OpenSSL 1.1.1 fixes merged into Python 2.7
Hi,

I reviewed and merged pull requests written by my colleague Charalampos Stratakis to backport OpenSSL 1.1.1 fixes into the future Python 2.7.16. Benjamin Peterson (Python 2.7 release manager) wrote me: "I would very much like to see 1.1.1 support in a Python 2.7 release."

These changes are backports of Python 3.6 changes written by Christian Heimes. With these changes, Python 2.7 becomes more secure and should be closer to Python 3.6 security.

I apologize for merging these changes late in the 2.7.16 devcycle, but we were very busy with higher priority issues :-( I hope that the 2.7.16 release candidate will provide enough time to test these changes properly (and fix regressions if any). So far, I'm only aware of one issue on one specific buildbot worker, but I'm not sure that the test failures are regressions caused by the merged ssl changes (the worker was offline for 1 month for an unknown reason):

https://bugs.python.org/issue33570

Summary of the ssl changes:

(*) ssl.SSLContext is now created with secure default values. The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only "HIGH" ciphers, no "NULL" ciphers and no "MD5" ciphers (except for PROTOCOL_SSLv2).

(*) OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites cannot be disabled with SSLContext.set_ciphers().

(*) Add a new ssl.OP_ENABLE_MIDDLEBOX_COMPAT constant.

(*) Tools/ssl/multissltests.py has been updated for OpenSSL 1.1.1.

I merged 4 changes into 2.7:

commit c49f63c1761ce03df7850b9e0b31a18c432dac64
Author: stratakis <cstratak@redhat.com>
Date:   Fri Feb 15 14:17:12 2019 +0100

    [2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) (GH-8760) (GH-10607)

    Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 ciphers enabled by default.

    Also update multissltests to test with latest OpenSSL.

    Signed-off-by: Christian Heimes <christian@python.org>.
    (cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)

    Co-authored-by: Christian Heimes <christian@python.org>

commit b8eaec697a2b5d9d2def2950a0aa50e8ffcf1059
Author: stratakis <cstratak@redhat.com>
Date:   Fri Feb 15 15:24:11 2019 +0100

    [2.7] bpo-28043: improved default settings for SSLContext (GH-10608)

    The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).

    (cherry picked from commit 358cfd426ccc0fcd6a7940d306602138e76420ae)

commit 28eb87f4f558952f259fada7be1ab5b31b8a91ef (upstream/2.7, 2.7)
Author: stratakis <cstratak@redhat.com>
Date:   Fri Feb 15 17:18:58 2019 +0100

    Fixup from test_ssl test_default_ecdh_curve (GH-11877)

    Partial backport from cb5b68abdeb1b1d56c581d5b4d647018703d61e3

    Co-authored-by: Christian Heimes <christian@python.org>

commit 2149a9ad7a9d39d7d680ec0fb602042c91057484 (HEAD -> 2.7, upstream/2.7)
Author: stratakis <cstratak@redhat.com>
Date:   Fri Feb 15 18:27:44 2019 +0100

    [2.7] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761) (GH-11876)

    Backport of TLS 1.3 related fixes from 3.7.

    Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by default. Some test cases only apply to TLS 1.2.

    OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS 1.3. The feature is enabled by default for maximum compatibility with broken middle boxes. Users should be able to disable the hack and CPython's test suite needs it to verify default options.

    Signed-off-by: Christian Heimes <christian@python.org>
    (cherry picked from commit 2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826)

And there is a minor multissltests update that's going to be merged as well:
https://github.com/python/cpython/pull/11879

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.
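A quick way to confirm the first two summary points against a running interpreter, as an added example that is not part of Victor's mail or of CPython: it uses the Python 3 ssl module, whose defaults the 2.7.16 backport mirrors, so the option names are the same; the "all bits of the flag present" test and the ECDHE-RSA-AES128-GCM-SHA256 restriction string are my choices, not anything from the post.

```python
import ssl

# Options the post says a fresh SSLContext sets.  OpenSSL 1.1.0+ defines
# OP_NO_SSLv2, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE as 0 (always on),
# so test "all bits of the flag are present", which a 0 flag passes.
EXPECTED_OPTIONS = (
    "OP_NO_COMPRESSION", "OP_CIPHER_SERVER_PREFERENCE",
    "OP_SINGLE_DH_USE", "OP_SINGLE_ECDH_USE",
    "OP_NO_SSLv2", "OP_NO_SSLv3",
)

def missing_default_options(ctx):
    """Names from EXPECTED_OPTIONS that ctx does not have set."""
    missing = []
    for name in EXPECTED_OPTIONS:
        flag = getattr(ssl, name, None)
        if flag is None:  # constant not exposed by this build; skip it
            continue
        if (ctx.options & flag) != flag:
            missing.append(name)
    return missing

def weak_ciphers(ctx):
    """Enabled suites that use NULL encryption or an MD5 MAC."""
    return [c["name"] for c in ctx.get_ciphers()
            if "NULL" in c["name"] or "MD5" in c["name"]]

def tls13_suites_after_set_ciphers(ctx):
    """Restrict the TLS <= 1.2 list to one suite; TLS 1.3 suites survive
    because set_ciphers() does not control them (the post's second point)."""
    ctx.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256")
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] == "TLSv1.3")

def audit_default_context():
    """Run all three checks on a default client context and report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return {
        "missing_options": missing_default_options(ctx),
        "weak_ciphers": weak_ciphers(ctx),
        # Builds without TLS 1.3 have nothing to keep; count that as passing.
        "tls13_survives": (not ssl.HAS_TLSv1_3)
                          or bool(tls13_suites_after_set_ciphers(ctx)),
    }

if __name__ == "__main__":
    for key, value in audit_default_context().items():
        print(key, value)
```

An empty missing_options list and an empty weak_ciphers list are what the backport promises; a non-empty result means the interpreter was built with a cipher string or OpenSSL that overrides those defaults.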