As a relative newcomer I may have missed a long previous discussion re: linking with OpenSSL and/or LibreSSL. In an ideal world this would be rtl linking, i.e., underlying complexities of *SSL libraries are hidden from applications.
In short, when I saw this http://bugs.python.org/issue26465 Title: Upgrade OpenSSL shipped with python installers, it reminded me I need to start looking at LibreSSL again - and that, if not already done - might be something "secure" for python as well.
Michael
On 8 March 2016 at 00:49, Michael Felt michael@felt.demon.nl wrote:
As a relative newcomer I may have missed a long previous discussion re: linking with OpenSSL and/or LibreSSL. In an ideal world this would be rtl linking, i.e., underlying complexities of *SSL libraries are hidden from applications.
In short, when I saw this http://bugs.python.org/issue26465 Title: Upgrade OpenSSL shipped with python installers, it reminded me I need to start looking at LibreSSL again - and that, if not already done - might be something "secure" for python as well.
According to the libressl website, one of the projects primary goals is to remain "backwards-compatible with OpenSSL", which is to say, to either have code work without changes or to fail gracefully when it uses the deprecated bits. It does seem it ships with OpenBSD. There is an issue open on bugs to address whatever incompatibilities remain between LibreSSL and OpenSSL[1]. Perhaps you might want to take a look at that? -- H 1. https://bugs.python.org/issue23177
Michael _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/hasan.diwan%40gmail.com
Can look at it. There has been a lot of discussion, iirc, between OpenSSL and LibreSSL re: version identification. Thx for the reference.
On 08-Mar-16 14:55, Hasan Diwan wrote:
On 8 March 2016 at 00:49, Michael Felt <michael@felt.demon.nl mailto:michael@felt.demon.nl> wrote:
As a relative newcomer I may have missed a long previous discussion re: linking with OpenSSL and/or LibreSSL. In an ideal world this would be rtl linking, i.e., underlying complexities of *SSL libraries are hidden from applications. In short, when I saw this http://bugs.python.org/issue26465 Title: Upgrade OpenSSL shipped with python installers, it reminded me I need to start looking at LibreSSL again - and that, if not already done - might be something "secure" for python as well.According to the libressl website, one of the projects primary goals is to remain "backwards-compatible with OpenSSL", which is to say, to either have code work without changes or to fail gracefully when it uses the deprecated bits. It does seem it ships with OpenBSD. There is an issue open on bugs to address whatever incompatibilities remain between LibreSSL and OpenSSL[1]. Perhaps you might want to take a look at that? -- H
https://bugs.python.org/issue23177
Michael _______________________________________________ Python-Dev mailing list Python-Dev@python.org mailto:Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/hasan.diwan%40gmail.com
-- OpenPGP: http://hasan.d8u.us/gpg.asc Sent from my mobile device Envoyé de mon portable
Don't forget BoringSSL.
On Wed, Mar 9, 2016 at 9:30 AM Michael Felt mamfelt@gmail.com wrote:
Can look at it. There has been a lot of discussion, iirc, between OpenSSL and LibreSSL re: version identification. Thx for the reference.
On 08-Mar-16 14:55, Hasan Diwan wrote:
On 8 March 2016 at 00:49, Michael Felt michael@felt.demon.nl wrote:
As a relative newcomer I may have missed a long previous discussion re: linking with OpenSSL and/or LibreSSL. In an ideal world this would be rtl linking, i.e., underlying complexities of *SSL libraries are hidden from applications.
In short, when I saw this http://bugs.python.org/issue26465 Title: Upgrade OpenSSL shipped with python installers, it reminded me I need to start looking at LibreSSL again - and that, if not already done - might be something "secure" for python as well.
According to the libressl website, one of the projects primary goals is to remain "backwards-compatible with OpenSSL", which is to say, to either have code work without changes or to fail gracefully when it uses the deprecated bits. It does seem it ships with OpenBSD. There is an issue open on bugs to address whatever incompatibilities remain between LibreSSL and OpenSSL[1]. Perhaps you might want to take a look at that? -- H
Michael _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/hasan.diwan%40gmail.com
-- OpenPGP: http://hasan.d8u.us/gpg.asc Sent from my mobile device Envoyé de mon portable
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/greg%40krypto.org
Should people outside google pay attention to boringssl? The first thing it says on the website is:
"Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability."
On Mon, Mar 14, 2016 at 4:40 PM, Gregory P. Smith greg@krypto.org wrote:
Don't forget BoringSSL.
On Wed, Mar 9, 2016 at 9:30 AM Michael Felt mamfelt@gmail.com wrote:
Can look at it. There has been a lot of discussion, iirc, between OpenSSL and LibreSSL re: version identification. Thx for the reference.
On 08-Mar-16 14:55, Hasan Diwan wrote:
On 8 March 2016 at 00:49, Michael Felt michael@felt.demon.nl wrote:
As a relative newcomer I may have missed a long previous discussion re: linking with OpenSSL and/or LibreSSL. In an ideal world this would be rtl linking, i.e., underlying complexities of *SSL libraries are hidden from applications.
In short, when I saw this http://bugs.python.org/issue26465 Title: Upgrade OpenSSL shipped with python installers, it reminded me I need to start looking at LibreSSL again - and that, if not already done - might be something "secure" for python as well.
According to the libressl website, one of the projects primary goals is to remain "backwards-compatible with OpenSSL", which is to say, to either have code work without changes or to fail gracefully when it uses the deprecated bits. It does seem it ships with OpenBSD. There is an issue open on bugs to address whatever incompatibilities remain between LibreSSL and OpenSSL[1]. Perhaps you might want to take a look at that? -- H
Michael _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/hasan.diwan%40gmail.com
-- OpenPGP: http://hasan.d8u.us/gpg.asc Sent from my mobile device Envoyé de mon portable
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/greg%40krypto.org
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/njs%40pobox.com
On Mon, Mar 14, 2016 at 4:56 PM Nathaniel Smith njs@pobox.com wrote:
Should people outside google pay attention to boringssl? The first thing it says on the website is:
"Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability."
Heh, good point. I guess not. :)
On Mon, Mar 14, 2016 at 4:40 PM, Gregory P. Smith greg@krypto.org wrote:
Don't forget BoringSSL.
On Wed, Mar 9, 2016 at 9:30 AM Michael Felt mamfelt@gmail.com wrote:
Can look at it. There has been a lot of discussion, iirc, between
OpenSSL
and LibreSSL re: version identification. Thx for the reference.
On 08-Mar-16 14:55, Hasan Diwan wrote:
On 8 March 2016 at 00:49, Michael Felt michael@felt.demon.nl wrote:
As a relative newcomer I may have missed a long previous discussion re: linking with OpenSSL and/or LibreSSL. In an ideal world this would be rtl linking, i.e., underlying complexities of *SSL libraries are hidden from applications.
In short, when I saw this http://bugs.python.org/issue26465 Title: Upgrade OpenSSL shipped with python installers, it reminded me I need
to
start looking at LibreSSL again - and that, if not already done -
might be
something "secure" for python as well.
According to the libressl website, one of the projects primary goals is
to
remain "backwards-compatible with OpenSSL", which is to say, to either
have
code work without changes or to fail gracefully when it uses the
deprecated
bits. It does seem it ships with OpenBSD. There is an issue open on
bugs to
address whatever incompatibilities remain between LibreSSL and
OpenSSL[1].
Perhaps you might want to take a look at that? -- H
Michael _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe:
https://mail.python.org/mailman/options/python-dev/hasan.diwan%40gmail.com
-- OpenPGP: http://hasan.d8u.us/gpg.asc Sent from my mobile device Envoyé de mon portable
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/greg%40krypto.org
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/njs%40pobox.com
-- Nathaniel J. Smith -- https://vorpus.org
I have no vested interest in this, other than the continuing work we have done to make Jython compatible with OpenSSL's model, warts and all.
But the fact that BoringSSL cleans up the OpenSSL API ( https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md), at the cost of possible backwards breaking API changes looks reasonable. I suppose there is some risk - perhaps the maintainers will decide that returning 1 should mean OK, but that's not going to happen, is it. The real issue here is that no direct exposure of BoringSSL to other packages. I don't think that happens with CPython. (Ironically it happens with Jython, due to how signed jars poorly interact with shading/Java namespace remapping.)
Maintaining security means dealing with the inevitable churn. Did I mention Jython's support of Python-compatible SSL? I think I did :p
- Jim
On Mon, Mar 14, 2016 at 6:06 PM, Gregory P. Smith greg@krypto.org wrote:
On Mon, Mar 14, 2016 at 4:56 PM Nathaniel Smith njs@pobox.com wrote:
Should people outside google pay attention to boringssl? The first thing it says on the website is:
"Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability."
Heh, good point. I guess not. :)
On Mon, Mar 14, 2016 at 4:40 PM, Gregory P. Smith greg@krypto.org wrote:
Don't forget BoringSSL.
On Wed, Mar 9, 2016 at 9:30 AM Michael Felt mamfelt@gmail.com wrote:
Can look at it. There has been a lot of discussion, iirc, between
OpenSSL
and LibreSSL re: version identification. Thx for the reference.
On 08-Mar-16 14:55, Hasan Diwan wrote:
On 8 March 2016 at 00:49, Michael Felt michael@felt.demon.nl wrote:
As a relative newcomer I may have missed a long previous discussion
re:
linking with OpenSSL and/or LibreSSL. In an ideal world this would be rtl linking, i.e., underlying complexities of *SSL libraries are hidden from applications.
In short, when I saw this http://bugs.python.org/issue26465 Title: Upgrade OpenSSL shipped with python installers, it reminded me I need
to
start looking at LibreSSL again - and that, if not already done -
might be
something "secure" for python as well.
According to the libressl website, one of the projects primary goals
is to
remain "backwards-compatible with OpenSSL", which is to say, to either
have
code work without changes or to fail gracefully when it uses the
deprecated
bits. It does seem it ships with OpenBSD. There is an issue open on
bugs to
address whatever incompatibilities remain between LibreSSL and
OpenSSL[1].
Perhaps you might want to take a look at that? -- H
Michael _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe:
https://mail.python.org/mailman/options/python-dev/hasan.diwan%40gmail.com
-- OpenPGP: http://hasan.d8u.us/gpg.asc Sent from my mobile device Envoyé de mon portable
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/greg%40krypto.org
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/njs%40pobox.com
-- Nathaniel J. Smith -- https://vorpus.org
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/jbaker%40zyasoft.com
On 15 Mar 2016, at 01:08, Jim Baker jim.baker@python.org wrote:
I have no vested interest in this, other than the continuing work we have done to make Jython compatible with OpenSSL's model, warts and all.
But the fact that BoringSSL cleans up the OpenSSL API (https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md), at the cost of possible backwards breaking API changes looks reasonable. I suppose there is some risk - perhaps the maintainers will decide that returning 1 should mean OK, but that's not going to happen, is it. The real issue here is that no direct exposure of BoringSSL to other packages. I don't think that happens with CPython. (Ironically it happens with Jython, due to how signed jars poorly interact with shading/Java namespace remapping.)
Maintaining security means dealing with the inevitable churn. Did I mention Jython's support of Python-compatible SSL? I think I did :p
It is *possible* to support BoringSSL: curl does. However, the BoringSSL developers *really* only target Chromium when they consider the possibility of breakage, so it costs curl quite a bit of development time[0]. curl accepts that cost because it supports every TLS stack under the sun: given that CPython currently supports exactly one, widening it to two is a very big risk indeed.
Cory
[0]: See https://github.com/curl/curl/issues/275, https://github.com/curl/curl/pull/524, https://github.com/curl/curl/pull/640
-
Cory Benfield -
Gregory P. Smith -
Hasan Diwan -
Jim Baker -
Michael Felt -
Michael Felt -
Nathaniel Smith