PEP 644: Require OpenSSL 1.1.1 or newer #87835

Closed
tiran opened this issue Mar 30, 2021 · 5 comments

tiran commented Mar 30, 2021

BPO 43669
Nosy @tiran, @wingel, @illia-v, @pprindeville, @ramikg
PRs
  • bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014) #23014
  • bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453) #25453
  • bpo-43669: More test_ssl cleanups (GH-25470) #25470
  • bpo-37952: SSL: add support for export_keying_material #25255
  • bpo-43669: Drop the internal _sha3 module per PEP 644 #28768
  • bpo-45399: Remove hostflags from PySSLContext #28602
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2021-04-17.09:37:20.558>
    created_at = <Date 2021-03-30.12:10:46.359>
    labels = ['expert-SSL', 'type-feature', '3.10']
    title = 'PEP 644: Require OpenSSL 1.1.1 or newer'
    updated_at = <Date 2021-10-07.09:18:15.969>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2021-10-07.09:18:15.969>
    actor = 'ramikg'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2021-04-17.09:37:20.558>
    closer = 'christian.heimes'
    components = ['SSL']
    creation = <Date 2021-03-30.12:10:46.359>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 43669
    keywords = ['patch']
    message_count = 5.0
    messages = ['389823', '391279', '391280', '391286', '391366']
    nosy_count = 5.0
    nosy_names = ['christian.heimes', 'wingel71', 'illia-v', 'philipp', 'ramikg']
    pr_nums = ['23014', '25453', '25470', '25255', '28768', '28602']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'enhancement'
    url = 'https://bugs.python.org/issue43669'
    versions = ['Python 3.10']


    tiran commented Mar 30, 2021

    Tracker ticket for PEP-644, https://www.python.org/dev/peps/pep-0644/

    This PEP proposes for CPython’s standard library to support only OpenSSL 1.1.1 LTS or newer. Support for OpenSSL versions past end-of-lifetime, incompatible forks, and other TLS libraries is dropped.

    @tiran tiran added the 3.10 only security fixes label Mar 30, 2021
    @tiran tiran self-assigned this Mar 30, 2021
    @tiran tiran added topic-SSL 3.10 only security fixes type-feature A feature request or enhancement labels Mar 30, 2021

    tiran commented Apr 17, 2021

    New changeset 39258d3 by Christian Heimes in branch 'master':
    bpo-43669: PEP-644: Require OpenSSL 1.1.1 or newer (GH-23014)
    39258d3


    tiran commented Apr 17, 2021

    • Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
    • Update hashopenssl to require OpenSSL 1.1.1
    • multissltests only OpenSSL > 1.1.0
    • ALPN is always supported
    • SNI is always supported
    • Remove deprecated NPN code. Python wrappers are no-op.
    • ECDH is always supported
    • Remove OPENSSL_VERSION_1_1 macro
    • Remove locking callbacks
    • Drop PY_OPENSSL_1_1_API macro
    • Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro
    • SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now
    • security level is always available now
    • get_num_tickets is available with TLS 1.3
    • X509_V_ERR MISMATCH is always available now
    • Always set SSL_MODE_RELEASE_BUFFERS
    • X509_V_FLAG_TRUSTED_FIRST is always available
    • get_ciphers is always supported
    • SSL_CTX_set_keylog_callback is always available
    • Update Modules/Setup with static link example
    • Mention PEP in whatsnew
    • Drop 1.0.2 and 1.1.0 from GHA tests

    @tiran tiran closed this as completed Apr 17, 2021
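
The guarantees listed in the commit message above can be checked on a deployed interpreter. This is an added example, not part of the original issue or of CPython's own code: it classifies an `ssl.OPENSSL_VERSION`-style string against the OpenSSL 1.1.1 floor and reports the features the list names. The function names and the sample version strings used to exercise it are constructed for illustration.

```python
import re
import ssl

PEP644_FLOOR = (1, 1, 1)  # OpenSSL 1.1.1 LTS, the minimum named in the issue title

def classify_build(version_string):
    """Parse an ssl.OPENSSL_VERSION-style string -> (library, version, meets_floor)."""
    m = re.match(r"(\w+)\s+(\d+)\.(\d+)\.(\d+)", version_string)
    if m is None:
        return ("unknown", None, False)
    library = m.group(1)
    version = tuple(int(part) for part in m.group(2, 3, 4))
    # A fork that reports its own name fails the check even when its
    # version number looks high enough.
    return (library, version, library == "OpenSSL" and version >= PEP644_FLOOR)

def audit_runtime():
    """Report the linked library and the features the commit message lists."""
    library, version, meets_floor = classify_build(ssl.OPENSSL_VERSION)
    ctx = ssl.SSLContext
    return {
        "library": library,
        "version": version,
        "meets_floor": meets_floor,
        "alpn": ssl.HAS_ALPN,
        "sni": ssl.HAS_SNI,
        "ecdh": ssl.HAS_ECDH,
        "tls13": ssl.HAS_TLSv1_3,
        "keylog": hasattr(ctx, "keylog_filename"),
        "num_tickets": hasattr(ctx, "num_tickets"),
        "security_level": hasattr(ctx, "security_level"),
    }

def missing_features(report):
    """Names of checks that came back false, for alerting in a fleet audit."""
    skip = ("library", "version")
    return sorted(k for k, v in report.items() if k not in skip and not v)

if __name__ == "__main__":
    report = audit_runtime()
    print(report["library"], report["version"], "missing:", missing_features(report))
```

On an interpreter built to the PEP 644 requirement, `missing_features(audit_runtime())` is expected to be empty; any entry points at an older Python or a non-conforming TLS library.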

    tiran commented Apr 17, 2021

    New changeset b8d0fa0 by Christian Heimes in branch 'master':
    bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453)
    b8d0fa0


    tiran commented Apr 19, 2021

    New changeset d37b74f by Christian Heimes in branch 'master':
    bpo-43669: More test_ssl cleanups (GH-25470)
    d37b74f

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022