On 2018-01-14 01:03, Steven D'Aprano wrote:
> On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote:
>> On Sat, 13 Jan 2018 13:54:33 +0100
>> Christian Heimes <christ...@python.org> wrote:
>>>
>>> If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land
>>> a bunch of useful goodies like proper hostname verification [2], a proper
>>> fix for IP address in SNI TLS header [3], PEP 543 compatible Certificate
>>> and PrivateKey types (support loading certs and keys from file and
>>> memory) [4], and simplified cipher suite configuration [5]. I can
>>> finally clean up _ssl.c during the beta phase, too.
>>
>> Given the annoyance of supporting old OpenSSL versions, I'd say +1 to
>> this.
>>
>> We'll have to deal with the complaints of users of Debian oldstable,
>> CentOS 6 and RHEL 6, though.
>
> It will probably be more work for Christian, but is it reasonable to
> keep support for the older versions of OpenSSL, but make the useful
> goodies conditional on a newer version?
It's much more than just goodies. For example the X509_VERIFY_PARAM_set1_host() API fixes a whole lot of issues with ssl.match_hostname(). The feature is OpenSSL 1.0.2+ and baked into the certificate validation system. I don't see a realistic way to perform the same task with 1.0.1.

Christian

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
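As an added illustration of the point in the message above (not code from the thread or from CPython itself): with OpenSSL 1.0.2+ the hostname is matched inside OpenSSL's chain verification, which is what `SSLContext.check_hostname` turns on, and the ssl module refuses to drop `verify_mode` to `CERT_NONE` while that flag is set. The helper names and the `MIN_OPENSSL` threshold are this example's own assumptions.

```python
import ssl

# OpenSSL 1.0.2 introduced X509_VERIFY_PARAM_set1_host(), i.e. hostname
# matching performed by the verifier itself (assumed threshold for this example).
MIN_OPENSSL = (1, 0, 2)


def openssl_has_builtin_hostname_check(version_info=None):
    """True if the given (or linked) OpenSSL can match hostnames during verification."""
    info = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    return tuple(info[:3]) >= MIN_OPENSSL


def make_client_context():
    """Client context that verifies the chain and the hostname in one place."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # delegated to OpenSSL's verifier, not a post-handshake check
    if getattr(ssl, "HAS_NEVER_CHECK_COMMON_NAME", False):
        # Python 3.7+ with OpenSSL 1.1.0+: match subjectAltName only, never fall back to CN
        ctx.hostname_checks_common_name = False
    return ctx


def verification_settings(ctx):
    """Summarise the verification posture of a context for inspection/assertions."""
    return {
        "check_hostname": ctx.check_hostname,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "common_name_fallback": getattr(ctx, "hostname_checks_common_name", None),
    }


def try_disable_verification(ctx):
    """Attempt the classic misconfiguration: CERT_NONE while check_hostname is on.

    The ssl module rejects this ordering with ValueError, so the guard has to be
    removed explicitly first; returning 'refused' means the guard held.
    """
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return "refused"
    return "allowed"


if __name__ == "__main__":
    context = make_client_context()
    print(ssl.OPENSSL_VERSION, openssl_has_builtin_hostname_check())
    print(verification_settings(context), try_disable_verification(context))
```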