[Python-Dev] Supported versions of OpenSSL
Christian Heimes christian at python.org
Sun Aug 28 16:40:11 EDT 2016
- Previous message (by thread): [Python-Dev] What do we do about bad slicing and possible crashes (issue 27867)
- Next message (by thread): [Python-Dev] Supported versions of OpenSSL
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
we need to talk about OpenSSL and LibreSSL before the next release of Python. I'm working on a PEP. Most likely it won't be ready before the feature freeze.
But first let me start with some good news. OpenSSL 1.1 was released a couple of days ago. It changed a lot of aspects of its internal API, e.g. all structs are opaque and must be allocated / freed with OpenSSL API calls. Since I have been tracking changes in OpenSSL for the last half year and have submitted a couple of patches to OpenSSL, we are in a good shape. My patch https://bugs.python.org/issue26470 makes Python 2 and 3 compatible with OpenSSL 0.9.8 to 1.1.0 and with LibreSSL, too. It needs to go through review, though. I have asked Alex to verify my patch.
Now to the bad news. The SSL module is a mess. It looks like a junk room owned by a collector of ancient OpenSSL versions. For example it contains version checks for OpenSSL 0.9.5 -- which was decommissioned in 2000! That pre-dates new style classes!
I'd like to reduce the maintenance burden and the list of supported OpenSSL versions ASAP. OpenSSL deprecated 0.9.8 and 1.0.0 last year. 1.0.1 will reach EOL by the end of this year, https://www.openssl.org/policies/releasestrat.html . However OpenSSL 0.9.8 is still required for some platforms (OSX).
Here is the deal for 2.7 to 3.5:
All versions older than 0.9.8 are completely out-of-scope and no longer supported.
0.9.8 is semi-supported. Python will still compile and work with 0.9.8. However we do NOT promise that it is secure to run 0.9.8. We also require a recent version. Patch level 0.9.8zc from October 2014 is reasonable because it comes with SCSV fallback (CVE-2014-3566).
1.0.0 is irrelevant. Users are either stuck on 0.9.8 or are able to upgrade to 1.0.1+. Let's not support it.
1.0.1 is discouraged but still supported until its EOL.
1.0.2 is the recommended version.
1.1 support will be added by #26470 soon.
LibreSSL 2.3 is supported but with a slightly limited feature set. LibreSSL removed some features like SSL_CERT_FILE and OPENSSL_CONF env vars.
For the upcoming 3.6 I would like to limit support to 1.0.2+ and require 1.0.2 features for 3.7. What is the status of Python.org's OSX builds? Is it possible to drop 0.9.8?
Christian
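The support tiers listed in the message above, turned into a runtime check that a deployment could run against the OpenSSL or LibreSSL the interpreter was linked with. This is an added example, not code from the post or from CPython. It parses the `ssl.OPENSSL_VERSION` string rather than `ssl.OPENSSL_VERSION_INFO`, because LibreSSL reports a fixed compatibility version number and its real version appears only in the string. Letter patch levels are decoded the way OpenSSL's own version-number encoding does it ('a'..'z' are 1..26, 'za' continues at 27, so 0.9.8zc is patch 29). Two details are assumptions of this example, not statements from the post: LibreSSL 2.3 and later are treated alike as "supported (limited feature set)", and the tier names below are the example's own labels. The sample version strings in the test are constructed.

```python
import re
import ssl

# Matches "OpenSSL 0.9.8zc 15 Oct 2014", "OpenSSL 1.0.2h  3 May 2016", "LibreSSL 2.3.4".
VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def patch_level(letters):
    """Decode an OpenSSL letter patch level: '' -> 0, 'a' -> 1, 'z' -> 26, 'zc' -> 29."""
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


def parse_version(text):
    """Return (library, (major, minor, fix, patch)) for an OpenSSL-style version string."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    lib, major, minor, fix, letters = m.groups()
    return lib, (int(major), int(minor), int(fix), patch_level(letters))


# Minimum 0.9.8 patch level the post asks for (0.9.8zc, carries the SCSV fallback fix).
MIN_098 = (0, 9, 8, patch_level("zc"))


def support_tier(text):
    """Classify a version string into the tiers described for Python 2.7 to 3.5."""
    lib, v = parse_version(text)
    if lib == "LibreSSL":
        # Assumption of this example: 2.3 and newer are treated the same way.
        return "supported (limited feature set)" if v[:2] >= (2, 3) else "unsupported"
    if v[:3] < (0, 9, 8):
        return "unsupported"
    if v[:3] == (0, 9, 8):
        return "semi-supported" if v >= MIN_098 else "too old (needs 0.9.8zc+)"
    if v[:3] == (1, 0, 0):
        return "unsupported"
    if v[:3] == (1, 0, 1):
        return "discouraged"
    if v[:3] == (1, 0, 2):
        return "recommended"
    return "supported (1.1+)"


def check_runtime():
    """Report the linked library's version string and its tier."""
    return ssl.OPENSSL_VERSION, support_tier(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    version, tier = check_runtime()
    print("%s -> %s" % (version, tier))
```

Running the module prints the linked library's version and tier; `support_tier` can also be fed version strings collected from other hosts, which is useful when auditing a fleet for builds still on 1.0.0 or a pre-zc 0.9.8.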