we still have time to make this decision until +- the beta freeze/release (end of February, early March this year).

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
Hi Christian,

On Sun, 9 Jan 2022 19:39:06 +0100 Christian Heimes <christian@python.org> wrote:
Hi,
I would like to remind everybody that Python's support for OpenSSL 3.0 is preliminary [1]. Python compiles with OpenSSL 3.0.0 and simple code kinda works. However there are known performance regressions, missing features (e.g. usedforsecurity flag), and potential bugs caused by API incompatibilities.
Due to the experimental state I advise against using Python with OpenSSL 3.0 in production.
It may take a while until Python gains full support for the next version of OpenSSL. I have shifted my personal OSS time to more fun topics like performance and WASM.
Sounds reasonable :-)

Out of curiosity, what are the performance regressions about?

Regards

Antoine.
On 11/01/2022 12.02, Antoine Pitrou wrote:
Hi Christian,
On Sun, 9 Jan 2022 19:39:06 +0100 Christian Heimes <christian@python.org> wrote:
Hi,
I would like to remind everybody that Python's support for OpenSSL 3.0 is preliminary [1]. Python compiles with OpenSSL 3.0.0 and simple code kinda works. However there are known performance regressions, missing features (e.g. usedforsecurity flag), and potential bugs caused by API incompatibilities.
Due to the experimental state I advise against using Python with OpenSSL 3.0 in production.
It may take a while until Python gains full support for the next version of OpenSSL. I have shifted my personal OSS time to more fun topics like performance and WASM.
Sounds reasonable :-)
Out of curiosity, what are the performance regressions about?
OpenSSL 3.0 introduced a new context, provider, and algorithm fetch system. It is not optimized yet and has an impact on performance. I noticed that hashlib.sha512(b'12345678') is more than 20% slower with the new EVP_MD_fetch() API. The impact on multithreaded applications is even bigger due to lock congestion.

https://github.com/openssl/openssl/issues/17064
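An added check script (not from the thread or from CPython) that reports which OpenSSL a given CPython build links, whether hashlib.sha512 is OpenSSL-backed, whether the usedforsecurity flag is accepted, and times the 8-byte sha512 case Christian measured next to a 1 MiB case so per-call setup cost (where the fetch overhead lands) can be told apart from bulk throughput; the sample inputs and iteration counts are constructed.

```python
"""Inspect a CPython build's OpenSSL backend and microbenchmark tiny-input hashing."""
import hashlib
import timeit

try:
    import ssl
except ImportError:  # Python built without the ssl module
    ssl = None

# Constructed sample inputs: the 8-byte message from the thread and a 1 MiB buffer.
SMALL_MSG = b"12345678"
LARGE_MSG = b"\x00" * (1 << 20)


def openssl_version():
    """Return (version string, major number) of the OpenSSL the ssl module was built against."""
    if ssl is None:
        return "ssl module not available", 0
    return ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO[0]


def sha512_backed_by_openssl():
    """True when hashlib.sha512 comes from _hashlib (OpenSSL) rather than the bundled fallback."""
    return type(hashlib.sha512()).__module__ == "_hashlib"


def usedforsecurity_flag_works(name="md5"):
    """True when hashlib accepts usedforsecurity=False for this algorithm without raising."""
    try:
        hashlib.new(name, b"", usedforsecurity=False)  # flag exists since Python 3.9
    except (ValueError, TypeError):
        return False
    return True


def bench_sha512(msg, iterations):
    """Mean microseconds per hashlib.sha512(msg).digest() call (single thread, constructed)."""
    total = timeit.timeit(lambda: hashlib.sha512(msg).digest(), number=iterations)
    return total / iterations * 1e6


def report(iterations=20000):
    """Collect backend facts and both timings; a regression in per-call setup shows up in the 8-byte figure."""
    version, major = openssl_version()
    small_us = bench_sha512(SMALL_MSG, iterations)
    large_us = bench_sha512(LARGE_MSG, max(1, iterations // 200))
    return {
        "openssl": version,
        "openssl_3": major >= 3,
        "sha512_via_openssl": sha512_backed_by_openssl(),
        "usedforsecurity_ok": usedforsecurity_flag_works(),
        "us_per_8byte_hash": small_us,
        "MiB_per_s_bulk": 1e6 / large_us,  # LARGE_MSG is exactly 1 MiB per call
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it once against a 1.1.1 build and once against a 3.0 build of the same interpreter version to compare the two tiny-message figures directly.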
On 10/01/2022 17.01, Miro Hrončok wrote:
On 09. 01. 22 19:39, Christian Heimes wrote:
Hi,
I would like to remind everybody that Python's support for OpenSSL 3.0 is preliminary [1]. Python compiles with OpenSSL 3.0.0 and simple code kinda works. However there are known performance regressions, missing features (e.g. usedforsecurity flag), and potential bugs caused by API incompatibilities.
Due to the experimental state I advise against using Python with OpenSSL 3.0 in production.
It may take a while until Python gains full support for the next version of OpenSSL. I have shifted my personal OSS time to more fun topics like performance and WASM. My work time is currently limited, too.
Hello Christian.
Do you think we should switch Python in Fedora 36 to OpenSSL 1.1.1? Python was naturally rebuilt with OpenSSL 3.0 when the distro upgraded OpenSSL. But the older version is still available.
Note that Fedora 36 is also "preliminary" so we still have time to make this decision until +- the beta freeze/release (end of February, early March this year).
Hi Miro,

I suggest waiting and re-evaluating the situation in a month from now. The situation might improve by then. OpenSSL upstream is working on performance improvements. I have a pending fix for the hashlib usedforsecurity feature. For the other issues, somebody has to put in the work and review all differences between OpenSSL 1.1.1 and 3.0.

Christian
participants (4):

- Antoine Pitrou
- Christian Heimes
- Erlend Aasland
- Miro Hrončok