Classification
Title: Upgrade installers to OpenSSL 1.1.1j
Type: behavior
Stage: patch review
Components: Build, macOS, Windows
Versions: Python 3.10, Python 3.9, Python 3.8

Process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, lukasz.langa, miss-islington, ned.deily, paul.moore, ronaldoussoren, squear, steve.dower, tim.golden, zach.ware
Priority: deferred blocker
Keywords: patch

Created on 2020-09-23 00:59 by ned.deily, last changed 2021-03-01 08:01 by miss-islington.

Pull Requests
URL Status Linked (by, date)
PR 24080 merged ned.deily, 2021-01-04 09:18
PR 24083 merged miss-islington, 2021-01-04 09:40
PR 24084 merged miss-islington, 2021-01-04 09:40
PR 24125 merged steve.dower, 2021-01-05 20:54
PR 24127 merged steve.dower, 2021-01-05 21:42
PR 24131 merged steve.dower, 2021-01-05 23:42
PR 24677 merged ned.deily, 2021-03-01 07:15
PR 24678 merged miss-islington, 2021-03-01 07:39
PR 24679 merged miss-islington, 2021-03-01 07:39
Messages (19)
msg377352 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-09-23 00:59
"22-Sep-2020  OpenSSL 1.1.1h is now available, including bug fixes"

Christian, any changes needed in _ssl or any other reasons we should not upgrade?

Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

  *) Certificates with explicit curve parameters are now disallowed in
     verification chains if the X509_V_FLAG_X509_STRICT flag is used.
     [Tomas Mraz]

  *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
     ignore TLS protocol version bounds when configuring DTLS-based contexts, and
     conversely, silently ignore DTLS protocol version bounds when configuring
     TLS-based contexts.  The commands can be repeated to set bounds of both
     types.  The same applies with the corresponding "min_protocol" and
     "max_protocol" command-line switches, in case some application uses both TLS
     and DTLS.
  
     SSL_CTX instances that are created for a fixed protocol version (e.g.
     TLSv1_server_method()) also silently ignore version bounds.  Previously
     attempts to apply bounds to these protocol versions would result in an
     error.  Now only the "version-flexible" SSL_CTX instances are subject to
     limits in configuration files in command-line options.
     [Viktor Dukhovni]

  *) Handshake now fails if Extended Master Secret extension is dropped
     on renegotiation.
     [Tomas Mraz]
msg382102 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-11-30 01:28
Christian, ping?
msg382149 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-11-30 14:23
Sorry, I missed the initial ping.

The changes look unproblematic to me. Our test suite is passing with 1.1.1h, too. Python doesn't set VERIFY_X509_STRICT by default and does not support DTLS.

Please go ahead.
msg382234 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-12-01 11:05
You may want to hold off until next week:

https://mta.openssl.org/pipermail/openssl-announce/2020-December/000186.html

OpenSSL 1.1.1i is a security-fix release. The highest severity issue fixed in this release is HIGH.
msg384311 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-01-04 09:39
New changeset 14097a2785414c728d41d8d730a469a8c46ecdb9 by Ned Deily in branch 'master':
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i. (GH-24080)
https://github.com/python/cpython/commit/14097a2785414c728d41d8d730a469a8c46ecdb9
msg384315 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-01-04 10:27
New changeset f24ac455521e46bf9f6c7971aec0e4abec4451c4 by Miss Islington (bot) in branch '3.8':
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i. (GH-24080) (#24084)
https://github.com/python/cpython/commit/f24ac455521e46bf9f6c7971aec0e4abec4451c4
msg384316 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-01-04 10:28
New changeset 76489dd2998ac70ffb300d612792a7238c03438c by Miss Islington (bot) in branch '3.9':
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i. (GH-24080) (GH-24083)
https://github.com/python/cpython/commit/76489dd2998ac70ffb300d612792a7238c03438c
msg384434 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-01-05 21:35
New changeset afb71443788a7b20f9104243b3d8d37e3d12cfe2 by Steve Dower in branch 'master':
bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i (GH-24125)
https://github.com/python/cpython/commit/afb71443788a7b20f9104243b3d8d37e3d12cfe2
msg384442 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-01-05 23:37
New changeset c8333931434389ae72da9eb0471054f4393249db by Steve Dower in branch '3.9':
bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i (GH-24125)
https://github.com/python/cpython/commit/c8333931434389ae72da9eb0471054f4393249db
msg384448 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-01-06 00:07
New changeset 86b1207dbb9201d1259d1ec7603e720e29ba9042 by Steve Dower in branch '3.8':
bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i (GH-24125)
https://github.com/python/cpython/commit/86b1207dbb9201d1259d1ec7603e720e29ba9042
msg384452 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-01-06 00:12
I believe this is all done now.
msg384590 - Author: Sebastian Voigt (squear) Date: 2021-01-07 14:47
The fix has only been done for 3.8, 3.9 and 3.10. Are 3.7 and 3.6 not impacted?
msg384592 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-07 15:31
They are impacted. However 3.7.9 and 3.6.8 were the last releases with binaries for Windows and macOS. All subsequent releases are source-only releases. Since we don't release binaries for 3.6 and 3.7 any more, we typically don't update them.
msg385102 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-15 08:55
I got bad news. OpenSSL 1.1.1i introduced a regression in cert validation. This affects some cases that involve self-signed certificates. Cert validation fails if a self-signed certificate is used as both a trust anchor (root CA) and EE cert. This may affect Python.

Would it be possible to rebuild our OpenSSL binaries with patch https://github.com/openssl/openssl/pull/13749 ?
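As an added example (not code from this issue or from CPython), a stdlib-only check that classifies the OpenSSL an interpreter was built against relative to the releases discussed in this thread; the function names and the "ok/regression/outdated/other" labels are my own, and the sample version strings in the comments are constructed to match OpenSSL's format.

```python
import re
import ssl

# 1.1.1i carried the security fixes but also the cert-validation regression
# (self-signed cert used as both trust anchor and EE cert); 1.1.1j carries
# the fix. OpenSSL 1.x patch letters map to numbers (a=1 ... i=9, j=10),
# which is also how ssl.OPENSSL_VERSION_INFO reports them.
REGRESSED = (1, 1, 1, 9)    # 1.1.1i
FIXED_IN = (1, 1, 1, 10)    # 1.1.1j

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(version_string):
    """Parse e.g. 'OpenSSL 1.1.1i  8 Dec 2020' into (1, 1, 1, 9).

    OpenSSL 3.x has no patch letter, so its patch component is 0.
    """
    m = _VERSION_RE.search(version_string)
    if m is None:
        raise ValueError("unrecognised OpenSSL version: %r" % version_string)
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def classify(version):
    """Return 'ok', 'regression', 'outdated' or 'other' for a parsed version.

    Only the 1.1.1 series is judged, since that is what this issue covers.
    Caveat: vendor builds (Linux distributions) often backport fixes without
    bumping the version string, so 'outdated' is a prompt to check the
    vendor changelog, not a verdict.
    """
    if version[:3] != (1, 1, 1):
        return "other"
    if version == REGRESSED:
        return "regression"
    if version < FIXED_IN:
        return "outdated"
    return "ok"


def check_running_interpreter():
    """Classify the OpenSSL this interpreter's ssl module was linked with."""
    return classify(parse_openssl_version(ssl.OPENSSL_VERSION))


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", check_running_interpreter())
```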
msg387353 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-02-19 20:55
Looks like we missed Christian's last message...

Have OpenSSL made an updated release? If this issue is as bad as the short description above sounds, I expect they would have.

It's possible to rebuild with the patch, but easier if it's a release.

(Also, Christian, should this have been a release blocker? We just made fast releases for a security concern...)
msg387425 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-02-20 19:08
1.1.1j was issued earlier this week and, from browsing the source, it appears that this fix is included (it's not mentioned as a major issue) along with other fixes. So I assume we just need to update the installers to use 1.1.1j. The question is then: do we need to push updated installers for 3.9.x and 3.8.x? Setting to "deferred blocker" pending a decision.

@Christian?  @Ɓukasz?
msg387846 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-03-01 07:39
New changeset 0242494a156970186cbc4121ccf03aefbddea716 by Ned Deily in branch 'master':
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j. (GH-24677)
https://github.com/python/cpython/commit/0242494a156970186cbc4121ccf03aefbddea716
msg387848 - Author: miss-islington (miss-islington) Date: 2021-03-01 08:00
New changeset e2f6ed89aeaa0b723f45f914dba92e1b42518395 by Miss Islington (bot) in branch '3.8':
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j. (GH-24677)
https://github.com/python/cpython/commit/e2f6ed89aeaa0b723f45f914dba92e1b42518395
msg387849 - Author: miss-islington (miss-islington) Date: 2021-03-01 08:01
New changeset 982e8ecbdf216bc1fa285a4ff45c84c6778856e5 by Miss Islington (bot) in branch '3.9':
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j. (GH-24677)
https://github.com/python/cpython/commit/982e8ecbdf216bc1fa285a4ff45c84c6778856e5
History
Date | User | Action | Args
2021-03-01 08:01:50 | miss-islington | set | messages: + msg387849
2021-03-01 08:00:16 | miss-islington | set | messages: + msg387848
2021-03-01 07:39:49 | miss-islington | set | pull_requests: + pull_request23464
2021-03-01 07:39:43 | miss-islington | set | pull_requests: + pull_request23463
2021-03-01 07:39:20 | ned.deily | set | messages: + msg387846
2021-03-01 07:15:22 | ned.deily | set | pull_requests: + pull_request23462
2021-02-20 19:08:41 | ned.deily | set | priority: high -> deferred blocker; messages: + msg387425; title: Upgrade installers to OpenSSL 1.1.1i -> Upgrade installers to OpenSSL 1.1.1j
2021-02-19 21:11:45 | ned.deily | set | nosy: + lukasz.langa
2021-02-19 20:55:39 | steve.dower | set | messages: + msg387353
2021-01-15 08:55:18 | christian.heimes | set | status: closed -> open; type: behavior; messages: + msg385102; resolution: fixed -> (none); stage: resolved -> patch review
2021-01-07 15:31:43 | christian.heimes | set | messages: + msg384592
2021-01-07 14:47:44 | squear | set | nosy: + squear; messages: + msg384590
2021-01-06 00:12:22 | steve.dower | set | status: open -> closed; resolution: fixed; messages: + msg384452; stage: patch review -> resolved
2021-01-06 00:07:58 | steve.dower | set | messages: + msg384448
2021-01-05 23:42:05 | steve.dower | set | pull_requests: + pull_request22961
2021-01-05 23:37:38 | steve.dower | set | messages: + msg384442
2021-01-05 21:42:09 | steve.dower | set | pull_requests: + pull_request22957
2021-01-05 21:35:11 | steve.dower | set | messages: + msg384434
2021-01-05 20:54:04 | steve.dower | set | pull_requests: + pull_request22955
2021-01-04 10:28:36 | ned.deily | set | messages: + msg384316
2021-01-04 10:27:26 | ned.deily | set | messages: + msg384315
2021-01-04 09:41:11 | ned.deily | set | title: Upgrade installers to OpenSSL 1.1.1h -> Upgrade installers to OpenSSL 1.1.1i
2021-01-04 09:40:17 | miss-islington | set | pull_requests: + pull_request22917
2021-01-04 09:40:06 | miss-islington | set | nosy: + miss-islington; pull_requests: + pull_request22916
2021-01-04 09:39:50 | ned.deily | set | messages: + msg384311
2021-01-04 09:18:10 | ned.deily | set | keywords: + patch; stage: patch review; pull_requests: + pull_request22914
2020-12-01 11:05:45 | christian.heimes | set | messages: + msg382234
2020-11-30 14:23:01 | christian.heimes | set | messages: + msg382149
2020-11-30 01:28:16 | ned.deily | set | messages: + msg382102
2020-09-23 00:59:08 | ned.deily | create |