[python-committers] ssl module will require OpenSSL 1.0.2
Christian Heimes christian at python.org
Fri Jan 26 14:47:14 EST 2018
For your information,
my ssl module improvement "Let OpenSSL verify hostname and IP address" will land either today or tomorrow. I'm just waiting for Alex to give me the final ACK on PR https://github.com/python/cpython/pull/3462.
Once the PR has landed, several issues with hostname and IP address verification will be solved. Python 3.7 will use OpenSSL's recommended API to match hostnames. The API is OpenSSL 1.0.2+ only. OpenSSL 0.9.8 and 1.0.1 are no longer supported.
LibreSSL does not implement these APIs yet, see https://github.com/libressl-portable/portable/issues/381 for my upstream bug and https://mail.python.org/pipermail/python-dev/2018-January/151824.html for Python-dev discussion.
I'd also like to get https://github.com/python/cpython/pull/5259 into 3.7. The PR adds support for OpenSSL's new API to set minimum and maximum TLS protocol version. It's required for compatibility with future versions of Debian. Debian has used the new APIs to disable TLS 1.0 and 1.1, see https://bugs.python.org/issue31453.
PR https://github.com/python/cpython/pull/5162 implements PEP 543 Certificate and PrivateKey classes, but it's not finished yet. The code works but it lacks tests and documentation.
My remaining TLS PRs are either bug fixes or can wait for 3.8. I'll merge them after beta 1 has been released.
Christian
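
An added example, not part of the original message or of CPython's code: a client-side check built on the behaviour announced above, assuming Python 3.7 or later, where `SSLContext.minimum_version` exists. The function names, the TLS 1.2 floor and the deliberately weak context are assumptions made for this illustration.

```python
import ssl

# Oldest OpenSSL release the message says Python 3.7's ssl module supports.
MIN_OPENSSL = (1, 0, 2)
# Policy floor chosen for this example (mirrors Debian disabling TLS 1.0/1.1).
TLS_FLOOR = ssl.TLSVersion.TLSv1_2


def openssl_supported(version_info=ssl.OPENSSL_VERSION_INFO):
    """True when (major, minor, fix, ...) is at least OpenSSL 1.0.2."""
    return tuple(version_info[:3]) >= MIN_OPENSSL


def build_client_context(floor=TLS_FLOOR):
    """Client context with chain and hostname checks on and a version floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = floor         # min/max version API (Python 3.7+)
    return ctx


def audit_context(ctx, floor=TLS_FLOOR):
    """Return a list of findings for settings that weaken peer verification."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname/IP address is not matched against the certificate")
    low = ctx.minimum_version
    # MINIMUM_SUPPORTED is a sentinel meaning "whatever the library allows".
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED or (
        low != ssl.TLSVersion.MAXIMUM_SUPPORTED and low < floor
    ):
        findings.append("minimum TLS version is below " + floor.name)
    return findings


def weak_context():
    """Constructed misconfiguration used only to exercise audit_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "supported:", openssl_supported())
    print("hardened:", audit_context(build_client_context()))
    print("weak:", audit_context(weak_context()))
```

`openssl_supported()` compares version numbers only; a LibreSSL build reports its own numbering through `ssl.OPENSSL_VERSION_INFO`, so inspect `ssl.OPENSSL_VERSION` as well when the library in use matters.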