[issue41837] Upgrade installers to OpenSSL 1.1.1h
Ned Deily
report at bugs.python.org
Tue Sep 22 20:59:08 EDT 2020
New submission from Ned Deily <nad at python.org>:
"22-Sep-2020 OpenSSL 1.1.1h is now available, including bug fixes"
Christian, any changes needed in _ssl or any other reasons we should not upgrade?
Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

*) Certificates with explicit curve parameters are now disallowed in verification chains if the X509_V_FLAG_X509_STRICT flag is used.
   [Tomas Mraz]

*) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently ignore TLS protocol version bounds when configuring DTLS-based contexts, and conversely, silently ignore DTLS protocol version bounds when configuring TLS-based contexts. The commands can be repeated to set bounds of both types. The same applies with the corresponding "min_protocol" and "max_protocol" command-line switches, in case some application uses both TLS and DTLS.
   SSL_CTX instances that are created for a fixed protocol version (e.g. TLSv1_server_method()) also silently ignore version bounds. Previously, attempts to apply bounds to these protocol versions would result in an error. Now only the "version-flexible" SSL_CTX instances are subject to limits in configuration files and command-line options.
   [Viktor Dukhovni]

*) Handshake now fails if the Extended Master Secret extension is dropped on renegotiation.
   [Tomas Mraz]
----------
components: Build, Windows, macOS
messages: 377352
nosy: christian.heimes, ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, zach.ware
priority: high
severity: normal
status: open
title: Upgrade installers to OpenSSL 1.1.1h
versions: Python 3.10, Python 3.8, Python 3.9
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41837>
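An added example, not part of the tracker issue or of CPython's own test suite, showing the checks a packager might run after rebuilding the installers: confirm which OpenSSL the `ssl` module is actually linked against (at least 1.1.1h, the version this issue asks for), and confirm that the Python-side equivalents of the two changelog items above still take effect, namely version bounds on a version-flexible context (`SSLContext.minimum_version`) and strict X.509 chain checking (`ssl.VERIFY_X509_STRICT`). The required-version tuple is derived from the issue title; everything else uses only the standard-library `ssl` API.

```python
import ssl

# OpenSSL 1.1.1h expressed in the layout of ssl.OPENSSL_VERSION_INFO
# (major, minor, fix, patch, status). The patch letter 'h' is 8.
# Constructed from the issue title; adjust when bumping again.
REQUIRED_OPENSSL = (1, 1, 1, 8)


def openssl_at_least(required=REQUIRED_OPENSSL, actual=None):
    """Return True if the linked OpenSSL is at least `required`.

    `actual` defaults to the interpreter's ssl.OPENSSL_VERSION_INFO; passing a
    tuple explicitly makes the check testable on any build. Only the first
    four fields are compared, so the trailing 'status' field is ignored.
    """
    if actual is None:
        actual = ssl.OPENSSL_VERSION_INFO
    return tuple(actual[:4]) >= tuple(required[:4])


def make_bounded_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Build a version-flexible client context with a protocol floor.

    PROTOCOL_TLS_CLIENT is the Python counterpart of a "version-flexible"
    SSL_CTX, so the bound set here is honoured (fixed-version contexts are
    the ones the changelog says ignore bounds).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    return ctx


def make_strict_context():
    """Client context with X509_V_FLAG_X509_STRICT enabled.

    With OpenSSL 1.1.1h this flag additionally rejects chain certificates
    that carry explicit curve parameters (first changelog entry above).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    return ctx


def describe_bounds(ctx):
    """Return (minimum, maximum) protocol bound names for a context."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


def strict_verification_enabled(ctx):
    """True if the X509_STRICT verify flag is set on the context."""
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)


if __name__ == "__main__":
    print("linked OpenSSL:", ssl.OPENSSL_VERSION)
    print("at least 1.1.1h:", openssl_at_least())
    print("bounds:", describe_bounds(make_bounded_context()))
    print("strict verify:", strict_verification_enabled(make_strict_context()))
```

The version comparison works unchanged for OpenSSL 3.x builds, since `ssl.OPENSSL_VERSION_INFO` keeps the same tuple layout there.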