[Python-Dev] OpenSSL 1.1.1 update for 3.7/3.8

Christian Heimes christian at python.org
Tue Feb 26 16:45:27 EST 2019

On 26/02/2019 21.31, Wes Turner wrote:
>> IMHO it's
>> fine to ship the last 2.7 build with an OpenSSL version that was EOLed
>> just 24h earlier.
>
> Is this a time / cost issue or a branch policy issue?
> If someone was to back port the forthcoming 1.1.1 to 2.7 significantly
> before the EOL date, could that be merged?

My mail is about official binary Python packages for Windows and macOS.
We stick to an OpenSSL version to guarantee maximum backwards
compatibility within a minor release. OpenSSL 1.1.1 has TLS 1.3 support
and prefers TLS 1.3 over TLS 1.2. There is a small chance that TLS 1.3
breaks some assumptions.

Python 2.7 works mostly fine with OpenSSL 1.1.1. There are some minor
test issues related to TLS 1.3 but nothing serious. Linux distros have
been shipping Python 2.7 with OpenSSL 1.1.1 for a while.

> There are all sorts of e.g. legacy academic works that'll never be
> upgraded etc etc

That topic is out of scope and has been discussed countless times.

