Hi,

I'm still working on an ssl module PEP for 3.7 [1], but it's probably not going to be finished before the beta 1 deadline. I have a bunch of fixes and improvements for the ssl module in the queue; most of them require OpenSSL 1.0.2 features. The features are also present and working properly since LibreSSL 2.5.3.

If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land a bunch of useful goodies like proper hostname verification [2], a proper fix for IP address in SNI TLS header [3], PEP 543 compatible Certificate and PrivateKey types (support loading certs and keys from file and memory) [4], and simplified cipher suite configuration [5]. I can finally clean up _ssl.c during the beta phase, too.

OpenSSL 1.0.1 has been out of support since December 2016, 0.9.8 since 2015. These versions haven't received any security updates for more than a year! All major Linux and BSD distributions have at least 1.0.2 [6]. The only relevant exception is Ubuntu 14.04 LTS, because Travis CI is running 14.04. PR 3562 [7] contains a PoC to compile a custom build of OpenSSL on Travis. Builds are cached.

Regards,
Christian

[1] https://github.com/tiran/peps/blob/sslmodule37/pep-9999.txt
[2] https://bugs.python.org/issue31399
[3] https://bugs.python.org/issue32185
[4] https://bugs.python.org/issue18369
[5] https://bugs.python.org/issue31429
[6] https://gist.github.com/tiran/c5409bbd60a5f082f654d967add8cc79
[7] https://github.com/python/cpython/pull/3462
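An added example, not part of the original message or of CPython: a small audit that classifies TLS library banners (the format of `ssl.OPENSSL_VERSION`) against the floors named above, OpenSSL 1.0.2 and LibreSSL 2.5.3. The host names and the inventory are constructed sample data, and the function names are hypothetical.

```python
import re
import ssl

# Minimum versions named in the message above.
FLOORS = {"OpenSSL": (1, 0, 2), "LibreSSL": (2, 5, 3)}

# Matches e.g. "OpenSSL 1.0.2k-fips  26 Jan 2017" or "LibreSSL 2.5.3".
_BANNER_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner):
    """Return (library, (major, minor, fix), patch_letters), or None
    when the banner is not an OpenSSL/LibreSSL version string."""
    m = _BANNER_RE.match(banner.strip())
    if m is None:
        return None
    lib, major, minor, fix, letters = m.groups()
    return lib, (int(major), int(minor), int(fix)), letters


def classify(banner):
    """'ok' at or above the floor, 'below-floor' otherwise,
    'unknown' when the banner cannot be parsed (review by hand)."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    lib, numeric, _letters = parsed
    # The floors carry no patch letter, so 1.0.2 and 1.0.2k both pass.
    return "ok" if numeric >= FLOORS[lib] else "below-floor"


def audit(inventory):
    """Map each host in {host: banner} to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (host names are made up).
SAMPLE = {
    "build-01": "OpenSSL 0.9.8zh 14 Jan 2016",
    "ci-02": "OpenSSL 1.0.1f 6 Jan 2014",
    "web-03": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "bsd-04": "LibreSSL 2.5.3",
    "bsd-05": "LibreSSL 2.4.5",
    "odd-06": "BoringSSL",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE).items()):
        print(f"{host:10} {verdict}")
    # The interpreter running this script, as reported by the ssl module.
    print("local     ", ssl.OPENSSL_VERSION, "->", classify(ssl.OPENSSL_VERSION))
```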