On 2017-09-04 12:49, Gregory P. Smith wrote:
> RHEL 7 (the *current* release), Debian Jessie (oldstable) and Ubuntu
> 14.04 (old LTS supported in "maintenance" mode until early 2019 -
> https://www.ubuntu.com/info/release-end-of-life) all shipped with 1.0.1
> based OpenSSL. :(

RHEL 7.4 comes with OpenSSL 1.0.2:
https://access.redhat.com/errata/RHBA-2017:1929
https://bugzilla.redhat.com/show_bug.cgi?id=1276310

> IMNSHO *I still think we should do this to 3.7*. OpenSSL >=1.0.2
> provides a much more usable API for modern security standards. If we
> set our standards based on the most conservative OS distro out there,
> we're just holding ourselves back.

That's the gist of my upcoming PEP. For one, I want to replace
ssl.match_hostname() with OpenSSL's hostname verification API. It solves
several issues. The API is available since OpenSSL 1.0.2 and LibreSSL
2.5.3. The PEP is still in proto state, e.g. missing several chapters
and has a bunch of grammar and spelling errors:
https://github.com/tiran/peps/blob/sslmod/pep-9999.txt

> Isn't MacOS also in a lousy state when it comes to OpenSSL? Did we
> switch to providing our own there already? We could do the same (ship
> our own) when building on stale distros.

Ned has changed our macOS packages to use our own build of OpenSSL. IIRC
it's 1.0.2 and not 1.1.0. 1.1.0 was deemed too new when 3.6.0 came out.
Also Apple no longer ships header files for OpenSSL. Apple's own Python
binary uses a private copy of an old LibreSSL version.

Christian

_______________________________________________
Python-Buildbots mailing list
Python-Buildbots@python.org
https://mail.python.org/mailman/listinfo/python-buildbots
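An added example, not part of the thread and not CPython's or Christian's code: a runtime gate that reports whether the TLS library linked into the interpreter meets the minimum versions named above (OpenSSL 1.0.2, LibreSSL 2.5.3) for OpenSSL's native hostname verification API. It assumes the usual format of `ssl.OPENSSL_VERSION` ("OpenSSL 1.0.2k  26 Jan 2017" / "LibreSSL 2.5.3") and handles the LibreSSL quirk that its numeric version tuple is constant.

```python
import re
import ssl

# Minimum versions named in the thread for OpenSSL's hostname verification API
# (X509_VERIFY_PARAM_set1_host and friends, used instead of ssl.match_hostname()).
MIN_OPENSSL = (1, 0, 2)
MIN_LIBRESSL = (2, 5, 3)

# Assumed format of ssl.OPENSSL_VERSION: library name, then dotted version.
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def hostname_api_available(version_text, version_info):
    """Return True if the linked TLS library is new enough for the native
    hostname verification API.

    version_text: ssl.OPENSSL_VERSION, e.g. 'OpenSSL 1.0.2k  26 Jan 2017'
    version_info: ssl.OPENSSL_VERSION_INFO, e.g. (1, 0, 2, 11, 15)

    Caveat: LibreSSL exports a constant OPENSSL_VERSION_NUMBER (0x20000000),
    so its version_info is (2, 0, 0, 0, 0) for every release and only the
    text string carries the real version. OpenSSL's tuple is trustworthy.
    """
    m = _VERSION_RE.match(version_text)
    if m is None:
        return False  # unknown library: do not assume the API exists
    name = m.group(1)
    text_version = tuple(int(x) for x in m.group(2, 3, 4))
    if name == "LibreSSL":
        return text_version >= MIN_LIBRESSL
    # For OpenSSL prefer the numeric tuple, which comes straight from
    # OPENSSL_VERSION_NUMBER and is not affected by vendor suffixes like '-fips'.
    return tuple(version_info[:3]) >= MIN_OPENSSL


def running_interpreter_ok():
    """Check the interpreter this script runs under."""
    return hostname_api_available(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO)


if __name__ == "__main__":
    verdict = "ok" if running_interpreter_ok() else "too old"
    print(ssl.OPENSSL_VERSION, "->", verdict)
```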