[Python-Dev] OpenSSL 1.1.1 update for 3.7/3.8

[Christian Heimes]

Hi,

today's OpenSSL release of 1.0.2r and 1.1.1b reminded me of OpenSSL's
release strategy [1]. OpenSSL 1.0.2 will reach EOL on 2019-12-31, 1.1.0
will reach EOL on 2019-09-11 (one year after release of OpenSSL 1.1.1).

First the good news: There is no need to take any action for 2.7 to 3.6.
As of today, Python 2.7, 3.5, and 3.6 are using OpenSSL 1.0.2. Python
3.6.8 (2018-12-24) and 3.5.5 (2018-02-05) were the last regular update
with binary packages. 3.5.6 is a source-only security release. 3.6.9
will be the first source-only security release of the 3.6 series. Python
2.7 will reach EOL just a day after OpenSSL 1.0.2 reaches EOL. IMHO it's
fine to ship the last 2.7 build with an OpenSSL version that was EOLed
just 24h earlier.

Python 3.7 and master (3.8) are affected. As of now, both branches use
OpenSSL 1.1.0 and must be updated to 1.1.1 soonish. Ned has scheduled
3.7.3 release for 2019-03-25. That's still well within the release
schedule for 1.1.0. I suggest that we update to 1.1.1 directly after the
release of Python 3.7.3 and target 3.7.4 as first builds with TLS 1.3
support. That gives Victor, Steve, and me enough time to sort out the
remaining issues.

In worst case we could revert the update and postpone the update to
3.7.5. Or we disable TLS 1.3 support by default in Mac and Windows builds.

Christian

[1] https://www.openssl.org/policies/releasestrat.html