[Distutils] Announcement: TLSv1.2 will become mandatory in the future

Donald Stufft donald at stufft.io
Tue Jan 10 08:24:36 EST 2017

Fastly has announced plans to disable TLSv1.0 and TLSv1.1 on their CDN endpoints
which will include PyPI (as well as other Python properties). You can see their
timeline at https://www.fastly.com/blog/phase-two-our-tls-10-and-11-deprecation-plan.

There are two hard cut off dates to remember:

* April 30, 2017, which is when any Python.org site you see that does *not*
  have an EV certificate that is hosted by Fastly will no longer support
  TLSv1.0 and TLSv1.1 (testpypi.python.org, test.pypi.org,
  files.pythonhosted.org, etc). This will affect Warehouse since that uses
  files.pythonhosted.org to serve files.

* June 30, 2018, which is when any Python.org site you see that has an EV
  certificate that is hosted by Fastly will no longer support TLSv1.0 and
  TLSv1.1 (pypi.python.org, pypi.org, etc).

I am going to see about possibly organizing some scheduled "brown outs" of
TLSv1.0 and TLSv1.1 prior to the cut off dates to try and help folks find places
that will need updates. Any scheduled brownouts will be posted to
status.python.org prior to happening.

Looking at the download numbers, the absolute largest driver of TLSv1.0 and
TLSv1.1 traffic to PyPI are old versions of pip or other clients where I cannot
tell the OS that they are being run on. Past that, macOS is going to be the
largest casualty since their system Python does not support TLSv1.2 yet in any
version of their OS.

If you have a Python and you want to check to see if it supports TLSv1.2 or not,
the easiest way to do that is by running:

    python2 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"


    python3 -c "import urllib.request,json; print(json.loads(urllib.request.urlopen('https://www.howsmyssl.com/a/check').read().decode('utf-8'))['tls_version'])"

If you get something other than TLS 1.2, then I suggest making plans to deal
with the inevitable breakage which may start occurring on or before April 30,

Donald Stufft
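
An offline complement to the one-liners in the message above, added here as an example and not part of the original post: it inspects the interpreter's own `ssl` module instead of relying on a third-party service, then optionally handshakes with `files.pythonhosted.org`. The function names are hypothetical, Python 3 is assumed, and treating TLS 1.3 as passing is an assumption that goes beyond the "TLS 1.2" check in the message.

```python
import re
import socket
import ssl

def local_tls12_support():
    """Offline check: was this interpreter built against a TLSv1.2-capable library?"""
    report = {
        "library": ssl.OPENSSL_VERSION,
        # OpenSSL gained TLSv1.2 in 1.0.1; anything older cannot negotiate it.
        "library_ok": ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1),
        # Absent on Pythons or builds without TLSv1.2 support.
        "has_constant": hasattr(ssl, "PROTOCOL_TLSv1_2"),
    }
    report["supported"] = report["library_ok"] and report["has_constant"]
    return report

def meets_cutoff(version):
    """True if a reported version is TLS 1.2 or newer.

    Accepts both 'TLSv1.2' (ssl module) and 'TLS 1.2' (howsmyssl JSON).
    SSLv3, None and unrecognised strings fail closed.
    """
    m = re.match(r"TLS\s*v?\s*(\d+)(?:\.(\d+))?$", (version or "").strip())
    if not m:
        return False
    return (int(m.group(1)), int(m.group(2) or 0)) >= (1, 2)

def negotiated_version(host, port=443, timeout=10):
    """Handshake with host using the default verified context; return e.g. 'TLSv1.2'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

if __name__ == "__main__":
    info = local_tls12_support()
    print("linked against:", info["library"])
    print("TLSv1.2 capable:", info["supported"])
    if info["supported"]:
        # files.pythonhosted.org is one of the hosts named in the announcement.
        try:
            seen = negotiated_version("files.pythonhosted.org")
            print("negotiated:", seen, "-> ok" if meets_cutoff(seen) else "-> will break")
        except (OSError, ssl.SSLError) as exc:
            print("handshake failed:", exc)
```

The offline part needs no network access, so it can run inside build images or CI jobs where outbound requests to a checking service are blocked.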
