[Pythonmac-SIG] apple-Python and TLS 1.0

Glyph Lefkowitz glyph at twistedmatrix.com
Fri Jan 13 21:03:36 EST 2017


> On Jan 12, 2017, at 6:10 AM, Jack Jansen <Jack.Jansen at cwi.nl> wrote:
> 
> Ok, so this is a real problem:-(
> 
> Again, I’m not deep enough into the SSL stuff to really understand this (and specifically whether it needs a new openssl module, a new libssl, both, something else, ….), but I’d like to think of ways to fix this before the shit hits the fan for all poor mac Python users out there, if possible. And that includes people who aren’t even aware they’re macPython users because they use some app that uses Python under the hood…..
> 
> So a couple of questions:
> 
> 1. Is this fixable by Apple, by providing a security update to various OSX versions that would include a newer python/libssl/whatever? 

Yes.  Apple should really be including a private OpenSSL with Python.  But they probably won't do that.

> 1a. Would this still fall under Apple’s idea of “security update”?

No, it would probably be a Major-OS sort of thing.

> 1b. Do we have any chance of making Apple interested in fixing this?

It's doubtful that they will update OpenSSL directly.  But they might include a new version of Python with a different approach to basic TLS (see the 'tls' module in my other response)

> 2. Is this fixable with an installer that would somehow override the openssl module, so that installing this one thing would make the whole Apple-Python installation work again?

Yes and no.  You could fix this by replacing the 'ssl' module with a wrapper that replicates it based on 'pyOpenSSL', which is a layer over 'cryptography', but this doesn't help users bootstrap via Pip; it would be easier to just tell them to get a different Python.
> 
> 3. Failing that, I assume its the end of the line for Apple-Python, and we’ll have to steer end users towards installing a python.org version. Right?

Homebrew is by far my most preferred option (easier to get updates, easier to get PyPy, easier to make multiple versions play nicely, more tuned for developers, etc etc etc).  But python.org <http://python.org/> is a reasonable option as well.  And there are lots of other reasons not to tell users to use the system-provided Python.

> 3a. If that’s the case, is there something we could ask of the pip developers, the PyPi maintainers, whoever else to help the poor end users? I.e. get them to release a version that would not say “ssl v1 invalid foobar get lost” but instead “you appear to be using Apple Python which does not support current security measures, please see www.example.com for more information”.

There's no way to do this purely from PyPI's side, but with a little help from Apple it's doable.

Another option here is to build the mac Python installers differently so they're more user-friendly, and rather than a .pkg make a .app, so that users who have sufficiently little command-line expertise to be able to get something like Homebrew to behave properly would be able to get on-screen instructions and prompts that would help them get set up with a correct command line.

-glyph
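The friendly diagnostic Jack asks for in 3a, as an added example that is not part of the thread and not code from pip, PyPI or Apple. It assumes the failure is an interpreter whose ssl module cannot negotiate TLS 1.2 (the thread names TLS 1.0 but never states the linked OpenSSL version), judges that purely from what the ssl module exposes, and uses a placeholder help URL since the thread only gives www.example.com. It makes no network connection, so it can run before any download is attempted.

```python
"""Check whether this interpreter's ssl module can negotiate TLS 1.2.

Added example for this thread; not code from the mailing list, pip,
PyPI or Apple.  The check uses only what the ssl module exposes
(linked OpenSSL version and protocol constants) and never touches
the network.
"""
import ssl
import sys

# Assumption: OpenSSL 1.0.1 is the first release that implements
# TLS 1.2; earlier 0.9.8-era libraries stop at TLS 1.0.
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)


def openssl_version():
    """Return the linked OpenSSL version as a (major, minor, fix) tuple."""
    return tuple(ssl.OPENSSL_VERSION_INFO[:3])


def tls12_capable():
    """True if the ssl module can speak TLS 1.2.

    Python 3.7+ exposes ssl.HAS_TLSv1_2 directly.  Older interpreters
    are judged by whether the PROTOCOL_TLSv1_2 constant exists and the
    linked OpenSSL is new enough to actually implement it.
    """
    has_flag = getattr(ssl, "HAS_TLSv1_2", None)
    if has_flag is not None:
        return bool(has_flag)
    return (hasattr(ssl, "PROTOCOL_TLSv1_2")
            and openssl_version() >= MIN_OPENSSL_FOR_TLS12)


def diagnose(help_url="https://www.example.com/apple-python-tls"):
    """Return a human-readable verdict instead of an opaque SSL error.

    help_url is a placeholder (assumption); the thread only mentions
    www.example.com as a stand-in for a real help page.
    """
    if tls12_capable():
        return "OK: Python %s with %s supports TLS 1.2" % (
            sys.version.split()[0], ssl.OPENSSL_VERSION)
    return ("Your Python (%s, linked against %s) cannot negotiate TLS 1.2, "
            "which current package indexes require. Please see %s for how "
            "to install an up-to-date Python."
            % (sys.executable, ssl.OPENSSL_VERSION, help_url))


if __name__ == "__main__":
    print(diagnose())
    sys.exit(0 if tls12_capable() else 1)
```

Run it with the interpreter in question (`/usr/bin/python diagnose_tls.py` on a Mac); a non-zero exit and the explanatory message replace the "ssl v1 invalid" style error a user would otherwise hit partway through a pip run. The version-tuple fallback exists because interpreters old enough to have this problem predate `ssl.HAS_TLSv1_2`.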
