[Python-Dev] Python 3.7: Require OpenSSL >=1.0.2
Wes Turner wes.turner at gmail.com
Sun Jan 14 13:06:20 EST 2018
FWIW, anaconda and conda-forge currently have 1.0.2 X
https://anaconda.org/anaconda/openssl
https://anaconda.org/conda-forge/openssl
On Sunday, January 14, 2018, Ned Deily <nad at python.org> wrote:
On Jan 14, 2018, at 08:39, Christian Heimes <christian at python.org> wrote:
> On 2018-01-14 09:24, Matt Billenstein wrote:
>> Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has
>> deprecated (and no longer ships the header files for) the version shipped with
>> recent versions of osx.
>>
>> Perhaps this is an option to support the various flavors of Linux as well?
>
> AFAIK Apple has decided to compile and statically link CPython's ssl with
> an ancient, customized LibreSSL version. Cory posted [1] a couple of
> months ago
I think you're conflating some things here. Apple has not yet shipped a version of Python 3 with macOS so the fact that Apple now links their version of Python2.7 with a "private" copy of LibreSSL is irrelevant. (It's private in the sense that they don't ship the header files for it; the shared libs are there just for the use of the open source products they ship with macOS that don't yet use the macOS native crypto APIs, products like Python and Perl.) What Matt is likely thinking of is the Python 3 versions provided by the python.org macOS binary installers where we do build and link with our own 1.0.2 (and soon 1.1.0 for 3.7) versions of OpenSSL. Currently, the OpenSSL (and several other third-party libs such as libxz which is not shipped by Apple) are built as part of the installer build script in the Mac section of the source repo. I would like to refactor and generalize that so those third-party libs could optionally be used for non-installer builds as well. But, in any case, we don't have much choice for the installer builds until such time as CPython has support for the Apple-provided crypto APIs.
Support for Apple SecureTransport is part of the TLS module. IDK how far along that work is (whether it'll be ready for 3.7 beta 1)?
https://github.com/python/peps/blob/master/pep-0543.rst
https://www.python.org/dev/peps/pep-0543/
http://markmail.org/search/?q=list%3Aorg.python+PEP+543+TLS
> I'm not going to add OpenSSL sources or builds to CPython. We just got
> rid of copies of libffi and other 3rd party dependencies. Crypto and TLS
> libraries are much, MUCH more complicated to handle than libffi. It's a
> constant moving target of attacks. Vendors and distributions also have
> different opinions about trust store and policies.
>
> Let's keep build dependencies a downstream and vendor problem.

That's not always an option, unfortunately.

--
  Ned Deily
  nad at python.org -- []
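Added example, not part of the original message or of CPython: a check of which TLS library an interpreter's ssl module is linked against, compared with the minimums named in the thread subject (OpenSSL >= 1.0.2 / LibreSSL >= 2.5.3). The function names are hypothetical and the sample banners are constructed.

```python
import re
import ssl

# Minimums from the thread subject: OpenSSL >= 1.0.2 / LibreSSL >= 2.5.3.
MINIMUMS = {"OpenSSL": (1, 0, 2), "LibreSSL": (2, 5, 3)}

# The banner (ssl.OPENSSL_VERSION) names the library; the numeric tuple in
# ssl.OPENSSL_VERSION_INFO does not, so the banner is what gets parsed here.
_BANNER_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")

# Constructed sample banners in the format the ssl module reports.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1u  22 Sep 2016",
    "OpenSSL 1.0.2n  7 Dec 2017",
    "OpenSSL 1.1.0g  2 Nov 2017",
    "LibreSSL 2.2.7",
    "LibreSSL 2.5.3",
]


def parse_banner(banner):
    """Return (library, (major, minor, fix)); patch letters such as 'n' are ignored."""
    m = _BANNER_RE.match(banner)
    if m is None:
        # Unknown library (or unexpected format): refuse to guess.
        raise ValueError("unrecognised TLS library banner: %r" % (banner,))
    return m.group(1), tuple(int(part) for part in m.groups()[1:])


def meets_minimum(banner):
    """True if the banner's library version satisfies the thread's minimum."""
    library, version = parse_banner(banner)
    return version >= MINIMUMS[library]


def audit(banners):
    """Return (banner, library, version, ok) rows for a list of banners."""
    rows = []
    for banner in banners:
        library, version = parse_banner(banner)
        rows.append((banner, library, version, version >= MINIMUMS[library]))
    return rows


if __name__ == "__main__":
    # Check the running interpreter first, then the constructed samples.
    for banner, library, version, ok in audit([ssl.OPENSSL_VERSION] + SAMPLE_BANNERS):
        status = "ok" if ok else "below minimum"
        print("%-32s %-9s %-10s %s" % (banner, library, version, status))
```
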