[Python-Dev] LibreSSL support

Wes Turner wes.turner at gmail.com
Thu Jan 18 13:42:08 EST 2018


Is there a build flag or a ./configure-time autodetection that would allow for supporting LibreSSL while they port X509_VERIFY_PARAM_set1_host?

On Thursday, January 18, 2018, Christian Heimes <christian at python.org> wrote:

On 2018-01-16 21:17, Christian Heimes wrote:
> FYI, master on Travis CI now builds and uses OpenSSL 1.1.0g [1]. I have
> created a daily cronjob to populate Travis' cache with OpenSSL builds.
> Until the cache is filled, Linux CI will take an extra 5 minutes.

I have messed up my initial research. :( When I was checking LibreSSL and OpenSSL for features, I drew a wrong conclusion. LibreSSL is not OpenSSL 1.0.2 compatible. It only implements some of the required features from 1.0.2 (e.g. X509_check_hostname) but not X509_VERIFY_PARAM_set1_host. X509_VERIFY_PARAM_set1_host() is required to perform hostname verification during the TLS handshake. Without the function, I'm unable to fix Python's hostname matching code [1].

LibreSSL upstream has known about the issue since 2016 [2]. I have opened another bug report [3].

We have two options until LibreSSL has addressed the issue:

1) Make the SSL module more secure, simpler and standard-conforming
2) Support LibreSSL

I started a vote on Twitter [4]. So far most people prefer security.

Christian

[1] https://bugs.python.org/issue31399
[2] https://github.com/pyca/cryptography/issues/3247
[3] https://github.com/libressl-portable/portable/issues/381
[4] https://twitter.com/reaperhulk/status/953991843565490176
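Wes asks above for a ./configure-time autodetection. The script below is an added example of how such a probe works; it is not CPython's configure machinery and not code from either message. It performs the same compile-and-link test that autoconf's AC_CHECK_FUNC does, but in Python so it can be run stand-alone: it writes a tiny C program that takes the address of X509_VERIFY_PARAM_set1_host through a volatile pointer (so the linker must actually resolve the symbol, not just the header declare it), tries to build it, and turns the answer into a build define. It assumes a C compiler reachable as $CC or `cc` and OpenSSL/LibreSSL headers and libraries in the default search paths; the macro name HAVE_X509_VERIFY_PARAM_SET1_HOST is my own choice, not one CPython uses.

```python
"""Configure-style feature probe for X509_VERIFY_PARAM_set1_host.

Added example, not CPython's configure logic. Assumes a C compiler on PATH
(``cc`` unless the CC environment variable says otherwise) and that the
OpenSSL/LibreSSL headers and libraries are in the default search paths.
"""
import os
import shutil
import subprocess
import tempfile

# X509_VERIFY_PARAM_set1_host() is declared in <openssl/x509_vfy.h>
# in OpenSSL 1.0.2 and later.
PROBE_FUNC = "X509_VERIFY_PARAM_set1_host"
PROBE_HEADER = "openssl/x509_vfy.h"

# Hypothetical define name chosen for this example.
HAVE_DEFINE = "HAVE_X509_VERIFY_PARAM_SET1_HOST"


def probe_source(func=PROBE_FUNC, header=PROBE_HEADER):
    """Return a minimal C program that builds only if `func` is usable.

    Storing the function's address into a volatile pointer forces the
    compiler to emit a relocation for the symbol, so a header that declares
    the function while the library does not export it still fails at link
    time instead of being folded away at compile time.
    """
    return (
        f"#include <{header}>\n"
        "int main(void) {\n"
        f"    void (*volatile fp)(void) = (void (*)(void)){func};\n"
        "    return fp == 0;\n"
        "}\n"
    )


def probe_function(func=PROBE_FUNC, header=PROBE_HEADER, cc=None):
    """Compile-and-link test in the spirit of autoconf's AC_CHECK_FUNC.

    Returns True if the symbol is available, False if compiling or linking
    fails, and None if no C compiler can be found.  Callers must not treat
    "unknown" as "present".
    """
    cc = cc or os.environ.get("CC", "cc")
    if shutil.which(cc) is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "conftest.c")
        exe = os.path.join(tmp, "conftest")
        with open(src, "w") as fh:
            fh.write(probe_source(func, header))
        # Link against libssl and libcrypto like a real build would.
        result = subprocess.run(
            [cc, src, "-o", exe, "-lssl", "-lcrypto"],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0


def hostname_verification_defines(available):
    """Translate a probe result into preprocessor flags for the build.

    Only a positive probe enables in-handshake hostname verification.  An
    unknown result (no compiler found) is treated as "not available", so the
    build fails closed rather than assuming the safer code path exists.
    """
    if available is True:
        return [f"-D{HAVE_DEFINE}=1"]
    return []


if __name__ == "__main__":
    found = probe_function()
    state = {True: "found", False: "missing", None: "no C compiler"}[found]
    print(f"checking for {PROBE_FUNC}... {state}")
    print("extra CFLAGS:", " ".join(hostname_verification_defines(found)) or "(none)")
```

On an OpenSSL 1.0.2+ system the probe reports "found"; against a LibreSSL of the vintage discussed in the thread it reports "missing", which is the signal a build system would use to decide between the two options Christian lists rather than inferring anything from version strings.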

