Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required

2014-06-18 Thread Cory Benfield
On 17 June 2014 17:41, Yates, Andy (CS Houston, TX)  wrote:
> Is it possible to drop in new OpenSSL versions
> on Windows without rebuilding Python?

If you think this is a problem you're going to have more than once,
you'll want to look hard at whether it's worth using pyOpenSSL
(either the egenix version or the PyCA one[1]) instead, and delivering
binary releases with a bundled copy of OpenSSL. PyOpenSSL from PyCA is
actually considering bundling OpenSSL on Windows anyway[2], so you
might find this problem goes away.

[1] https://github.com/pyca/pyopenssl
[2] https://github.com/pyca/cryptography/issues/1121
___
Python-Dev mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required

2014-06-18 Thread Martin v. Löwis
On 17.06.14 18:41, Yates, Andy (CS Houston, TX) wrote:
> Python Dev,
> 
> Andy here. I have a Windows product based on Python and I’m getting
> hammered to release a version that includes the fix in OpenSSL 1.0.1h. 
> My product is built on a Windows system using Python installed from the
> standard Python installer at Python.org.  I would be grateful if I could
> get some advice on my options. 

Can you please report
- what version of Python you are distributing?
- why it absolutely has to be 1.0.1h that is included?

According to the CVE, 0.9.8za and 1.0.0m would work as well (and in our
case, would be preferred for older versions of Python).

Regards,
Martin




Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required

2014-06-18 Thread Martin v. Löwis
On 17.06.14 20:27, Steve Dower wrote:
> You'll only need to rebuild the _ssl and _hashlib extension modules
> with the new OpenSSL version. The easiest way to do this is to build
> from source (which has already been updated for 1.0.1h if you use the
> externals scripts in Tools\buildbot), and you should just be able to
> drop _ssl.pyd and _hashlib.pyd on top of a normal install.
> 
> Aside: I wonder if it's worth changing to dynamically linking to
> OpenSSL? It would make this kind of in-place upgrade easier when
> people need to do it. Any thoughts? (Does OpenSSL even support it?)

We originally considered using prebuilt binaries, such as

http://slproweb.com/products/Win32OpenSSL.html

This is tricky because of CRT issues: they will likely bind to a
different version of the CRT, and
a) it is unclear whether this would reliably work, and
b) requires the Python installer to include a different version of
   the CRT, which we would not have a license to include (as the
   CRT redistribution license only applies to the version of the CRT
   that Python was built with)

There was also the desire to use the same compiler for all code
distributed, to use the same optimizations on all of it. In addition,
for OpenSSL, there is compile-time configuration w.r.t. the algorithms
built into the binaries where Python's build deviates from the default.

Having a separate project to build a DLL within pcbuild.sln was never
implemented. Doing so possibly increases the risk of DLL hell, if Python
picks up the wrong version of OpenSSL (e.g. if Python gets embedded
into some other application).

Regards,
Martin
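A check that goes with Steve's drop-in approach and Martin's note that each OpenSSL branch has its own fixed release: it parses the version string the running interpreter's _ssl module reports and compares the patch letter against the per-branch minimum from the thread (0.9.8za, 1.0.0m, 1.0.1h). This is an added example, not code from the thread or from CPython; the branch table and the ordering rule for patch letters are assumptions stated in the comments.

```python
import re
import ssl

# Minimum patched release per OpenSSL branch for CVE-2014-0224, as the
# thread states them (0.9.8za, 1.0.0m, 1.0.1h). Assumed table, not from CPython.
FIXED_FOR_CVE_2014_0224 = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

# ssl.OPENSSL_VERSION looks like "OpenSSL 1.0.1h 5 Jun 2014" (or "1.0.1e-fips ...").
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(version_string):
    """Parse 'OpenSSL 1.0.1h 5 Jun 2014' into ((1, 0, 1), 'h')."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % version_string)
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return branch, m.group(4)


def letter_key(letters):
    # Pre-1.1 OpenSSL patch letters run a..y, then za, zb, ...; ordering by
    # (length, text) gives '' < 'a' < ... < 'y' < 'za' < 'zb' (assumed rule).
    return (len(letters), letters)


def is_patched(version_string, fixed=FIXED_FOR_CVE_2014_0224):
    """True/False if the branch is in the table; None when the branch is not
    listed, so the caller cannot conclude anything from this check alone."""
    branch, letters = parse_openssl_version(version_string)
    if branch not in fixed:
        return None
    return letter_key(letters) >= letter_key(fixed[branch])


def check_running_python():
    """Report what the _ssl module of this interpreter was built against."""
    version = ssl.OPENSSL_VERSION
    return version, is_patched(version)


if __name__ == "__main__":
    version, ok = check_running_python()
    verdict = {True: "patched", False: "NOT patched: rebuild _ssl/_hashlib",
               None: "branch not in table, check manually"}[ok]
    print("%s -> %s" % (version, verdict))
```

Run it with the interpreter you ship after replacing _ssl.pyd and _hashlib.pyd; if the version string still shows the old release, the new modules were not the ones picked up.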


Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required

2014-06-18 Thread Steve Dower
Yeah, the fact that it really has to be our own copy of the DLL negates the 
advantage. If someone can rebuild that, they could rebuild the modules that 
statically link it.

Cheers,
Steve

Top-posted from my Windows Phone

From: Martin v. Löwis
Sent: 6/18/2014 2:46
To: Steve Dower; Yates, Andy (CS Houston, 
TX); [email protected]
Subject: Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h 
on Windows required

On 17.06.14 20:27, Steve Dower wrote:
> You'll only need to rebuild the _ssl and _hashlib extension modules
> with the new OpenSSL version. The easiest way to do this is to build
> from source (which has already been updated for 1.0.1h if you use the
> externals scripts in Tools\buildbot), and you should just be able to
> drop _ssl.pyd and _hashlib.pyd on top of a normal install.
>
> Aside: I wonder if it's worth changing to dynamically linking to
> OpenSSL? It would make this kind of in-place upgrade easier when
> people need to do it. Any thoughts? (Does OpenSSL even support it?)

We originally considered using prebuilt binaries, such as

http://slproweb.com/products/Win32OpenSSL.html

This is tricky because of CRT issues: they will likely bind to a
different version of the CRT, and
a) it is unclear whether this would reliably work, and
b) requires the Python installer to include a different version of
   the CRT, which we would not have a license to include (as the
   CRT redistribution license only applies to the version of the CRT
   that Python was built with)

There was also the desire to use the same compiler for all code
distributed, to use the same optimizations on all of it. In addition,
for OpenSSL, there is compile time configuration wrt. to the algorithms
built into the binaries where Python's build deviates from the default.

Having a separate project to build a DLL within pcbuild.sln was never
implemented. Doing so possibly increases the risk of DLL hell, if Python
picks up the wrong version of OpenSSL (e.g. if Python gets embedded
into some other application).

Regards,
Martin