[python-committers] ssl module will require OpenSSL 1.0.2

Christian Heimes christian at python.org
Fri Jan 26 14:47:14 EST 2018


For your information,

my ssl module improvement "Let OpenSSL verify hostname and IP address"
will land either today or tomorrow. I'm just waiting for Alex to give me
the final ACK on PR https://github.com/python/cpython/pull/3462.

Once the PR has landed, several issues with hostname and IP address
verification will be solved. Python 3.7 will use OpenSSL's recommended
API to match hostnames. The API is OpenSSL 1.0.2+ only. OpenSSL 0.9.8
and 1.0.1 are no longer supported.

LibreSSL does not yet implement these APIs, see
https://github.com/libressl-portable/portable/issues/381 for my upstream
bug and
https://mail.python.org/pipermail/python-dev/2018-January/151824.html
for Python-dev discussion.


I'd also like to get https://github.com/python/cpython/pull/5259 into 3.7.
The PR adds support for OpenSSL's new API to set minimum and maximum TLS
protocol version. It's required for compatibility with future versions of
Debian. Debian has used the new APIs to disable TLS 1.0 and 1.1, see
https://bugs.python.org/issue31453.


PR https://github.com/python/cpython/pull/5162 implements PEP 543
Certificate and PrivateKey classes, but it's not finished yet. The code
works but it lacks tests and documentation.


My remaining TLS PRs are either bug fixes or can wait for 3.8. I'll
merge them after beta 1 has been released.

Christian
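
An added example, not part of the original message or of the PRs it links: a small audit of an `ssl.SSLContext` against the three points raised above (OpenSSL 1.0.2+, hostname/IP matching, a TLS version floor). It uses the attribute names of the released Python 3.7+ `ssl` module (`minimum_version`, `maximum_version`, `TLSVersion`), which the message does not name; the function names and the TLS 1.2 floor are assumptions.

```python
import ssl

# Hypothetical helper names. The ssl attributes are those of the released
# Python 3.7+ module; the message itself does not name them.
MIN_OPENSSL = (1, 0, 2)
FLOOR = ssl.TLSVersion.TLSv1_2


def hardened_client_context(floor=FLOOR):
    """Client context: chain and hostname verified, TLS version floor set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = floor
    ctx.load_default_certs()
    return ctx


def weak_client_context():
    """Constructed counter-example used as sample input for the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx, floor=FLOOR):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ssl.OPENSSL_VERSION_INFO[:3] < MIN_OPENSSL:
        findings.append("linked OpenSSL is older than 1.0.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname/IP is not matched against the certificate")
    # MINIMUM_SUPPORTED is a negative sentinel, so it also compares below floor.
    if ctx.minimum_version < floor:
        findings.append("minimum TLS version is below " + floor.name)
    cap = ctx.maximum_version
    if cap != ssl.TLSVersion.MAXIMUM_SUPPORTED and cap < floor:
        findings.append("maximum TLS version is capped below " + floor.name)
    return findings


if __name__ == "__main__":
    for name, ctx in [("hardened", hardened_client_context()),
                      ("weak", weak_client_context())]:
        print(name, audit_context(ctx) or "ok")
```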

