[Python-Dev] PEP 466 (round 2): Network security enhancements for Python 2.7
Nick Coghlan ncoghlan at gmail.com
Mon Mar 24 13:51:50 CET 2014
On 24 March 2014 22:39, M.-A. Lemburg <mal at egenix.com> wrote:
> On 24.03.2014 13:33, Antoine Pitrou wrote:
>> Under Linux (and probably OS X too), the ssl module is linked dynamically with OpenSSL:
>>
>> $ ldd build/lib.linux-x86_64-2.7-pydebug/_ssl.so
>>     linux-vdso.so.1 => (0x00007fff3f1de000)
>>     libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd8853ea000)
>>     libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd885010000)
>>     libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd884df1000)
>>     libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd884a2b000)
>>     libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd884827000)
>>     /lib64/ld-linux-x86-64.so.2 (0x00007fd885868000)
>
> Right, and it's using the system library, not a private copy - which can be both good and bad depending on how recent the system's library version is.
Even if we statically linked OpenSSL on Linux, you can bet distro vendors would switch it back to dynamic linking. Hence the comment in the PEP about vendor-provided OpenSSL updates mitigating some of the concerns on Linux (defaulting not all of them though - it's still far too easy for developers to make mistakes and too hard for them to do the right thing from a security perspective).
You also reminded me that I need to dig around for and reference Ned's email about the status of OS X and reference that (OpenSSL upgrades were a casualty of Apple's anti-GPL crusade, so the OS X installers were switched to static linking somewhere along the line).
Cheers, Nick.
-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
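The linkage question discussed in this message, as an added example that is not part of the original email or of CPython: it parses `ldd` output for the `_ssl` extension and reports whether OpenSSL is resolved from a system directory, from a private copy, or not as a shared library at all. The function names, the `SYSTEM_LIB_DIRS` list and the sample listing are assumptions constructed for illustration.

```python
import re
import ssl

# Constructed sample: ldd output for a dynamically linked _ssl extension,
# shaped like the listing quoted in the message above.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 =>  (0x00007fff3f1de000)
\tlibssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd8853ea000)
\tlibcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd885010000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd884a2b000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007fd885868000)
"""

# Assumption: directories whose libraries the distro package manager updates.
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s+=>\s+(?P<path>/\S+)?\s*\(0x[0-9a-f]+\)\s*$")


def parse_ldd(output):
    """Map each soname in ldd output to its resolved path (None if no path)."""
    deps = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            deps[m.group("soname")] = m.group("path")
    return deps


def openssl_linkage(ldd_output):
    """Classify how an _ssl extension gets OpenSSL, from its ldd output."""
    deps = parse_ldd(ldd_output)
    found = {n: p for n, p in deps.items()
             if n.startswith(("libssl.so", "libcrypto.so"))}
    if not found:
        # No shared OpenSSL dependency: static link, or built without OpenSSL.
        return "static", found
    if all(p and p.startswith(SYSTEM_LIB_DIRS) for p in found.values()):
        return "dynamic-system", found  # picks up vendor OpenSSL updates
    return "dynamic-private", found     # non-system copy: updated separately


def runtime_openssl():
    """Version string of the OpenSSL the running ssl module reports."""
    return ssl.OPENSSL_VERSION
```

Comparing `runtime_openssl()` with the distro's packaged OpenSSL version shows whether the interpreter is actually benefiting from system updates.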