[Python-Dev] Python 3.7: Require OpenSSL >=1.0.2
Christian Heimes christian at python.org
Sun Jan 14 08:39:54 EST 2018
- Previous message (by thread): [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3
- Next message (by thread): [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 2018-01-14 09:24, Matt Billenstein wrote:
> Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has deprecated (and no longer ships the header files for) the version shipped with recent versions of osx.
> Perhaps this is an option to support the various flavors of Linux as well?
AFAIK Apple has decided to compile and statically link CPython's ssl with an ancient, customized LibreSSL version. Cory posted [1] a couple of months ago:
"Can confirm: macOS 10.13 will ship a Python linked against LibreSSL 2.2.7. A downside: this continues to use the TEA, meaning you cannot choose to distrust the system roots with it."
For TEA, see Hynek's blog post [2].
I'm not going to add OpenSSL sources or builds to CPython. We just got rid of copies of libffi and other 3rd party dependencies. Crypto and TLS libraries are much, MUCH more complicated to handle than libffi. It's a constant moving target of attacks. Vendors and distributions also have different opinions about trust store and policies.
Let's keep build dependencies a downstream and vendor problem.
Christian
[1] https://twitter.com/lukasaoz/status/872085966579802112
[2] https://hynek.me/articles/apple-openssl-verification-surprises/
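Added example, not part of the original message or of CPython: a check of which TLS library a given interpreter's ssl module is linked against, compared with the minimums in this thread's subject line (OpenSSL 1.0.2, LibreSSL 2.5.3). The function names and the sample version strings in the note below are constructed for illustration.

```python
import re
import ssl

# Minimum versions taken from the thread subject line.
MINIMUMS = {"OpenSSL": (1, 0, 2), "LibreSSL": (2, 5, 3)}

# ssl.OPENSSL_VERSION looks like "OpenSSL 1.0.2k  26 Jan 2017" or
# "LibreSSL 2.2.7". The string is parsed instead of ssl.OPENSSL_VERSION_INFO
# because LibreSSL pins OPENSSL_VERSION_NUMBER to 0x20000000, so the tuple
# reads (2, 0, 0, 0, 0) for every LibreSSL release.
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def parse_tls_library(version_string):
    """Return (library_name, (major, minor, patch)) for a version string."""
    match = _VERSION_RE.match(version_string)
    if match is None:
        raise ValueError("unrecognised TLS library string: %r" % version_string)
    numbers = tuple(int(part) for part in match.group(2, 3, 4))
    return match.group(1), numbers


def meets_minimum(version_string):
    """True if the library named in version_string satisfies MINIMUMS."""
    library, numbers = parse_tls_library(version_string)
    return numbers >= MINIMUMS[library]


def report(version_string=None):
    """Describe the linked TLS library; defaults to the running interpreter."""
    if version_string is None:
        version_string = ssl.OPENSSL_VERSION
    library, numbers = parse_tls_library(version_string)
    wanted = ".".join(str(n) for n in MINIMUMS[library])
    found = ".".join(str(n) for n in numbers)
    status = "ok" if meets_minimum(version_string) else "too old"
    return "%s %s (minimum %s): %s" % (library, found, wanted, status)


if __name__ == "__main__":
    print(report())
```

Calling `report("LibreSSL 2.2.7")` with the version quoted in the message above returns "LibreSSL 2.2.7 (minimum 2.5.3): too old".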