Is there a build flag or a ./configure-time autodetection that would allow for supporting LibreSSL while they port X509_VERIFY_PARAM_set1_host?
On Thursday, January 18, 2018, Christian Heimes <christian@python.org> wrote:
On 2018-01-16 21:17, Christian Heimes wrote:
> FYI, master on Travis CI now builds and uses OpenSSL 1.1.0g [1]. I have
> created a daily cronjob to populate Travis' cache with OpenSSL builds.
> Until the cache is filled, Linux CI will take an extra 5 minute.
I have messed up my initial research. :( When I was checking LibreSSL
and OpenSSL for features, I drew a wrong conclusion. LibreSSL is *not*
OpenSSL 1.0.2 compatible. It only implements some of the required
features from 1.0.2 (e.g. X509_check_hostname) but not
X509_VERIFY_PARAM_set1_host.
X509_VERIFY_PARAM_set1_host() is required to perform hostname
verification during the TLS handshake. Without the function, I'm unable
to fix Python's hostname matching code [1]. LibreSSL upstream knows
about the issue since 2016 [2]. I have opened another bug report [3].
We have two options until LibreSSL has addressed the issue:
- Make the SSL module more secure, simpler and standard-conforming
- Support LibreSSL
I started a vote on Twitter [4]. So far most people prefer security.
Christian
[1] https://bugs.python.org/issue31399
[2] https://github.com/pyca/cryptography/issues/3247
[3] https://github.com/libressl-portable/portable/issues/381
[4] https://twitter.com/reaperhulk/status/953991843565490176
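The question above asks whether the presence of X509_VERIFY_PARAM_set1_host can be autodetected rather than assumed from the backend name. The following is an added example, not code from CPython, Christian's patch or LibreSSL: it probes the linked libssl for the symbol with ctypes, parses the backend name and version that Python's ssl module reports, and turns the two into a decision about who performs hostname matching. The function and dictionary-key names, the "library"/"application"/"unknown" labels and the sample version strings are all assumptions made for this example; ctypes.util.find_library may also resolve to a different libssl than the one Python's _ssl extension was built against, which is why the probe accepts an explicit library path.

```python
# Added example: detect whether the TLS backend exports
# X509_VERIFY_PARAM_set1_host, the function OpenSSL needs to match the
# hostname itself during the handshake. Not CPython's or LibreSSL's code.
import ctypes
import ctypes.util
import re
import ssl

SET1_HOST = "X509_VERIFY_PARAM_set1_host"


def parse_backend(version_string):
    """Split ssl.OPENSSL_VERSION-style text into (name, (major, minor, patch)).

    Handles both "OpenSSL 1.1.0g  2 Nov 2017" and "LibreSSL 2.6.4"
    (sample strings constructed for this example). OpenSSL's patch letter
    (the "g") is not part of the numeric triple and is dropped.
    """
    m = re.match(r"(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("unrecognised TLS backend: %r" % (version_string,))
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def libssl_has_symbol(name, library=None):
    """Return True/False if a libssl could be loaded, None if none was found.

    Assumption: `library`, when given, is the path of the libssl that the
    interpreter's _ssl module is actually linked against; without it,
    find_library() may pick a different copy on systems with several.
    """
    path = library or ctypes.util.find_library("ssl")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    # hasattr() on a CDLL performs the dynamic symbol lookup.
    return hasattr(lib, name)


def hostname_check_strategy(backend_name, backend_version, has_set1_host):
    """Decide who matches the hostname, from the probe result and version.

    "library":     the backend exports the symbol (or is OpenSSL >= 1.0.2,
                   which always does), so it can verify the hostname in the
                   handshake.
    "application": the probe found the symbol missing, the situation the
                   thread describes for LibreSSL; the caller must match the
                   hostname against the peer certificate itself.
    "unknown":     no libssl could be probed and the version alone does not
                   settle it.
    """
    if has_set1_host or (backend_name == "OpenSSL" and backend_version >= (1, 0, 2)):
        return "library"
    if has_set1_host is False:
        return "application"
    return "unknown"


def probe(version_string=None, library=None):
    """Probe the running interpreter's backend and summarise the result."""
    text = version_string if version_string is not None else ssl.OPENSSL_VERSION
    name, version = parse_backend(text)
    has = libssl_has_symbol(SET1_HOST, library)
    return {
        "backend": name,
        "version": version,
        "has_set1_host": has,
        "hostname_check": hostname_check_strategy(name, version, has),
    }


if __name__ == "__main__":
    for key, value in probe().items():
        print("%-15s %s" % (key, value))
```

A configure script could run the same probe as a test program (compile-and-link against the candidate libssl and see whether the symbol resolves) instead of branching on LIBRESSL_VERSION_NUMBER; the point of probing the symbol rather than the name is that a future LibreSSL release exporting it would be detected without a version table.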