[Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3

Steve Dower steve.dower at python.org
Tue Jan 16 16:44:59 EST 2018


Honestly, I’d rather plug into the WinHTTP API and just not even bother with sockets :)

Certificate validation is about the only thing broken in OpenSSL on Windows (as far as not working well with system config), and it’s relatively easy to replace with a couple of API calls. Now that we don’t statically link OpenSSL anymore, it can be done easily with ctypes, so I’ll probably put out a package for it sometime soon.

Top-posted from my Windows phone

From: Christian Heimes
Sent: Tuesday, January 16, 2018 22:52
To: python-dev at python.org
Subject: Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3

On 2018-01-16 12:28, Wes Turner wrote:
> 
> 
> On Tuesday, January 16, 2018, Steve Dower <steve.dower at python.org> wrote:
> 
>     From my perspective, we can’t keep an OpenSSL-like API and use
>     Windows platform libraries (we *could* do a requests-like API easily
>     enough, but even urllib3 is painfully low-level).
> 
> Support for Windows SChannel and Apple SecureTransport is part of the
> TLS module.
> 
> IDK how far along that work is (whether it'll be ready for 3.7 beta 1)?
> Or where those volunteering to help with the TLS module can send PRs?

You are misunderstanding the goal of PEP 543. It's not about providing
implementations of various backends. The PEP merely defines a minimal
abstraction layer. Neither the PEP nor the API are finalized or complete
yet, too. Some parts of the PEP must be changed before it can be
finalized. Cory and I are discussing the matter.

Python 3.7's ssl module won't be compatible with PEP 543. For 3.8 it
*might* be possible to provide a 543 compatible implementation on top of
the ssl module.

I will not work on SChannel or SecureTransport, since I have neither
expertise, knowledge, interest or resources to work on other
implementations. AFAIK Steve would rather plug in Windows' cert
validation API into OpenSSL than to provide another TLS implementation.
For Apple ... no clue. How about you contact Apple support?

Regards,
Christian
