[Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

Christian Heimes christian at python.org
Sun Jan 14 03:57:51 EST 2018


On 2018-01-14 01:03, Steven D'Aprano wrote:
> On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote:
>> On Sat, 13 Jan 2018 13:54:33 +0100
>> Christian Heimes <christian at python.org> wrote:
>>>
>>> If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land a
>>> bunch of useful goodies like proper hostname verification [2], proper
>>> fix for IP address in SNI TLS header [3], PEP 543 compatible Certificate
>>> and PrivateKey types (support loading certs and keys from file and
>>> memory) [4], and simplified cipher suite configuration [5]. I can
>>> finally clean up _ssl.c during the beta phase, too.
>>
>> Given the annoyance of supporting old OpenSSL versions, I'd say +1 to
>> this.
>>
>> We'll have to deal with the complaints of users of Debian oldstable,
>> CentOS 6 and RHEL 6, though.
> 
> It will probably be more work for Christian, but is it reasonable to 
> keep support for the older versions of OpenSSL, but make the useful 
> goodies conditional on a newer version?

It's much more than just goodies. For example, the
X509_VERIFY_PARAM_set1_host() API fixes a whole lot of issues with
ssl.match_hostname(). The feature is OpenSSL 1.0.2+ and baked into the
certificate validation system. I don't see a realistic way to perform
the same task with 1.0.1.

Christian