[Python-Dev] Python 3.7: Require OpenSSL >=1.0.2

Christian Heimes christian at python.org
Sun Jan 14 03:57:51 EST 2018


On 2018-01-14 01:03, Steven D'Aprano wrote:
> On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote:
>> On Sat, 13 Jan 2018 13:54:33 +0100 Christian Heimes <christian at python.org> wrote:
>>> If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land a bunch of useful goodies like proper hostname verification [2], proper fix for IP address in SNI TLS header [3], PEP 543 compatible Certificate and PrivateKey types (support loading certs and keys from file and memory) [4], and simplified cipher suite configuration [5]. I can finally clean up ssl.c during the beta phase, too.
>>
>> Given the annoyance of supporting old OpenSSL versions, I'd say +1 to this. We'll have to deal with the complaints of users of Debian oldstable, CentOS 6 and RHEL 6, though.
>
> It will probably be more work for Christian, but is it reasonable to keep support for the older versions of OpenSSL, but make the useful goodies conditional on a newer version?

It's much more than just goodies. For example the X509_VERIFY_PARAM_set1_host() API fixes a whole lot of issues with ssl.match_hostname(). The feature is OpenSSL 1.0.2+ and baked into the certificate validation system. I don't see a realistic way to perform the same task with 1.0.1.

Christian
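The practical upshot of hostname checking being part of OpenSSL's certificate validation, as an added illustration that is not part of the thread: in Python 3.7's ssl module the hostname check is tied to chain verification on the SSLContext, so a client cannot lower verify_mode while check_hostname is on, and cannot wrap a socket without a server_hostname. The audit helper and its finding strings are constructed for this example; it assumes Python 3.7 or later and uses only unconnected sockets, so it runs offline.

```python
import socket
import ssl


def make_context(verify: bool = True) -> ssl.SSLContext:
    """Client context. create_default_context() gives CERT_REQUIRED plus
    check_hostname=True, so the peer name is checked by OpenSSL as part of
    chain validation rather than by a separate post-handshake call."""
    ctx = ssl.create_default_context()
    if not verify:
        # Order matters: hostname checking must be switched off before
        # verify_mode can be lowered (see coupling_enforced() below).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would flag on a client context (constructed checks)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer chain not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: cert not bound to target name")
    return findings


def coupling_enforced() -> bool:
    """Dropping verify_mode to CERT_NONE while check_hostname is still True
    is rejected: a hostname match is meaningless without chain validation."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def hostname_required(ctx: ssl.SSLContext) -> bool:
    """With check_hostname on, wrap_socket() refuses a socket that carries no
    server_hostname before any network I/O, so the name check cannot be
    skipped by accident. The socket is never connected: no handshake runs."""
    with socket.socket() as sock:
        try:
            ssock = ctx.wrap_socket(sock)
        except ValueError:
            return True
        ssock.close()
    return False


if __name__ == "__main__":
    print(audit_context(make_context(True)), audit_context(make_context(False)))
    print(coupling_enforced(), hostname_required(make_context(True)))
```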


