[Python-Dev] Supported versions of OpenSSL

Christian Heimes christian at python.org
Mon Aug 29 04:24:42 EDT 2016


On 2016-08-29 10:09, M.-A. Lemburg wrote:
> On 28.08.2016 22:40, Christian Heimes wrote:
>> ...
>> I like to reduce the maintenance burden and list of supported OpenSSL versions ASAP. OpenSSL has deprecated 0.9.8 and 1.0.0 last year. 1.0.1 will reach EOL by the end of this year, https://www.openssl.org/policies/releasestrat.html . However OpenSSL 0.9.8 is still required for some platforms (OSX).
>> ...
>> For upcoming 3.6 I would like to limit support to 1.0.2+ and require 1.0.2 features for 3.7.
>> ...
>
> Hmm, that last part would mean that Python 3.7 will no longer compile on e.g. Ubuntu 14.04 LTS which uses OpenSSL 1.0.1 as default version. Since 14.04 LTS is supported until 2019, I think it would be better to only start requiring 1.0.2 in Python 3.8.

No, LTS support should not be our concern. If you need a brand new version of Python on an old LTS or Enterprise version of your OS, please contact your vendor and buy support. You don't get to run old metal and play with shiny new toys at the same time for free.

By the way I knew that something like this would come up from you. Thank you that you satisfied my expectation. :p

> BTW: Are there any features in 1.0.2 that we need and would warrant dropping support for 1.0.1 earlier than Ubuntu 14.04 LTS?

Yes, there are features I want to use, e.g. proper hostname verification. Python's post-handshake verification is a hack and leads to information disclosure.

Christian


