➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2020-09-23 00:59 by ned.deily, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 24080 | merged | ned.deily, 2021-01-04 09:18 | |
| PR 24083 | merged | miss-islington, 2021-01-04 09:40 | |
| PR 24084 | merged | miss-islington, 2021-01-04 09:40 | |
| PR 24125 | merged | steve.dower, 2021-01-05 20:54 | |
| PR 24127 | merged | steve.dower, 2021-01-05 21:42 | |
| PR 24131 | merged | steve.dower, 2021-01-05 23:42 | |
| PR 24677 | merged | ned.deily, 2021-03-01 07:15 | |
| PR 24678 | merged | miss-islington, 2021-03-01 07:39 | |
| PR 24679 | merged | miss-islington, 2021-03-01 07:39 | |
| Messages (20) | |||
|---|---|---|---|
| msg377352 - (view) | Author: Ned Deily (ned.deily) *  |
Date: 2020-09-23 00:59 | |
"22-Sep-2020 OpenSSL 1.1.1h is now available, including bug fixes"
Christian, any changes need in _ssl or any other reasons we should not upgrade?
Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
*) Certificates with explicit curve parameters are now disallowed in
verification chains if the X509_V_FLAG_X509_STRICT flag is used.
[Tomas Mraz]
*) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts, and
conversely, silently ignore DTLS protocol version bounds when configuring
TLS-based contexts. The commands can be repeated to set bounds of both
types. The same applies with the corresponding "min_protocol" and
"max_protocol" command-line switches, in case some application uses both TLS
and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
[Viktor Dukhovni]
*) Handshake now fails if Extended Master Secret extension is dropped
on renegotiation.
[Tomas Mraz]
|
|||
| msg382102 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2020-11-30 01:28 | |
Christian, ping? |
|||
| msg382149 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2020-11-30 14:23 | |
Sorry, I missed the initial ping. The changes look unproblematic to me. Our test suite is passing with 1.1.1h, too. Python doesn't set VERIFY_X509_STRICT by default and does not support DTLS. Please go ahead. |
|||
| msg382234 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2020-12-01 11:05 | |
You may want to hold off until next week: https://mta.openssl.org/pipermail/openssl-announce/2020-December/000186.html OpenSSL 1.1.i is a security-fix release. The highest severity issue fixed in this release is HIGH. |
|||
| msg384311 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2021-01-04 09:39 | |
New changeset 14097a2785414c728d41d8d730a469a8c46ecdb9 by Ned Deily in branch 'master': bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i. (GH-24080) https://github.com/python/cpython/commit/14097a2785414c728d41d8d730a469a8c46ecdb9 |
|||
| msg384315 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2021-01-04 10:27 | |
New changeset f24ac455521e46bf9f6c7971aec0e4abec4451c4 by Miss Islington (bot) in branch '3.8': bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i. (GH-24080) (#24084) https://github.com/python/cpython/commit/f24ac455521e46bf9f6c7971aec0e4abec4451c4 |
|||
| msg384316 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2021-01-04 10:28 | |
New changeset 76489dd2998ac70ffb300d612792a7238c03438c by Miss Islington (bot) in branch '3.9': bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i. (GH-24080) (GH-24083) https://github.com/python/cpython/commit/76489dd2998ac70ffb300d612792a7238c03438c |
|||
| msg384434 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-01-05 21:35 | |
New changeset afb71443788a7b20f9104243b3d8d37e3d12cfe2 by Steve Dower in branch 'master': bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i (GH-24125) https://github.com/python/cpython/commit/afb71443788a7b20f9104243b3d8d37e3d12cfe2 |
|||
| msg384442 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-01-05 23:37 | |
New changeset c8333931434389ae72da9eb0471054f4393249db by Steve Dower in branch '3.9': bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i (GH-24125) https://github.com/python/cpython/commit/c8333931434389ae72da9eb0471054f4393249db |
|||
| msg384448 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-01-06 00:07 | |
New changeset 86b1207dbb9201d1259d1ec7603e720e29ba9042 by Steve Dower in branch '3.8': bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i (GH-24125) https://github.com/python/cpython/commit/86b1207dbb9201d1259d1ec7603e720e29ba9042 |
|||
| msg384452 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-01-06 00:12 | |
I believe this is all done now. |
|||
| msg384590 - (view) | Author: Sebastian Voigt (squear) | Date: 2021-01-07 14:47 | |
The fix has only be done for 3.8, 3.9 and 3.10. Are 3.7 and 3.6 are not impacted? |
|||
| msg384592 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2021-01-07 15:31 | |
They are impacted. However 3.7.9 and 3.6.8 were the last releases with binaries for Windows and macOS. All subsequent releases are source-only releases. Since we don't release binaries for 3.6 and 3.7 any more, we typically don't update them. |
|||
| msg385102 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2021-01-15 08:55 | |
I got bad news. OpenSSL 1.1.1i introduced a regression in cert validation. This affects some cases that involve self-signed certificates. Cert validation fails if a self-signed certificate is used as both a trust anchor (root CA) and EE cert. This may affect Python. Would it be possible to rebuild our OpenSSL binaries with patch https://github.com/openssl/openssl/pull/13749 ? |
|||
| msg387353 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-02-19 20:55 | |
Looks like we missed Christian's last message... Have OpenSSL made an updated release? If this issue is as bad as the short description above sounds, I expect they would have. It's possible to rebuild with the patch, but easier if it's a release. (Also, Christian, should this have been a release blocker? We just made fast releases for a security concern...) |
|||
| msg387425 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2021-02-20 19:08 | |
1.1.1j was issued earlier this week and, from browsing the source, it appears that this fix is included (it's not mentioned as a major issue) along with other fixes. So I assume we just need to update the installers to use 1.1.1j. The question is then do need to push updated installers for 3.9.x and 3.8.x? Setting to "deferred blocker" pending a decision. @Christian? @Łukasz? |
|||
| msg387846 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2021-03-01 07:39 | |
New changeset 0242494a156970186cbc4121ccf03aefbddea716 by Ned Deily in branch 'master': bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j. (GH-24677) https://github.com/python/cpython/commit/0242494a156970186cbc4121ccf03aefbddea716 |
|||
| msg387848 - (view) | Author: miss-islington (miss-islington) | Date: 2021-03-01 08:00 | |
New changeset e2f6ed89aeaa0b723f45f914dba92e1b42518395 by Miss Islington (bot) in branch '3.8': bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j. (GH-24677) https://github.com/python/cpython/commit/e2f6ed89aeaa0b723f45f914dba92e1b42518395 |
|||
| msg387849 - (view) | Author: miss-islington (miss-islington) | Date: 2021-03-01 08:01 | |
New changeset 982e8ecbdf216bc1fa285a4ff45c84c6778856e5 by Miss Islington (bot) in branch '3.9': bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j. (GH-24677) https://github.com/python/cpython/commit/982e8ecbdf216bc1fa285a4ff45c84c6778856e5 |
|||
| msg390251 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2021-04-05 19:37 | |
Now updated to OpenSSL 1.1.1k in Issue43631 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:35 | admin | set | github: 86003 |
| 2021-04-05 19:37:40 | ned.deily | set | status: open -> closed priority: deferred blocker -> resolution: out of date messages: + msg390251 superseder: Update to OpenSSL 1.1.1k stage: patch review -> resolved |
| 2021-03-01 08:01:50 | miss-islington | set | messages: + msg387849 |
| 2021-03-01 08:00:16 | miss-islington | set | messages: + msg387848 |
| 2021-03-01 07:39:49 | miss-islington | set | pull_requests: + pull_request23464 |
| 2021-03-01 07:39:43 | miss-islington | set | pull_requests: + pull_request23463 |
| 2021-03-01 07:39:20 | ned.deily | set | messages: + msg387846 |
| 2021-03-01 07:15:22 | ned.deily | set | pull_requests: + pull_request23462 |
| 2021-02-20 19:08:41 | ned.deily | set | priority: high -> deferred blocker messages: + msg387425 title: Upgrade installers to OpenSSL 1.1.1i -> Upgrade installers to OpenSSL 1.1.1j |
| 2021-02-19 21:11:45 | ned.deily | set | nosy:
+ lukasz.langa |
| 2021-02-19 20:55:39 | steve.dower | set | messages: + msg387353 |
| 2021-01-15 08:55:18 | christian.heimes | set | status: closed -> open type: behavior messages: + msg385102 resolution: fixed -> (no value) stage: resolved -> patch review |
| 2021-01-07 15:31:43 | christian.heimes | set | messages: + msg384592 |
| 2021-01-07 14:47:44 | squear | set | nosy:
+ squear messages: + msg384590 |
| 2021-01-06 00:12:22 | steve.dower | set | status: open -> closed resolution: fixed messages: + msg384452 stage: patch review -> resolved |
| 2021-01-06 00:07:58 | steve.dower | set | messages: + msg384448 |
| 2021-01-05 23:42:05 | steve.dower | set | pull_requests: + pull_request22961 |
| 2021-01-05 23:37:38 | steve.dower | set | messages: + msg384442 |
| 2021-01-05 21:42:09 | steve.dower | set | pull_requests: + pull_request22957 |
| 2021-01-05 21:35:11 | steve.dower | set | messages: + msg384434 |
| 2021-01-05 20:54:04 | steve.dower | set | pull_requests: + pull_request22955 |
| 2021-01-04 10:28:36 | ned.deily | set | messages: + msg384316 |
| 2021-01-04 10:27:26 | ned.deily | set | messages: + msg384315 |
| 2021-01-04 09:41:11 | ned.deily | set | title: Upgrade installers to OpenSSL 1.1.1h -> Upgrade installers to OpenSSL 1.1.1i |
| 2021-01-04 09:40:17 | miss-islington | set | pull_requests: + pull_request22917 |
| 2021-01-04 09:40:06 | miss-islington | set | nosy:
+ miss-islington pull_requests: + pull_request22916 |
| 2021-01-04 09:39:50 | ned.deily | set | messages: + msg384311 |
| 2021-01-04 09:18:10 | ned.deily | set | keywords:
+ patch stage: patch review pull_requests: + pull_request22914 |
| 2020-12-01 11:05:45 | christian.heimes | set | messages: + msg382234 |
| 2020-11-30 14:23:01 | christian.heimes | set | messages: + msg382149 |
| 2020-11-30 01:28:16 | ned.deily | set | messages: + msg382102 |
| 2020-09-23 00:59:08 | ned.deily | create | |