OpenSSL 1.1.0 deprecated functions #74194
Comments
Some effort was made to port Python to OpenSSL 1.1.0 (see bpo-26470). However, the code still uses several deprecated functions, and fails to compile against OpenSSL 1.1.0 if these functions are disabled. This may be replicated by building OpenSSL with --api=1.1.0. This will disable all functions marked as deprecated. I have attached a build log from the cpython master branch. Downstream bug: https://bugs.gentoo.org/show_bug.cgi?id=592480
Thanks for your report. Python is going to require legacy functions like TLSv1_method() for a while. They are required to provide constants like PROTOCOL_TLSv1. I have deprecated these constants in 3.6 and they will be removed in 3.8. In the meantime Python is not compatible with OpenSSL api=1.1.0.
Thanks for the reply. OpenSSL 1.1.0 added functions to control the SSL/TLS version used by SSL contexts created using TLS_method(). You might consider updating the code for existing Python branches to use these functions. SSL_CTX_set_min_proto_version https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html
My proposed patch based on python 2.7.14 to remove the use of the API
This patch allows python 3.4.6 to compile with openssl 1.1 without using Also RAND_pseudo_bytes was removed, so I call RAND_bytes instead.
My proposed patch based on python 3.5.4 to remove the use of the API
My proposed patch based on python 3.6.3 to remove the use of the API
Thanks for your patches, Mark. A few remarks: Python 3.5 is in security fix-only mode. The issue is not a security bug. Python has switched to a different workflow a while ago. Please provide a pull request on GitHub against master (3.7). I'll take care of the backports. Also your implementation of version specific TLS has multiple flaws, e.g. missing NULL check and missing set_max_proto_version() calls. I opened a new PR.
@christian.heimes, is this issue and PR still relevant? You mention 3.8 in msg291343. Thanks! |
Yes, it's still relevant. I haven't got time to look into the matter yet. |
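The approach raised in the thread (a version-flexible method plus explicit minimum and maximum protocol bounds, instead of a version-specific method such as TLSv1_method()), shown at the Python level as an added example that is not code from the issue or from any of the attached patches. The helper names `pinned_client_context`, `min_only_context` and `is_pinned` are hypothetical, and the code assumes Python 3.7+ built against an OpenSSL that supports `minimum_version` and `maximum_version`.

```python
import ssl

# Legacy constant names (deprecated, per the thread) mapped to the protocol
# bound that replaces them on a version-flexible context.
LEGACY_TO_VERSION = {
    "PROTOCOL_TLSv1": ssl.TLSVersion.TLSv1,
    "PROTOCOL_TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "PROTOCOL_TLSv1_2": ssl.TLSVersion.TLSv1_2,
}


def pinned_client_context(legacy_name):
    """Return a client context limited to exactly one TLS version (hypothetical helper)."""
    try:
        version = LEGACY_TO_VERSION[legacy_name]
    except KeyError:
        raise ValueError(f"unknown legacy protocol name: {legacy_name!r}") from None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # TLS_client_method() underneath
    # Lower bound first (a fresh context has no upper bound), then the upper bound.
    ctx.minimum_version = version  # SSL_CTX_set_min_proto_version
    ctx.maximum_version = version  # SSL_CTX_set_max_proto_version
    return ctx


def min_only_context(version):
    """The incomplete form: lower bound set, upper bound left open (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    return ctx


def is_pinned(ctx, version):
    """True only when both bounds equal `version`, matching a version-specific method."""
    return ctx.minimum_version == version and ctx.maximum_version == version


if __name__ == "__main__":
    v = ssl.TLSVersion.TLSv1_2
    print("min+max set:", is_pinned(pinned_client_context("PROTOCOL_TLSv1_2"), v))
    print("min only:   ", is_pinned(min_only_context(v), v))
```

A context with only the lower bound set can still negotiate any newer protocol, so it does not reproduce the behaviour of the version-specific method it replaces.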