On 2018-01-16 21:17, Christian Heimes wrote: > FYI, master on Travis CI now builds and uses OpenSSL 1.1.0g [1]. I have > created a daily cronjob to populate Travis' cache with OpenSSL builds. > Until the cache is filled, Linux CI will take an extra 5 minute.
I have messed up my initial research. :( When I was checking LibreSSL and OpenSSL for features, I draw a wrong conclusion. LibreSSL is *not* OpenSSL 1.0.2 compatible. It only implements some of the required features from 1.0.2 (e.g. X509_check_hostname) but not X509_VERIFY_PARAM_set1_host. X509_VERIFY_PARAM_set1_host() is required to perform hostname verification during the TLS handshake. Without the function, I'm unable to fix Python's hostname matching code [1]. LibreSSL upstream knows about the issue since 2016 [2]. I have opened another bug report [3]. We have two options until LibreSSL has addressed the issue: 1) Make the SSL module more secure, simpler and standard conform 2) Support LibreSSL I started a vote on Twitter [4]. So far most people prefer security. Christian [1] https://bugs.python.org/issue31399 [2] https://github.com/pyca/cryptography/issues/3247 [3] https://github.com/libressl-portable/portable/issues/381 [4] https://twitter.com/reaperhulk/status/953991843565490176 _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
