[Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

Christian Heimes christian at python.org
Sat Jan 13 07:54:33 EST 2018


Hi,

I'm still working on an ssl module PEP for 3.7 [1], but it's probably not
going to be finished before the beta 1 deadline. I have a bunch of fixes and
improvements for the ssl module in the queue; most of them require OpenSSL
1.0.2 features. The features are also present and working properly since
LibreSSL 2.5.3.


If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land a
bunch of useful goodies like proper hostname verification [2], a proper
fix for IP addresses in the SNI TLS header [3], PEP 543 compatible Certificate
and PrivateKey types (supporting loading certs and keys from file and
memory) [4], and simplified cipher suite configuration [5]. I can
finally clean up _ssl.c during the beta phase, too.


OpenSSL 1.0.1 has been out of support since December 2016, and 0.9.8 since 2015.
These versions haven't received any security updates for more than a year!

All major Linux and BSD distributions have at least 1.0.2 [6]. The only
relevant exception is Ubuntu 14.04 LTS, because Travis CI is running
14.04. PR 3562 [7] contains a PoC to compile a custom build of OpenSSL
on Travis. Builds are cached.

Regards,
Christian

[1] https://github.com/tiran/peps/blob/sslmodule37/pep-9999.txt
[2] https://bugs.python.org/issue31399
[3] https://bugs.python.org/issue32185
[4] https://bugs.python.org/issue18369
[5] https://bugs.python.org/issue31429
[6] https://gist.github.com/tiran/c5409bbd60a5f082f654d967add8cc79
[7] https://github.com/python/cpython/pull/3462
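An added example, not Christian's code and not part of CPython, for checking whether an interpreter's linked TLS library clears the floor proposed in the mail (OpenSSL >= 1.0.2, LibreSSL >= 2.5.3) and whether its default context verifies hostnames. The version-string parser and helper names are my own assumptions; the hostname_checks_common_name attribute only exists on Python 3.7 and later.

```python
import re
import ssl

# Floors proposed in the python-dev mail above.
MIN_OPENSSL = (1, 0, 2)
MIN_LIBRESSL = (2, 5, 3)

# Matches strings such as "OpenSSL 1.0.2k  26 Jan 2017" or "LibreSSL 2.5.3".
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (library, (major, minor, fix)) from an ssl.OPENSSL_VERSION string.

    ssl.OPENSSL_VERSION_INFO is deliberately not used: LibreSSL reports a fixed
    (2, 0, 0, 0, 0) tuple there, which cannot be compared against 2.5.3.
    """
    match = _VERSION_RE.match(version_string)
    if not match:
        raise ValueError("unrecognised TLS library version: %r" % version_string)
    return match.group(1), tuple(int(x) for x in match.group(2, 3, 4))


def meets_minimum(version_string):
    """True if the library named in version_string satisfies the proposed floor."""
    library, version = parse_version(version_string)
    floor = MIN_LIBRESSL if library == "LibreSSL" else MIN_OPENSSL
    return version >= floor


def runtime_report():
    """Describe this interpreter's own ssl build: version gate plus the
    hostname-verification settings a caller should rely on."""
    ctx = ssl.create_default_context()
    return {
        "version": ssl.OPENSSL_VERSION,
        "meets_minimum": meets_minimum(ssl.OPENSSL_VERSION),
        "has_sni": ssl.HAS_SNI,
        # The default context must verify both the chain and the hostname.
        "verifies_hostname": bool(ctx.check_hostname)
        and ctx.verify_mode == ssl.CERT_REQUIRED,
        # Added in 3.7 alongside OpenSSL-side hostname verification (assumption:
        # absent on older interpreters, so probe with hasattr).
        "has_hostname_checks_common_name": hasattr(ctx, "hostname_checks_common_name"),
    }


if __name__ == "__main__":
    for key, value in runtime_report().items():
        print("%-32s %s" % (key, value))
```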
