[Cryptography-dev] [Proposal] Deprecating and removing support for OpenSSL 0.9.8

Paul Kehrer paul.l.kehrer at gmail.com
Fri Jan 22 17:27:07 EST 2016


We assume nobody has it installed, which is why the wheel statically links it. It, unfortunately, shifts the upgrade burden to "remember to upgrade your python package", but there's no way around that.

On January 22, 2016 at 4:25:46 PM, Ron Frederick (ronf at timeheart.net) wrote:

Gotcha, thanks.

On my OS X system, I have 1.0.2e installed from MacPorts, but I imagine many Mac users don’t.

On Jan 22, 2016, at 2:21 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
Uhhh, sorry, which includes OpenSSL *1.0.2*.

Alex

On Fri, Jan 22, 2016 at 5:21 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
On OS X and Windows we distribute a Cryptography wheel which includes OpenSSL 0.9.8.

Alex

On Fri, Jan 22, 2016 at 5:19 PM, Ron Frederick <ronf at timeheart.net> wrote:
What impact will this have on MacOS systems? Even the latest MacOS El Capitan (10.11.3) is still back on OpenSSL 0.9.8zg from 14 July 2015 for the /usr/bin/openssl binary. They ship with a version of libressl for use by OpenSSH (OpenSSH_6.9p1, LibreSSL 2.1.8), but I don’t know if that library is available for other applications or libraries to use.

On Jan 22, 2016, at 1:58 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
Hi all,

I'd like to propose we deprecate support for OpenSSL 0.9.8 in our next release, and remove support in the release after (we already emit warnings in our current release, so this is consistent with our schedule).

Rationale: OpenSSL 0.9.8 is old, does not support modern web security (e.g. no TLS 1.2), and supporting it adds complexity, in the form of hundreds of additional lines of code and configuration options.

Supporting data: As of pip 8 (released this week, already used for something like 1/3 of PyPI downloads), the user agent of pip includes the system's OpenSSL version. Looking at the data (excluding Windows and OS X, since on those platforms we include OpenSSL 1.0.2 in our wheels), the overall distribution is:



Indicating that OpenSSL 0.9.8 on Linux represents less than 1% of all installations.

Looking at per-package data, here are the percent of downloads using OpenSSL 0.9.8 for some relevant packages:

- unidecode: 7.6% (This is the package with the highest percent of 0.9.8 users)
- rsa: 3.3%
- pyasn1: 2.2%
- requests: 1.6%
- pycrypto: 0.8%
- pip: 0.6%
- pyopenssl: 0.4%
- letsencrypt-apache: 0.3%
- cryptography: 0.3%


I think these numbers are low enough that we can safely drop OpenSSL 0.9.8 support.

Platforms specifically known to be affected:
- RHEL/CentOS 5 and older
- Debian Squeeze (based on OpenSSL version, this is where most of the affected users will be).


Thoughts? Will you be affected by this?
Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
-- 
Ron Frederick
ronf at timeheart.net


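An added example, not code from the thread or from pip: it computes the overall and per-package share of downloads on OpenSSL 0.9.8 the way Alex describes, from constructed download-log lines. It assumes the pip 8 user agent has the form `pip/<version> <json>` with `system.name` and `openssl_version` keys, skips Windows and OS X downloads, and ignores older pips whose user agent carries no OpenSSL version.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample log: (package, user_agent). The JSON layout is an
# assumption about pip 8's user agent, not a verbatim capture.
SAMPLE_LOG = [
    ("requests", 'pip/8.0.0 {"system": {"name": "Linux"}, "openssl_version": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"}'),
    ("requests", 'pip/8.0.0 {"system": {"name": "Linux"}, "openssl_version": "OpenSSL 1.0.1e-fips 11 Feb 2013"}'),
    ("requests", 'pip/8.0.0 {"system": {"name": "Linux"}, "openssl_version": "OpenSSL 1.0.2e 3 Dec 2015"}'),
    ("requests", 'pip/8.0.0 {"system": {"name": "Linux"}, "openssl_version": "OpenSSL 1.0.1f 6 Jan 2014"}'),
    ("cryptography", 'pip/8.0.0 {"system": {"name": "Darwin"}, "openssl_version": "OpenSSL 1.0.2e 3 Dec 2015"}'),
    ("cryptography", 'pip/8.0.0 {"system": {"name": "Windows"}, "openssl_version": "OpenSSL 1.0.2e 3 Dec 2015"}'),
    ("cryptography", 'pip/8.0.0 {"system": {"name": "Linux"}, "openssl_version": "OpenSSL 1.0.1e-fips 11 Feb 2013"}'),
    ("cryptography", "pip/7.1.2 CPython/2.7.10 Darwin/15.2.0"),  # pre-8 pip: no OpenSSL info
]

UA_RE = re.compile(r"^pip/(\S+) (\{.*\})$")


def parse_user_agent(ua):
    """Return (pip_version, info_dict) for a pip 8 style UA, else None."""
    m = UA_RE.match(ua)
    if not m:
        return None
    try:
        return m.group(1), json.loads(m.group(2))
    except ValueError:
        return None


def openssl_series(version_string):
    """'OpenSSL 0.9.8zg 14 Jul 2015' -> '0.9.8'; patch letters are dropped."""
    m = re.match(r"OpenSSL (\d+\.\d+\.\d+)", version_string or "")
    return m.group(1) if m else "unknown"


def summarize(log, excluded_systems=("Windows", "Darwin")):
    """Count OpenSSL series overall and per package, skipping excluded OSes."""
    overall, per_package = Counter(), defaultdict(Counter)
    for package, ua in log:
        parsed = parse_user_agent(ua)
        if parsed is None:
            continue  # older pip, OpenSSL version unknown
        _, info = parsed
        if info.get("system", {}).get("name") in excluded_systems:
            continue  # wheel ships its own OpenSSL there
        series = openssl_series(info.get("openssl_version"))
        overall[series] += 1
        per_package[package][series] += 1
    return overall, per_package


def percent_on(series, counter):
    """Percentage of downloads in `counter` that used the given series."""
    total = sum(counter.values())
    return 100.0 * counter[series] / total if total else 0.0
```

On the sample data, requests comes out at 25% on 0.9.8 and cryptography at 0%, with the Darwin, Windows and pip 7 lines left out of both totals.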

_______________________________________________  
Cryptography-dev mailing list  
Cryptography-dev at python.org  
https://mail.python.org/mailman/listinfo/cryptography-dev  