[Cryptography-dev] [Proposal] Deprecating and removing support for OpenSSL 0.9.8

Alex Gaynor alex.gaynor at gmail.com
Fri Jan 22 16:58:33 EST 2016


Hi all,

I'd like to propose we deprecate support for OpenSSL 0.9.8 in our next
release, and remove support in the release after (we already emit warnings
in our current release, so this is consistent with our schedule).

Rationale: OpenSSL 0.9.8 is old, does not support modern web security (e.g.
no TLS 1.2), and supporting it adds complexity, in the form of hundreds of
additional lines of code and configuration options.

Supporting data: As of pip 8 (released this week, already used for
something like 1/3 of PyPI downloads), the user agent of pip includes the
system's OpenSSL version. Looking at the data (excluding Windows and OS X,
since on those platforms we include OpenSSL 1.0.2 in our wheels), the
overall distribution is:



Indicating that OpenSSL 0.9.8 on Linux represents less than 1% of all
installations.

Looking at per-package data, here are the percent of downloads using
OpenSSL 0.9.8 for some relevant packages:

- unidecode: 7.6% (This is the package with the highest percent of 0.9.8
users)
- rsa: 3.3%
- pyasn1: 2.2%
- requests: 1.6%
- pycrypto: 0.8%
- pip: 0.6%
- pyopenssl: 0.4%
- letsencrypt-apache: 0.3%
- cryptography: 0.3%


I think these numbers are low enough that we can safely drop OpenSSL 0.9.8
support.

Platforms specifically known to be affected:
- RHEL/CentOS 5 and older
- Debian Squeeze (based on OpenSSL version, this is where most of the
affected users will be).


Thoughts? Will you be affected by this?
Alex

-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2016-01-22 at 4.51.47 PM.png
Type: image/png
Size: 44428 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20160122/53eb4927/attachment-0001.png>

