[Twisted-Python] OpenSSL versions
Hello,

Users of Twisted and OpenSSL 1.1 and 1.0.2 cannot connect to all HTTPS sites because Twisted sets its own ECDH curve instead of using the defaults selected by these versions of OpenSSL.

The gory details are here:
https://twistedmatrix.com/trac/ticket/9210
https://github.com/twisted/twisted/pull/927

The solution to this bug favored by an OpenSSL maintainer is to drop support for OpenSSL versions before 1.0.2. I'm also in favor of this because:

- 1.0.2 is the oldest supported version of OpenSSL
- The ECDH curve selection code would be much simpler if we only supported OpenSSL 1.0.2
- cryptography wheels installed from PyPI include OpenSSL 1.1

Do you use the latest version of Twisted with OpenSSL 1.0.1? If so, do the above reasons satisfy your concerns?

Thanks!

--
Mark Williams
mrw@enotuniq.org
On Nov 21, 2017, at 11:56 AM, Mark Williams <mrw@enotuniq.org> wrote:
> Hello,
>
> Users of Twisted and OpenSSL 1.1 and 1.0.2 cannot connect to all HTTPS sites because Twisted sets its own ECDH curve instead of using the defaults selected by these versions of OpenSSL.
>
> The gory details are here:
> https://twistedmatrix.com/trac/ticket/9210
> https://github.com/twisted/twisted/pull/927
>
> The solution to this bug favored by an OpenSSL maintainer is to drop support for OpenSSL versions before 1.0.2. I'm also in favor of this because:
>
> - 1.0.2 is the oldest supported version of OpenSSL
> - The ECDH curve selection code would be much simpler if we only supported OpenSSL 1.0.2
> - cryptography wheels installed from PyPI include OpenSSL 1.1
>
> Do you use the latest version of Twisted with OpenSSL 1.0.1? If so, do the above reasons satisfy your concerns?
>
> Thanks!

I have one question: When I `pip install cryptography` on Linux, do I presently get a self-contained manylinux1 wheel right now with a built-in OpenSSL, or do I need to care what my "distro" (or Docker base image) is shipping?

-glyph
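
One way to check this on a given machine, as an added example that is not part of the original thread or of Twisted's code: Twisted's TLS goes through pyOpenSSL, which uses the OpenSSL that `cryptography` is linked against, and that can differ from the one the standard-library `ssl` module uses. The helper names and the sample banners are assumptions made up for illustration.

```python
import re
import ssl

# Banner shapes handled: "OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.1.0g ...",
# "OpenSSL 3.0.2 ...", "LibreSSL 2.6.3". Letters after the number are patch levels.
_BANNER_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# The floor proposed in the thread: OpenSSL 1.0.2.
PROPOSED_FLOOR = (1, 0, 2)


def parse_openssl_version(banner):
    """Return (library, (major, minor, fix), patch_letters) for a version banner."""
    match = _BANNER_RE.match(banner.strip())
    if match is None:
        raise ValueError("unrecognised version banner: %r" % (banner,))
    library, major, minor, fix, letters = match.groups()
    return library, (int(major), int(minor), int(fix)), letters


def meets_proposed_floor(banner):
    """True/False for OpenSSL; None for LibreSSL, whose numbering is not comparable."""
    library, version, _letters = parse_openssl_version(banner)
    if library != "OpenSSL":
        return None
    return version >= PROPOSED_FLOOR


def linked_versions():
    """Banners for the stdlib ssl module and, if installed, cryptography's backend."""
    found = {"ssl (stdlib)": ssl.OPENSSL_VERSION}
    try:
        # This is the library pyOpenSSL (and therefore Twisted) actually uses.
        from cryptography.hazmat.backends.openssl.backend import backend
        found["cryptography"] = backend.openssl_version_text()
    except ImportError:
        pass  # cryptography is not installed in this environment
    return found


if __name__ == "__main__":
    for name, banner in linked_versions().items():
        print("%-14s %-40s floor met: %s" % (name, banner, meets_proposed_floor(banner)))
```

If the two banners differ, `cryptography` is using its own bundled OpenSSL rather than the distro's.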

participants (2): Glyph, Mark Williams