[Python-Dev] Supported versions of OpenSSL
Benjamin Peterson benjamin at python.org
Tue Aug 30 01:13:54 EDT 2016
On Sun, Aug 28, 2016, at 22:42, Christian Heimes wrote:
> On 2016-08-29 04:38, Ned Deily wrote:
> > On Aug 28, 2016, at 19:06, Benjamin Peterson <benjamin at python.org> wrote:
> >> On Sun, Aug 28, 2016, at 13:40, Christian Heimes wrote:
> >>> Here is the deal for 2.7 to 3.5:
> >>>
> >>> 1) All versions older than 0.9.8 are completely out-of-scope and no
> >>> longer supported.
> >> +1
> >>> 2) 0.9.8 is semi-support. Python will still compile and work with 0.9.8.
> >>> However we do NOT promise that it is secure to run 0.9.8. We also require a
> >>> recent version. Patch level 0.9.8zc from October 2014 is reasonable
> >>> because it comes with SCSV fallback (CVE-2014-3566).
> >> I think we should support 0.9.8 for 2.7 and drop it for 3.6.
> >
> > Sounds good to me, too. I think we should also not change things for 3.5.x at this point, e.g. continue to support 0.9.8 there.
>
> In my proto-PEP I'm talking about different levels of support: full, build-only and unsupported. Full support means that the combination of Python and OpenSSL versions is reasonably secure and recommended. On the other hand build-only support doesn't come with any security promise. The ssl and hashlib modules are source compatible with OpenSSL 0.9.8. You can still compile Python, do https connections but they might not be secure. It's "Warranty void" mode.

I'm not sure having such "support" is a good idea. If we're not able to support a security module securely, it's probably better if it doesn't compile at all.