classification
Title: Upgrade to OpenSSL 1.1.1c, 1.1.0k, and/or 1.0.2s
Type: enhancement Stage: resolved
Components: macOS, SSL, Windows Versions: Python 3.9, Python 3.8, Python 3.7, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: alex, christian.heimes, dstufft, janssen, miss-islington, ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, zach.ware
Priority: deferred blocker Keywords: patch

Created on 2018-09-11 17:13 by christian.heimes, last changed 2019-06-18 10:50 by ned.deily. This issue is now closed.

Pull Requests
URL Status Linked
PR 12094 closed christian.heimes, 2019-02-28 16:11
PR 14161 merged steve.dower, 2019-06-17 15:45
PR 14163 merged steve.dower, 2019-06-17 16:36
PR 14164 merged miss-islington, 2019-06-17 18:36
PR 14165 merged steve.dower, 2019-06-17 19:10
PR 14187 merged ned.deily, 2019-06-18 07:58
PR 14189 merged miss-islington, 2019-06-18 08:18
PR 14190 merged miss-islington, 2019-06-18 08:18
PR 14198 merged ned.deily, 2019-06-18 10:09
Messages (17)
msg325034 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-09-11 17:13
OpenSSL 1.1.1 was released today. The blog post https://www.openssl.org/blog/blog/2018/09/11/release111/ lists all major improvements.

Highlights:
* TLS 1.3
* API and ABI compatible with OpenSSL 1.1.0
* LTS release (support schedule TBD)

All tests on master are passing with OpenSSL 1.1.1. I still want to hold off and wait a couple of patch releases, before we start to ship Windows and macOS builds with 1.1.1. Some aspects of the TLS 1.3 handshake are different to TLS 1.2. I might have to implement some additional APIs for post handshake authentication.
msg336846 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-02-28 16:07
Hi macOS and Windows devs,

as I explained in https://mail.python.org/pipermail/python-dev/2019-February/156470.html we need to update Python 3.7 to OpenSSL 1.1.1 eventually. 1.1.0 will reach EOL in September.
msg338748 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-03-24 20:06
[From the cited python-dev email]:

"Python 3.7 and master (3.8) are affected. As of now, both branches use
OpenSSL 1.1.0 and must be updated to 1.1.1 soonish. Ned has scheduled
3.7.3 release for 2019-03-25. That's still well within the release
schedule for 1.1.0. I suggest that we update to 1.1.1 directly after the
release of Python 3.7.3 and target 3.7.4 as first builds with TLS 1.3
support. That gives Victor, Steve, and me enough time to sort out the
remaining issues."

So setting the priority here to "deferred blocker" as a reminder to take care of this prior to 3.8.0b1 (2019-05-26) and 3.7.4rc1 (2019-06-10) at the latest.
msg345826 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-06-17 08:45
It looks like we missed the window for 3.7.4 here. (I assume the Windows installer build is not using 1.1.1. Steve?) Talking with Christian about this in IRC, we agreed, the CI pipelines (Azure and Travis) are now using 1.1.1c and I've put a request to the buildbot owners to upgrade to 1.1.1c if possible. So let's retarget 1.1.1c for 3.7.5 then which will be right around the time 1.1.0 support ends. In the meantime, we should update other installers to 1.1.0k and 1.0.2s.
msg345836 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-06-17 09:55
> (I assume the Windows installer build is not using 1.1.1.  Steve?)

After doing a little more homework and better understanding PCbuild/get_externals.bat, https://github.com/python/cpython-source-deps, and https://github.com/python/cpython-bin-deps and their twisting branches, it appears we *are* using 1.1.1, in particular, 1.1.1b for 3.7 and 3.8 Windows builds.  So:

1. Can/should we try to update to 1.1.1c for 3.7.4 on Windows, and

2. Should I try to update the macOS installer to 1.1.1c for 3.7.4?

For the latter, I'll give it a try and see how smoothly it goes before making a final decision.
msg345868 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-06-17 15:33
The canonical source of versions used on Windows is in PCbuild/python.props.

I'll pull the 1.1.1c sources into cpython-source-deps and run a build. If all goes smoothly, we can consider it, but I don't have a huge amount of time for CPython this week I'm afraid.
msg345875 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-06-17 16:33
New changeset d8e3a8af775d683c606f3618d04f2be4e97ac3c0 by Steve Dower in branch '2.7':
bpo-34631: Updated OpenSSL to 1.0.2s in Windows installer (GH-14161)
https://github.com/python/cpython/commit/d8e3a8af775d683c606f3618d04f2be4e97ac3c0
msg345886 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-06-17 18:35
The tests seem to pass fine for 1.1.1c against master, so I'll merge that and see if the backport is also okay.
msg345887 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-06-17 18:36
New changeset a268edd6a411480281222b1fdb0f78053434d17f by Steve Dower in branch 'master':
bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer (GH-14163)
https://github.com/python/cpython/commit/a268edd6a411480281222b1fdb0f78053434d17f
msg345893 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-06-17 19:54
New changeset c28c1358245b9fe42e9559c34eae01befce73a1f by Steve Dower (Miss Islington (bot)) in branch '3.8':
bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer (GH-14163)
https://github.com/python/cpython/commit/c28c1358245b9fe42e9559c34eae01befce73a1f
msg345911 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-06-17 21:21
Ned - the 3.7 backport seems to be okay (PR 14165). Do we want it?
msg345932 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-06-17 22:22
Might as well, thanks!
msg345933 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-06-17 22:26
New changeset 14bac0088271d0a5c428e3468ef94fe7c73e93f7 by Steve Dower in branch '3.7':
bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer (GH-14163)
https://github.com/python/cpython/commit/14bac0088271d0a5c428e3468ef94fe7c73e93f7
msg345959 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-06-18 08:17
New changeset f3fb8393e3cbbdc0ec79e0fdefaadec6977e1491 by Ned Deily in branch 'master':
bpo-34631: Updated OpenSSL to 1.1.1c in macOS installer (GH-14187)
https://github.com/python/cpython/commit/f3fb8393e3cbbdc0ec79e0fdefaadec6977e1491
msg345962 - (view) Author: miss-islington (miss-islington) Date: 2019-06-18 08:39
New changeset bd75abfefed31316fc627069597cc3c5087a885b by Miss Islington (bot) in branch '3.8':
bpo-34631: Updated OpenSSL to 1.1.1c in macOS installer (GH-14187)
https://github.com/python/cpython/commit/bd75abfefed31316fc627069597cc3c5087a885b
msg345963 - (view) Author: miss-islington (miss-islington) Date: 2019-06-18 08:40
New changeset 0f3abbc29f5750706be1a255784eea5003c25901 by Miss Islington (bot) in branch '3.7':
bpo-34631: Updated OpenSSL to 1.1.1c in macOS installer (GH-14187)
https://github.com/python/cpython/commit/0f3abbc29f5750706be1a255784eea5003c25901
msg345980 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-06-18 10:48
New changeset a5b1b222077870f194ca7c8c0326eeda014f0452 by Ned Deily in branch '2.7':
bpo-34631: Updated OpenSSL to 1.0.2s in macOS installer. (GH-14198)
https://github.com/python/cpython/commit/a5b1b222077870f194ca7c8c0326eeda014f0452
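
A check for whether a given interpreter is linked against at least the per-series OpenSSL releases named in this issue's title (1.1.1c, 1.1.0k, 1.0.2s), and whether it exposes TLS 1.3. This is an added example, not code from the issue or from CPython; the `FLOORS` table and the function names are assumptions of the example, and the sample banners are constructed.

```python
import re
import ssl

# Releases named in this issue's title, treated here (an assumption of this
# example) as the minimum patch letter for each pre-3.0 release series.
FLOORS = {"1.1.1": "c", "1.1.0": "k", "1.0.2": "s"}

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Split 'OpenSSL 1.1.1b  26 Feb 2019' into ('1.1.1', 'b')."""
    match = _BANNER_RE.search(banner)
    if match is None:
        raise ValueError("not an OpenSSL banner: %r" % (banner,))
    return match.group(1), match.group(2)


def _patch_rank(letters):
    # Patch letters order as '' < 'a' < ... < 'z' < 'za' < 'zb' ...
    return (len(letters), letters)


def meets_floor(banner, floors=FLOORS):
    """True/False for a listed series; None when the series is not listed."""
    series, letters = parse_openssl_version(banner)
    if series not in floors:
        return None
    return _patch_rank(letters) >= _patch_rank(floors[series])


def audit_interpreter():
    """Describe the OpenSSL build this interpreter is linked against."""
    try:
        ok = meets_floor(ssl.OPENSSL_VERSION)
    except ValueError:  # e.g. a LibreSSL-linked build
        ok = None
    return {
        "banner": ssl.OPENSSL_VERSION,
        "meets_floor": ok,
        "tls13": getattr(ssl, "HAS_TLSv1_3", False),
    }


if __name__ == "__main__":
    # Constructed sample banners, followed by the running interpreter.
    for sample in ("OpenSSL 1.1.1b  26 Feb 2019", "OpenSSL 1.0.2s  28 May 2019"):
        print(sample, "->", meets_floor(sample))
    print(audit_interpreter())
```

A `None` result means the banner belongs to a series outside the three listed here (or is not an OpenSSL banner at all), so it needs a separate judgement rather than a pass.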
History
Date User Action Args
2019-06-18 10:50:43 ned.deily set status: open -> closed; resolution: fixed; stage: patch review -> resolved
2019-06-18 10:48:57 ned.deily set messages: + msg345980
2019-06-18 10:09:34 ned.deily set pull_requests: + pull_request14035
2019-06-18 08:40:08 miss-islington set messages: + msg345963
2019-06-18 08:39:56 miss-islington set nosy: + miss-islington; messages: + msg345962
2019-06-18 08:18:20 miss-islington set pull_requests: + pull_request14027
2019-06-18 08:18:10 miss-islington set pull_requests: + pull_request14026
2019-06-18 08:17:39 ned.deily set messages: + msg345959
2019-06-18 07:58:18 ned.deily set pull_requests: + pull_request14024
2019-06-17 22:26:46 steve.dower set messages: + msg345933
2019-06-17 22:22:05 ned.deily set messages: + msg345932
2019-06-17 21:21:07 steve.dower set messages: + msg345911
2019-06-17 19:54:28 steve.dower set messages: + msg345893
2019-06-17 19:10:31 steve.dower set pull_requests: + pull_request14007
2019-06-17 18:36:45 miss-islington set pull_requests: + pull_request14006
2019-06-17 18:36:13 steve.dower set messages: + msg345887
2019-06-17 18:35:57 steve.dower set messages: + msg345886
2019-06-17 16:36:05 steve.dower set pull_requests: + pull_request14005
2019-06-17 16:33:29 steve.dower set messages: + msg345875
2019-06-17 15:45:21 steve.dower set pull_requests: + pull_request14003
2019-06-17 15:33:23 steve.dower set messages: + msg345868
2019-06-17 09:55:12 ned.deily set messages: + msg345836
2019-06-17 08:45:59 ned.deily set title: Upgrade to OpenSSL 1.1.1b -> Upgrade to OpenSSL 1.1.1c, 1.1.0k, and/or 1.0.2s; messages: + msg345826; versions: + Python 2.7, Python 3.9
2019-03-24 20:06:42 ned.deily set priority: normal -> deferred blocker; messages: + msg338748
2019-02-28 16:11:58 christian.heimes set keywords: + patch; stage: patch review; pull_requests: + pull_request12102
2019-02-28 16:07:48 christian.heimes set title: Upgrade to OpenSSL 1.1.1 -> Upgrade to OpenSSL 1.1.1b; nosy: + paul.moore, ronaldoussoren, tim.golden, ned.deily, zach.ware, steve.dower; messages: + msg336846; versions: + Python 3.7; components: + macOS, Windows
2018-09-11 17:13:46 christian.heimes create