[Cryptography-dev] [Proposal] Deprecating and removing support for OpenSSL 0.9.8

Alex Gaynor alex.gaynor at gmail.com
Fri Jan 22 17:21:15 EST 2016


Uhhh, sorry, which includes OpenSSL *1.0.2*.

Alex

On Fri, Jan 22, 2016 at 5:21 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:

> On OS X and Windows we distribute a Cryptography wheel which includes
> OpenSSL 0.9.8.
>
> Alex
>
> On Fri, Jan 22, 2016 at 5:19 PM, Ron Frederick <ronf at timeheart.net> wrote:
>
>> What impact will this have on MacOS systems? Even the latest MacOS El
>> Capitan (10.11.3) is still back on OpenSSL 0.9.8zg from 14 July 2015 for
>> the /usr/bin/openssl binary. They ship with a version of libressl for use
>> by OpenSSH (OpenSSH_6.9p1, LibreSSL 2.1.8), but I don’t know if that
>> library is available for other applications or libraries to use.
>>
>> On Jan 22, 2016, at 1:58 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
>>
>> Hi all,
>>
>> I'd like to propose we deprecate support for OpenSSL 0.9.8 in our next
>> release, and remove support in the release after (we already emit warnings
>> in our current release, so this is consistent with our schedule).
>>
>> Rationale: OpenSSL 0.9.8 is old, does not support modern web security
>> (e.g. no TLS 1.2), and supporting it adds complexity, in the form of
>> hundreds of additional lines of code and configuration options.
>>
>> Supporting data: As of pip 8 (released this week, already used for
>> something like 1/3 of PyPI downloads), the user agent of pip includes the
>> system's OpenSSL version. Looking at the data (excluding Windows and OS X,
>> since on those platforms we include OpenSSL 1.0.2 in our wheels). The
>> overall distribution is:
>>
>>
>>
>> Indicating that OpenSSL 0.9.8 on Linux represents less than 1% of all
>> installations.
>>
>> Looking at per-package data, here are the percent of downloads using
>> OpenSSL 0.9.8 for some relevant packages:
>>
>> - unidecode: 7.6% (This is the package with the highest percent of 0.9.8
>> users)
>> - rsa: 3.3%
>> - pyasn1: 2.2%
>> - requests: 1.6%
>> - pycrypto: 0.8%
>> - pip: 0.6%
>> - pyopenssl: 0.4%
>> - letsencrypt-apache: 0.3%
>> - cryptography: 0.3%
>>
>>
>> I think these numbers are low enough that we can safely drop OpenSSL
>> 0.9.8 support.
>>
>> Platforms specifically known to be affected:
>> - RHEL/CentOS 5 and older
>> - Debian Squeeze (based on OpenSSL version, this is where most of the
>> affected users will be).
>>
>>
>> Thoughts? Will you be affected by this?
>> Alex
>>
>> --
>> "I disapprove of what you say, but I will defend to the death your right
>> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law." -- Cicero
>> GPG Key fingerprint: 125F 5C67 DFE9 4084
>>
>> --
>> Ron Frederick
>> ronf at timeheart.net
>>
>>
>>
>>
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev at python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>
>>
>
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
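The measurement behind the proposal quoted above, as an added example that is not code from the cryptography project or from the post's author. It assumes the pip >= 8 user-agent layout `pip/<version> {json}` with an `openssl_version` string and a `system.name` taken from `platform.system()`, runs over constructed download-log rows, and computes the per-package share of downloads whose system OpenSSL is still 0.9.8, skipping Windows and OS X rows as the post does.

```python
import json
import re
from collections import Counter

# pip >= 8 sends  pip/<version> {<json>}  where the JSON carries an
# "openssl_version" string such as "OpenSSL 0.9.8zg 14 Jul 2015" and a
# "system": {"name": ...} entry taken from platform.system() (assumed layout).
UA_RE = re.compile(r"^pip/\S+ (\{.*\})$")
OPENSSL_RE = re.compile(r"^OpenSSL (\d+\.\d+\.\d+)")

# Windows and OS X wheels bundle OpenSSL 1.0.2, so those rows say nothing
# about the system library and are skipped, as in the post.
BUNDLED_SYSTEMS = ("Windows", "Darwin")

# Constructed sample download-log rows (package, user agent), not real data.
SAMPLE_ROWS = [
    ("rsa", 'pip/8.0.2 {"openssl_version": "OpenSSL 0.9.8zg 14 Jul 2015", "system": {"name": "Linux"}}'),
    ("rsa", 'pip/8.0.2 {"openssl_version": "OpenSSL 1.0.1e-fips 11 Feb 2013", "system": {"name": "Linux"}}'),
    ("rsa", 'pip/8.0.2 {"openssl_version": "OpenSSL 1.0.2e 3 Dec 2015", "system": {"name": "Linux"}}'),
    ("rsa", 'pip/8.0.2 {"openssl_version": "OpenSSL 0.9.8zg 14 Jul 2015", "system": {"name": "Darwin"}}'),
    ("cryptography", "pip/7.1.2 CPython/2.7.10 Linux/3.13.0"),
    ("cryptography", 'pip/8.0.2 {"openssl_version": "OpenSSL 1.0.1f 6 Jan 2014", "system": {"name": "Linux"}}'),
]


def parse_pip_ua(user_agent):
    """Return (OpenSSL x.y.z, system name); None for fields that are absent."""
    m = UA_RE.match(user_agent)
    if not m:
        return None, None  # pip < 8 or another client: no JSON payload
    try:
        info = json.loads(m.group(1))
    except ValueError:
        return None, None
    v = OPENSSL_RE.match(info.get("openssl_version") or "")
    return (v.group(1) if v else None), (info.get("system") or {}).get("name")


def share_on_openssl(rows, version="0.9.8"):
    """Per-package percent of downloads whose system OpenSSL is `version`."""
    # Rows without version data or from bundled-OpenSSL platforms don't count.
    total, hit = Counter(), Counter()
    for package, ua in rows:
        v, system = parse_pip_ua(ua)
        if v is None or system in BUNDLED_SYSTEMS:
            continue
        total[package] += 1
        hit[package] += int(v == version)
    return {p: round(100.0 * hit[p] / total[p], 1) for p in total}
```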