[Distutils] Announcement: TLSv1.2 will become mandatory in the future

Ned Deily nad at python.org
Tue Jan 10 15:47:48 EST 2017


On Jan 10, 2017, at 15:07, Ronald Oussoren <ronaldoussoren at mac.com> wrote:
>> On 10 Jan 2017, at 21:02, Donald Stufft <donald at stufft.io> wrote:
>>> On Jan 10, 2017, at 3:01 PM, Ronald Oussoren <ronaldoussoren at mac.com> wrote:
>>>> On 10 Jan 2017, at 14:24, Donald Stufft <donald at stufft.io> wrote:
>>>> […] Past that, macOS is going to be the
>>>> largest casualty since their system Python does not support TLSv1.2 yet in any
>>>> version of their OS.
>>> Not just the system Python on OSX, this also affects all Python.org installers for OSX except 3.6. The 3.6 installer is the first one that doesn’t use the system installation of OpenSSL.

That's not quite accurate.  The 32-bit-only macOS python.org installers for recent 2.7.x and 3.x releases are also linked with a private current set of OpenSSL libraries.  For 3.6, we no longer supply the 32-bit-only installer and the 64-bit/32-bit installer is now linked with the private OpenSSL as you note.

>>> Annoyingly with OpenSSL on OSX you have two options: either use an up-to-date release or have OpenSSL use the system CA trust store, but not both.  Sigh…

It would be nice if someone would do the work to figure out whether it is feasible to use Apple's own Crypto and TLS APIs as apparently libcurl does.

>>> I have no idea how many users use the Python.org installers on OSX, but this has the potential to affect a largish number of users on OSX including newbies (but far from all users on OSX, there’s also a sizeable population using Homebrew or Anaconda).

And MacPorts.  I don't know about Anaconda but the other two already use their own private versions of OpenSSL AFAIK.

--
  Ned Deily
  nad at python.org
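
Added example, not part of the message above or of any installer: since the thread turns on which OpenSSL a given Python build is linked with, this sketch reports the linked library for the running interpreter and whether it can offer TLSv1.2. The function names and the sample version strings in the usage are constructed for illustration; the 1.0.1 threshold is the OpenSSL release that introduced TLSv1.2.

```python
import re
import ssl

# TLS 1.2 first appeared in OpenSSL 1.0.1. Every LibreSSL release has it,
# because LibreSSL was forked from OpenSSL 1.0.1g.
MIN_OPENSSL = (1, 0, 1)


def parse_library_version(text):
    """Split e.g. 'OpenSSL 0.9.8zh 14 Jan 2016' into ('OpenSSL', (0, 9, 8))."""
    m = re.match(r"\s*(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised TLS library string: %r" % text)
    return m.group(1), tuple(int(g) for g in m.group(2, 3, 4))


def library_supports_tls12(text):
    """True if the library named in a version string implements TLSv1.2."""
    name, version = parse_library_version(text)
    if name == "LibreSSL":
        return True
    # The letter suffix (e.g. 'zh') is a patch level and does not matter here.
    return version >= MIN_OPENSSL


def runtime_report():
    """Describe the TLS library this interpreter is actually linked with."""
    linked = ssl.OPENSSL_VERSION
    return {
        "linked_library": linked,
        "library_supports_tls12": library_supports_tls12(linked),
        # The ssl module only defines this constant when it was built
        # against a library that offers TLS 1.2.
        "ssl_module_exposes_tls12": hasattr(ssl, "PROTOCOL_TLSv1_2"),
    }


if __name__ == "__main__":
    for key, value in sorted(runtime_report().items()):
        print("%s: %s" % (key, value))
```

Running it with each interpreter on a machine (system Python, a python.org build, Homebrew, MacPorts) shows per build whether it is linked with a private OpenSSL or with the system one.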


