OpenSSL 1.1.0 deprecated functions #74194

Open
floppym mannequin opened this issue Apr 6, 2017 · 15 comments
Labels
3.8 only security fixes 3.9 only security fixes 3.10 only security fixes build The build process and cross-build stdlib Python modules in the Lib dir topic-SSL

Comments

@floppym
Mannequin

floppym mannequin commented Apr 6, 2017

BPO 30008
Nosy @tiran, @alex, @floppym, @dstufft, @csabella, @markwright, @miss-islington
PRs
  • bpo-30008: SSL module: emulate tls methods #3934
  • bpo-30008: OpenSSL 1.1 compatibility without using deprecated API #3943
  • bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397) #20397
  • [3.9] bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397) #20565
  • [3.8] bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397) #20566
  • [3.7] bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397) #20567
Files
  • build.log: build log
  • python-2.7.14-openssl-1.1.0.patch: python-2.7.14-openssl-1.1.0.patch
  • python-3.4.6-openssl-1.1.0.patch: python-3.4.6-openssl-1.1.0.patch
  • python-3.5.4-openssl-1.1.0.patch: python-3.5.4-openssl-1.1.0.patch
  • python-3.6.3-openssl-1.1.0.patch: python-3.6.3-openssl-1.1.0.patch
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2017-04-06.16:34:45.622>
    labels = ['3.8', 'build', 'library', '3.9', '3.10']
    title = 'OpenSSL 1.1.0 deprecated functions'
    updated_at = <Date 2020-06-01.07:18:42.523>
    user = 'https://github.com/floppym'

    bugs.python.org fields:

    activity = <Date 2020-06-01.07:18:42.523>
    actor = 'miss-islington'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = ['Library (Lib)']
    creation = <Date 2017-04-06.16:34:45.622>
    creator = 'floppymaster'
    dependencies = []
    files = ['46782', '47198', '47199', '47200', '47201']
    hgrepos = []
    issue_num = 30008
    keywords = ['patch']
    message_count = 15.0
    messages = ['291236', '291343', '291345', '303951', '303953', '303954', '303955', '303967', '304028', '369904', '369906', '370535', '370536', '370537', '370538']
    nosy_count = 10.0
    nosy_names = ['janssen', 'christian.heimes', 'Arfrever', 'alex', 'devurandom', 'floppymaster', 'dstufft', 'cheryl.sabella', 'gienah', 'miss-islington']
    pr_nums = ['3934', '3943', '20397', '20565', '20566', '20567']
    priority = 'normal'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'compile error'
    url = 'https://bugs.python.org/issue30008'
    versions = ['Python 3.8', 'Python 3.9', 'Python 3.10']

    @floppym
    Mannequin Author

    floppym mannequin commented Apr 6, 2017

    Some effort was made to port Python to OpenSSL 1.1.0 (see bpo-26470). However, the code still uses several deprecated functions, and fails to compile against OpenSSL 1.1.0 if these functions are disabled.

    This may be replicated by building OpenSSL with --api=1.1.0. This will disable all functions marked as deprecated.

    I have attached a build log from the cpython master branch.

    Downstream bug: https://bugs.gentoo.org/show_bug.cgi?id=592480

    @floppym floppym mannequin added 3.7 (EOL) end of life stdlib Python modules in the Lib dir build The build process and cross-build labels Apr 6, 2017
    @tiran
    Member

    tiran commented Apr 8, 2017

    Thanks for your report.

    Python is going to require legacy functions like TLSv1_method() for a while. They are required to provide constants like PROTOCOL_TLSv1. I have deprecated these constants in 3.6 and they will be removed in 3.8. In the meantime Python is not compatible with OpenSSL api=1.1.0.

    @floppym
    Mannequin Author

    floppym mannequin commented Apr 8, 2017

    Thanks for the reply.

    OpenSSL 1.1.0 added functions to control the SSL/TLS version used by SSL contexts created using TLS_method(). You might consider updating the code for existing Python branches to use these functions.

    SSL_CTX_set_min_proto_version
    SSL_CTX_set_max_proto_version

    https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html

    @markwright
    Mannequin

    markwright mannequin commented Oct 9, 2017

    My proposed patch based on python 2.7.14 to remove the use of the API
    that was deprecated in openssl 1.1.

    @markwright
    Mannequin

    markwright mannequin commented Oct 9, 2017

    This patch allows python 3.4.6 to compile with openssl 1.1 without using
    the deprecated API. It is hacky though as I had to backport changes
    that were already in 3.5.4 and 3.6.3.

    Also RAND_pseudo_bytes was removed, so I call RAND_bytes instead.

    @markwright
    Mannequin

    markwright mannequin commented Oct 9, 2017

    My proposed patch based on python 3.5.4 to remove the use of the API
    that was deprecated in openssl 1.1. As RAND_pseudo_bytes was removed I
    call RAND_bytes instead.

    @markwright
    Mannequin

    markwright mannequin commented Oct 9, 2017

    My proposed patch based on python 3.6.3 to remove the use of the API
    that was deprecated in openssl 1.1. As RAND_pseudo_bytes was removed I
    call RAND_bytes instead.

    @tiran
    Member

    tiran commented Oct 9, 2017

    Thanks for your patches, Mark. A few remarks:

    Python 3.5 is in security fix-only mode. The issue is not a security bug.

    Python has switched to a different workflow a while ago. Please provide a pull request on GitHub against master (3.7). I'll take care of the backports.

    Also your implementation of version specific TLS has multiple flaws, e.g. missing NULL check and missing set_max_proto_version() calls. I opened a new PR.
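
The replacement discussed above (the version-flexible method plus both protocol bounds), shown at the Python level as an added example; it is not code from this issue, its patches, or CPython's `_ssl.c`. `SSLContext.minimum_version` and `maximum_version` are the `ssl` module attributes backed by `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version`; the helper names and the mapping table are assumptions made for illustration.

```python
import ssl

# Legacy per-version constants mapped to the TLSVersion each one selected and
# to the flag saying whether this OpenSSL build still ships that version.
# (Table constructed for this example.)
LEGACY = {
    "PROTOCOL_TLSv1": (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    "PROTOCOL_TLSv1_1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    "PROTOCOL_TLSv1_2": (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
}


def pinned_client_context(legacy_name):
    """Hypothetical helper: build the single-version context a legacy
    constant used to give, starting from the version-flexible method."""
    if legacy_name not in LEGACY:
        raise ValueError(f"no single-version equivalent for {legacy_name!r}")
    version, available = LEGACY[legacy_name]
    if not available:
        # Counterpart of the NULL check on the C side: fail loudly rather
        # than hand back a context that negotiates some other version.
        raise ValueError(f"{version.name} is not compiled into this OpenSSL")

    # PROTOCOL_TLS_CLIENT uses the version-flexible method and keeps
    # certificate and hostname verification enabled.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Both bounds are needed. Setting only the floor still lets a newer
    # version be negotiated; setting only the ceiling still allows older ones.
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def version_range(ctx):
    """Return the (minimum, maximum) protocol names configured on ctx."""
    return ctx.minimum_version.name, ctx.maximum_version.name


if __name__ == "__main__":
    print(version_range(pinned_client_context("PROTOCOL_TLSv1_2")))
```
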

    @markwright
    Mannequin

    markwright mannequin commented Oct 10, 2017

    Thanks, I opened #3943 for the rest of the changes (on top of your changes in #3934) to allow it to compile with OpenSSL 1.1.0f compiled with disable-deprecated.

    @csabella
    Contributor

    @christian.heimes, is this issue and PR still relevant? You mention 3.8 in msg291343. Thanks!

    @tiran
    Member

    tiran commented May 25, 2020

    Yes, it's still relevant. I haven't got time to look into the matter yet.

    @tiran tiran added 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes and removed 3.7 (EOL) end of life labels May 25, 2020
    @tiran
    Member

    tiran commented Jun 1, 2020

    New changeset a871f69 by Christian Heimes in branch 'master':
    bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
    a871f69

    @miss-islington
    Contributor

    New changeset 296db8c by Miss Islington (bot) in branch '3.7':
    bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
    296db8c

    @miss-islington
    Contributor

    New changeset 9c0ff17 by Miss Islington (bot) in branch '3.8':
    bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
    9c0ff17

    @miss-islington
    Contributor

    New changeset 24a88b0 by Miss Islington (bot) in branch '3.9':
    bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
    24a88b0

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022