[Python-Dev] Supported versions of OpenSSL

Christian Heimes christian at python.org
Wed Aug 31 06:17:34 EDT 2016


On 2016-08-30 18:00, Antoine Pitrou wrote:
> On Sun, 28 Aug 2016 22:40:11 +0200
> Christian Heimes <christian at python.org> wrote:
>>
>> Here is the deal for 2.7 to 3.5:
>>
>> 1) All versions older than 0.9.8 are completely out-of-scope and no
>> longer supported.
>>
>> 2) 0.9.8 is semi-supported. Python will still compile and work with 0.9.8.
>> However we do NOT promise that it is secure to run 0.9.8. We also require a
>> recent version. Patch level 0.9.8zc from October 2014 is reasonable
>> because it comes with SCSV fallback (CVE-2014-3566).
>>
>> 3) 1.0.0 is irrelevant. Users are either stuck on 0.9.8 or are able to
>> upgrade to 1.0.1+. Let's not support it.
>>
>> 4) 1.0.1 is discouraged but still supported until its EOL.
>>
>> 5) 1.0.2 is the recommended version.
>>
>> 6) 1.1 support will be added by #26470 soon.
>>
>> 7) LibreSSL 2.3 is supported but with a slightly limited feature set.
> 
> Can you expand briefly how "limited" the feature set is?  Does it only
> disable some arcane features, so that e.g. asyncio + TLS support works
> fine?
> 
> Other than that, it all sounds good to me.

I honestly don't know because I lack the expertise and knowledge.
LibreSSL has removed some features (env vars like SSL_CERT_FILE, ENGINE
support) and added some other features. I cannot tell if stdlib ssl +
LibreSSL is even secure. It probably is *if and only if* LibreSSL is
100% compatible with OpenSSL.

Christian
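A runtime check of the linked TLS library against the support tiers listed in the quoted mail, added here as an example (it is not CPython code or anything posted in the thread). It reads `ssl.OPENSSL_VERSION` and `ssl.OPENSSL_VERSION_INFO`; the 0.9.8 patch-letter mapping and the LibreSSL detection by version string are this example's own assumptions.

```python
"""Classify the TLS library CPython is linked against using the support
tiers from the thread (added example, not CPython code). Version tuples use
the ssl.OPENSSL_VERSION_INFO layout: (major, minor, fix, patch, status)."""
import ssl


def patch_from_letters(letters):
    """Map a 0.9.8 patch suffix ('a' .. 'z', then 'za', 'zb', 'zc', ...) to
    the patch number carried in OPENSSL_VERSION_INFO; 'a' is 1, 'z' is 26,
    'za' is 27 and 'zc' is 29 (assumed mapping, matches OpenSSL's encoding)."""
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


# 0.9.8zc (October 2014) is the patch level the thread requires: it carries
# the TLS_FALLBACK_SCSV mitigation for CVE-2014-3566.
MIN_098_PATCH = patch_from_letters("zc")


def classify(version_string, version_info):
    """Return (tier, reason) for a library described by ssl.OPENSSL_VERSION
    and ssl.OPENSSL_VERSION_INFO, following the tiers in the thread."""
    # LibreSSL reports an unrelated version number (2.x), so detect it by name
    # before looking at the tuple; assumed check, based on the version string.
    if "LibreSSL" in version_string:
        return "supported-limited", "LibreSSL: supported, reduced feature set"
    major, minor, fix, patch = version_info[:4]
    base = (major, minor, fix)
    if base < (0, 9, 8):
        return "unsupported", "older than 0.9.8: out of scope"
    if base == (0, 9, 8):
        if patch < MIN_098_PATCH:
            return "unsupported", "0.9.8 below zc: no SCSV fallback (CVE-2014-3566)"
        return "semi-supported", "0.9.8zc+: builds and works, security not promised"
    if base == (1, 0, 0):
        return "unsupported", "1.0.0: not supported, move to 1.0.1 or newer"
    if base == (1, 0, 1):
        return "discouraged", "1.0.1: supported until its EOL only"
    if base == (1, 0, 2):
        return "recommended", "1.0.2: the recommended version"
    if base[:2] == (1, 1):
        return "pending", "1.1: support tracked by #26470"
    return "unclassified", "newer than 1.1: not covered by the thread's tiers"


def check_runtime():
    """Classify the library this interpreter is actually linked against."""
    tier, reason = classify(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO)
    print("%s -> %s (%s)" % (ssl.OPENSSL_VERSION, tier, reason))
    return tier, reason


if __name__ == "__main__":
    check_runtime()
```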

