
Is there a build flag or a ./configure-time autodetection that would allow for supporting LibreSSL while they port X509_VERIFY_PARAM_set1_host?

On Thursday, January 18, 2018, Christian Heimes <christian@python.org> wrote:

On 2018-01-16 21:17, Christian Heimes wrote:
> FYI, master on Travis CI now builds and uses OpenSSL 1.1.0g [1]. I have
> created a daily cronjob to populate Travis' cache with OpenSSL builds.
> Until the cache is filled, Linux CI will take an extra 5 minutes.

I have messed up my initial research. :( When I was checking LibreSSL
and OpenSSL for features, I drew a wrong conclusion. LibreSSL is *not*
OpenSSL 1.0.2 compatible. It only implements some of the required
features from 1.0.2 (e.g. X509_check_hostname) but not
X509_VERIFY_PARAM_set1_host.



X509_VERIFY_PARAM_set1_host() is required to perform hostname
verification during the TLS handshake. Without the function, I'm unable
to fix Python's hostname matching code [1]. LibreSSL upstream knows
about the issue since 2016 [2]. I have opened another bug report [3].



We have two options until LibreSSL has addressed the issue:

  1. Make the SSL module more secure, simpler and standards conformant
  2. Support LibreSSL

I started a vote on Twitter [4]. So far most people prefer security.

Christian

[1] https://bugs.python.org/issue31399
[2] https://github.com/pyca/cryptography/issues/3247
[3] https://github.com/libressl-portable/portable/issues/381
[4] https://twitter.com/reaperhulk/status/953991843565490176

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com
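The configure-time autodetection asked about at the top of this message, shown as an added example; this is not CPython's own configure script and not code from anyone in the thread. It does what autoconf does for any library symbol: compile and link a throwaway program that calls X509_VERIFY_PARAM_set1_host(), and turn the result into a preprocessor define the SSL module could test. The macro name HAVE_X509_VERIFY_PARAM_SET1_HOST, the probe functions and the conftest program are all assumptions made for this example. The security-relevant design choice is that a LibreSSL without the function must make the build say "no" loudly, so hostname verification is either done at handshake time or visibly unavailable, never silently skipped.

```shell
#!/bin/sh
# Added example (not CPython's configure): an autoconf-style probe that
# compiles a tiny program against libcrypto and reports whether
# X509_VERIFY_PARAM_set1_host() is present and links. The macro name
# HAVE_X509_VERIFY_PARAM_SET1_HOST is hypothetical, chosen for this example.

# probe_x509_set1_host [compiler] [extra-cflags]
# exit status: 0 = function available, 1 = missing or unlinkable,
#              2 = the probe itself could not run (no temp dir)
probe_x509_set1_host() {
    cc_bin="${1:-${CC:-cc}}"
    extra_flags="${2:-}"
    tmpdir=$(mktemp -d 2>/dev/null) || return 2
    # Constructed conftest program: compiling AND linking it proves the symbol
    # exists in the library actually found on this machine; a LibreSSL that
    # lacks the function fails at link time and the probe reports "no".
    cat > "$tmpdir/conftest.c" <<'EOF'
#include <openssl/x509_vfy.h>
int main(void) {
    X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
    /* handshake-time hostname checks depend on this call existing */
    return X509_VERIFY_PARAM_set1_host(param, "example.invalid", 0) ? 0 : 1;
}
EOF
    if "$cc_bin" $extra_flags -o "$tmpdir/conftest" "$tmpdir/conftest.c" -lcrypto >/dev/null 2>&1; then
        rm -rf "$tmpdir"
        return 0
    fi
    rm -rf "$tmpdir"
    return 1
}

# ssl_host_cflags [compiler]: prints the -D flag a build would pass to the
# SSL module's compile line, or nothing when the function is unavailable.
ssl_host_cflags() {
    if probe_x509_set1_host "${1:-}"; then
        echo "-DHAVE_X509_VERIFY_PARAM_SET1_HOST=1"
    fi
}

# Stand-alone use: print a configure-style "checking for ..." line.
if [ "${PROBE_REPORT:-}" = 1 ]; then
    if probe_x509_set1_host; then
        echo "checking for X509_VERIFY_PARAM_set1_host... yes"
    else
        echo "checking for X509_VERIFY_PARAM_set1_host... no (LibreSSL without the function?)"
    fi
fi
```

Run it as `PROBE_REPORT=1 sh probe.sh`, optionally with `CC=clang` or a second argument such as `-I/opt/libressl/include -L/opt/libressl/lib` to point the probe at a specific TLS library. A build that consumes the result should treat an empty `ssl_host_cflags` output as "disable the feature and say so", not as "fall back to no hostname check".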