[Python-Dev] Supported versions of OpenSSL

Christian Heimes christian at python.org
Wed Aug 31 04:50:19 EDT 2016


On 2016-08-31 10:31, M.-A. Lemburg wrote:
> In all this discussion I have yet to find a compelling security
> relevant argument for using an 1.0.2 API which is so important
> that we cannot make this optional at runtime.
> 
> The only argument Christian reported was this one:
> 
> """
>> BTW: Are there any features in 1.0.2 that we need and would warrant
>> dropping support for 1.0.1 earlier than Ubuntu 14.04 LTS ?
> 
> Yes, there are features I want to use, e.g. proper hostname
> verification. Python's post-handshake verification is a hack and leads
> to information disclosure.
> """
> 
> Regarding that argument: hostname validation can be done
> in 1.0.1 by providing a verification hook handler. That's
> intended and by design, not a hack. 1.0.2 comes with
> support for hostname validation making this a little easier
> (you still have to set this up, though).

Are you willing to implement and maintain this callback? Are you
willing to do all the work?

Are you aware how many security bugs we had in our own verification
code? I'm aware of at least two critical bugs.

Christian
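The exchange above turns on where hostname verification happens: in a Python-side matcher run after the handshake, or inside OpenSSL during the handshake. The block below is an added example, not code from this thread and not CPython's own matcher. It shows the rules such a matcher has to get right (SAN before CN, wildcards confined to one left-most label, IP literals matched only against IP entries, case folding) against constructed certificate dicts in the `getpeercert()` layout, and beside it the client context that hands the check to OpenSSL instead; since CPython 3.7 `check_hostname=True` does exactly that, and the `ssl.match_hostname` function is no longer used for connections. The names `match_hostname`, `_dnsname_match`, `is_valid_for` and `make_client_context` and the sample certificates are assumptions of this example.

```python
import ipaddress
import ssl


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a certificate against a hostname.

    Simplified RFC 6125 rules: case-insensitive comparison; a wildcard is
    allowed only as the entire left-most label ("*.example.org"); it matches
    exactly one non-empty label; and at least two labels must follow it,
    so "*.org", "*" and "f*o.example.org" are all rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or rest.count(".") < 1:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise ssl.CertificateError unless *cert* (SSLSocket.getpeercert()
    layout) is valid for *hostname*.

    An IP literal is checked only against 'IP Address' SAN entries; a DNS
    name only against 'DNS' SAN entries; the subject commonName is consulted
    only when the certificate carries no subjectAltName at all.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    san = cert.get("subjectAltName", ())
    dnsnames = [value for kind, value in san if kind == "DNS"]
    ipnames = [value for kind, value in san if kind == "IP Address"]

    if ip is not None:
        for value in ipnames:
            try:
                if ipaddress.ip_address(value) == ip:
                    return
            except ValueError:
                continue  # malformed SAN entry: never a match
        raise ssl.CertificateError(f"IP {hostname!r} not in certificate")

    if not dnsnames and not ipnames:
        # Legacy fallback: no SAN extension, so use the commonName.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dnsnames.append(value)

    if any(_dnsname_match(name, hostname) for name in dnsnames):
        return
    raise ssl.CertificateError(f"hostname {hostname!r} doesn't match {dnsnames}")


def is_valid_for(cert: dict, hostname: str) -> bool:
    """Boolean wrapper around match_hostname for tests and reports."""
    try:
        match_hostname(cert, hostname)
    except ssl.CertificateError:
        return False
    return True


def make_client_context() -> ssl.SSLContext:
    """Client context that lets OpenSSL check the hostname during the handshake.

    With check_hostname=True CPython (3.7+) passes the expected name to OpenSSL,
    so a mismatch aborts the handshake instead of being detected afterwards.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True  # default already; spelled out on purpose
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample certificates (not real), in getpeercert() layout.
CERT_SAN = {
    "subject": ((("commonName", "bogus.example.net"),),),
    "subjectAltName": (
        ("DNS", "www.example.org"),
        ("DNS", "*.api.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.org"),),)}
CERT_WILDCARD_TLD = {"subjectAltName": (("DNS", "*.org"),)}

if __name__ == "__main__":
    for cert, name in [
        (CERT_SAN, "www.example.org"), (CERT_SAN, "bogus.example.net"),
        (CERT_SAN, "v1.api.example.org"), (CERT_SAN, "a.b.api.example.org"),
        (CERT_SAN, "192.0.2.10"), (CERT_CN_ONLY, "legacy.example.org"),
        (CERT_WILDCARD_TLD, "example.org"),
    ]:
        print(f"{name:>24}: {'valid' if is_valid_for(cert, name) else 'REJECTED'}")
```

Every one of these rules is a place a hand-written matcher can go wrong, which is the practical reason for preferring the OpenSSL-side check that `make_client_context()` enables.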

