[Python-Dev] Supported versions of OpenSSL

Christian Heimes christian at python.org
Mon Aug 29 01:42:05 EDT 2016


On 2016-08-29 04:38, Ned Deily wrote:
> On Aug 28, 2016, at 19:06, Benjamin Peterson <benjamin at python.org> wrote:
>> On Sun, Aug 28, 2016, at 13:40, Christian Heimes wrote:
>>> Here is the deal for 2.7 to 3.5:
>>>
>>> 1) All versions older than 0.9.8 are completely out-of-scope and no
>>> longer supported.
>> +1
>>> 2) 0.9.8 is semi-supported. Python will still compile and work with 0.9.8.
>>> However we do NOT promise that it is secure to run 0.9.8. We also require a
>>> recent version. Patch level 0.9.8zc from October 2014 is reasonable
>>> because it comes with SCSV fallback (CVE-2014-3566).
>> I think we should support 0.9.8 for 2.7 and drop it for 3.6.
> 
> Sounds good to me, too.  I think we should also not change things for 3.5.x at this point, e.g. continue to support 0.9.8 there.


In my proto-PEP I'm talking about different levels of support: full,
build-only and unsupported. Full support means that the combination of
Python and OpenSSL versions is reasonably secure and recommended.

On the other hand build-only support doesn't come with any security
promise. The ssl and hashlib modules are source compatible with OpenSSL
0.9.8. You can still compile Python and do https connections, but they might
not be secure. It's "warranty void" mode.

>>> 3) 1.0.0 is irrelevant. Users are either stuck on 0.9.8 or are able to
>>> upgrade to 1.0.1+. Let's not support it.
>>>
>>> 4) 1.0.1 is discouraged but still supported until its EOL.
>>>
>>> 5) 1.0.2 is the recommended version.
>>>
>>> 6) 1.1 support will be added by #26470 soon.
> 
> [...]
> 
>>> For upcoming 3.6 I would like to limit support to 1.0.2+ and require
>>> 1.0.2 features for 3.7.
> 
> It's not clear to me what you are proposing as the differences between 3.6 ("limit support to 1.0.2+") and 3.7 ("require 1.0.2 features").  Could you elaborate?

For 3.6 I don't require any 1.0.2 feature yet. The 1.1.0 patch keeps the
code compatible with 0.9.8zc to 1.1.0. But as soon as I use new
features, the ssl module will no longer be source and build compatible
with < 1.0.2. There is also the point of OpenSSL 1.0.1. It reaches
end of life by the end of this year. 1.0.2 will be supported until 2019.

I'm tempted to require 1.0.2 for Python 3.6 but it's technically not
necessary yet.

#include <openssl/opensslv.h>   /* defines OPENSSL_VERSION_NUMBER, layout 0xMNNFFPPS */

/* 1.0.2 (dev) is 0x10002000L; 1.0.2 release is 0x1000200fL.  Anything
 * below 0x10002000L is 1.0.1 or older and fails the build. */
#if OPENSSL_VERSION_NUMBER < 0x10002000L
#  error "OpenSSL 1.0.2+ required"
#endif


> 
>>> What is the status of Python.org's OSX builds?
>>> Is it possible to drop 0.9.8?
> 
> I think we can safely drop 0.9.8 support in 3.6.  If anyone is aware of any supported platform where this would cause a problem, please speak up now.
> 
> With regard to OS X (or macOS, as the upcoming next major release is called), the 3.6.0 python.org OS X installer will supply a private copy of OpenSSL 1.0.2+.  Most other third-party distributors of Python on OS X already do not use the Apple-supplied deprecated system OpenSSL libs.  As of the current OS X 10.11 El Capitan, Apple no longer supplies the header files for OpenSSL in either the Xcode macosx SDK or in the optional Command Line Tools /usr/include headers so, if you want to build Python on OS X, you now need to use a non-system copy of OpenSSL anyway (the devguide explains how to build with OpenSSL libs from either Homebrew or MacPorts).  The shared libs are still supplied for the benefit of applications built on older releases and for the Apple-supplied system Pythons (2.6.x and 2.7.x, still no 3.x).

I'm glad to hear that. Thanks :)

Christian
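
As an added example (not part of the thread above and not CPython's own code): a small Python helper that classifies the OpenSSL an interpreter links against into the tiers Christian lists for 2.7 to 3.5 (unsupported, build-only, full, recommended). It works from either the `ssl.OPENSSL_VERSION` string or the `ssl.OPENSSL_VERSION_INFO` tuple, and encodes the 0.9.8zc floor by converting the numeric patch field to OpenSSL's letter suffix. The tier names, function names, the 1.1-as-full reading of point 6, and the sample version strings are my assumptions, not something the thread defines.

```python
import re
import ssl

# Tier labels are my own naming for the levels discussed in the thread
# (assumption: the proto-PEP's "full" tier is split here into "full" and
# "recommended" to mirror points 4 and 5).
UNSUPPORTED, BUILD_ONLY, FULL, RECOMMENDED = (
    "unsupported", "build-only", "full", "recommended")

# Matches the start of ssl.OPENSSL_VERSION, e.g. "OpenSSL 1.0.2h  3 May 2016".
_VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(version_string):
    """Return (major, minor, fix, patch_letters) from an OpenSSL version
    string, or None for strings this policy does not cover (e.g. LibreSSL)."""
    m = _VERSION_RE.match(version_string)
    if m is None:
        return None
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters


def patch_letters(patch_number):
    """Convert the numeric patch field of ssl.OPENSSL_VERSION_INFO to the
    letter suffix OpenSSL uses: 0 -> '', 1 -> 'a', 26 -> 'z', 27 -> 'za',
    29 -> 'zc' (after 'z' the suffix continues as 'za', 'zb', ...)."""
    if patch_number == 0:
        return ""
    if patch_number <= 26:
        return chr(ord("a") + patch_number - 1)
    return "z" + chr(ord("a") + patch_number - 27)


def support_tier(major, minor, fix, letters):
    """Classify one OpenSSL release according to the 2.7-3.5 tiers."""
    version = (major, minor, fix)
    if version < (0, 9, 8):
        return UNSUPPORTED             # 1) older than 0.9.8
    if version == (0, 9, 8):
        # 2) build-only, and only from 0.9.8zc (TLS_FALLBACK_SCSV) onward.
        # The suffixes '', 'a'..'z', 'za', 'zb', ... sort correctly as
        # plain strings, so a string comparison is enough.
        return BUILD_ONLY if letters >= "zc" else UNSUPPORTED
    if (major, minor) == (1, 0):
        if fix == 0:
            return UNSUPPORTED         # 3) 1.0.0 is not supported
        if fix == 1:
            return FULL                # 4) supported until EOL, discouraged
        return RECOMMENDED             # 5) 1.0.2
    # 6) 1.1 support via #26470; anything newer is outside the thread's
    # scope and is treated as "full" here (assumption).
    return FULL


def tier_of_string(version_string):
    """Tier for an ssl.OPENSSL_VERSION-style string; None if not OpenSSL."""
    parsed = parse_version(version_string)
    if parsed is None:
        return None
    return support_tier(*parsed)


def tier_of_info(info):
    """Tier for an ssl.OPENSSL_VERSION_INFO tuple
    (major, minor, fix, patch, status)."""
    major, minor, fix, patch, _status = info
    return support_tier(major, minor, fix, patch_letters(patch))


if __name__ == "__main__":
    # Report the tier of the OpenSSL this interpreter was built against.
    print(ssl.OPENSSL_VERSION, "->", tier_of_info(ssl.OPENSSL_VERSION_INFO))
    # Constructed sample strings in ssl.OPENSSL_VERSION format, for illustration.
    for sample in ("OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 0.9.8zc 15 Oct 2014",
                   "OpenSSL 1.0.0t 3 Dec 2015", "OpenSSL 1.0.1t  3 May 2016",
                   "OpenSSL 1.0.2h  3 May 2016", "OpenSSL 1.1.0  25 Aug 2016"):
        print(sample, "->", tier_of_string(sample))
```

Running it under a given interpreter prints the tier of the OpenSSL that interpreter actually loaded, which is the question behind the "build-only" versus "full" distinction: a Python that compiled fine may still be linked against a library the thread classifies as warranty-void.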


More information about the Python-Dev mailing list