classification
Title: PEP 644: Require OpenSSL 1.1.1 or newer
Type: enhancement
Stage: resolved
Components: SSL
Versions: Python 3.10
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: christian.heimes, philipp, wingel71
Priority: normal
Keywords: patch

Created on 2021-03-30 12:10 by christian.heimes, last changed 2021-09-03 17:03 by philipp. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 23014 merged christian.heimes, 2021-03-30 12:20
PR 25453 merged christian.heimes, 2021-04-17 10:10
PR 25470 merged christian.heimes, 2021-04-19 05:56
PR 25255 wingel71, 2021-04-22 09:41
Messages (5)
msg389823 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-03-30 12:10
Tracker ticket for PEP 644, https://www.python.org/dev/peps/pep-0644/

This PEP proposes for CPython’s standard library to support only OpenSSL 1.1.1 LTS or newer. Support for OpenSSL versions past end-of-lifetime, incompatible forks, and other TLS libraries is dropped.
msg391279 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 09:36
New changeset 39258d3595300bc7b952854c915f63ae2d4b9c3e by Christian Heimes in branch 'master':
bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014)
https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e
msg391280 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 09:37
- Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
- Update hashopenssl to require OpenSSL 1.1.1
- multissltests only OpenSSL > 1.1.0
- ALPN is always supported
- SNI is always supported
- Remove deprecated NPN code. Python wrappers are no-op.
- ECDH is always supported
- Remove OPENSSL_VERSION_1_1 macro
- Remove locking callbacks
- Drop PY_OPENSSL_1_1_API macro
- Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro
- SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now
- security level is always available now
- get_num_tickets is available with TLS 1.3
- X509_V_ERR MISMATCH is always available now
- Always set SSL_MODE_RELEASE_BUFFERS
- X509_V_FLAG_TRUSTED_FIRST is always available
- get_ciphers is always supported
- SSL_CTX_set_keylog_callback is always available
- Update Modules/Setup with static link example
- Mention PEP in whatsnew
- Drop 1.0.2 and 1.1.0 from GHA tests
msg391286 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 13:49
New changeset b8d0fa035d74ae6ae00794c9af636b427c5dc650 by Christian Heimes in branch 'master':
bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453)
https://github.com/python/cpython/commit/b8d0fa035d74ae6ae00794c9af636b427c5dc650
msg391366 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-19 06:31
New changeset d37b74f341c5a215e2fdd5eb4f8c0182f327635c by Christian Heimes in branch 'master':
bpo-43669: More test_ssl cleanups (GH-25470)
https://github.com/python/cpython/commit/d37b74f341c5a215e2fdd5eb4f8c0182f327635c
History
Date User Action Args
2021-09-03 17:03:00 philipp set nosy: + philipp
2021-04-22 09:41:31 wingel71 set nosy: + wingel71; pull_requests: + pull_request24240
2021-04-19 06:31:36 christian.heimes set messages: + msg391366
2021-04-19 05:56:55 christian.heimes set pull_requests: + pull_request24195
2021-04-17 13:49:53 christian.heimes set messages: + msg391286
2021-04-17 10:10:08 christian.heimes set pull_requests: + pull_request24182
2021-04-17 09:37:20 christian.heimes set status: open -> closed; resolution: fixed; messages: + msg391280; stage: patch review -> resolved
2021-04-17 09:36:42 christian.heimes set messages: + msg391279
2021-03-30 12:20:26 christian.heimes set keywords: + patch; stage: patch review; pull_requests: + pull_request23842
2021-03-30 12:10:46 christian.heimes create