Is there a build flag or a ./configure-time autodetection that would allow for supporting LibreSSL while they port X509_VERIFY_PARAM_set1_host?
On Thursday, January 18, 2018, Christian Heimes <christ...@python.org> wrote:

> On 2018-01-16 21:17, Christian Heimes wrote:
> > FYI, master on Travis CI now builds and uses OpenSSL 1.1.0g [1]. I have
> > created a daily cronjob to populate Travis' cache with OpenSSL builds.
> > Until the cache is filled, Linux CI will take an extra 5 minutes.
>
> I have messed up my initial research. :( When I was checking LibreSSL
> and OpenSSL for features, I drew a wrong conclusion. LibreSSL is *not*
> OpenSSL 1.0.2 compatible. It only implements some of the required
> features from 1.0.2 (e.g. X509_check_hostname) but not
> X509_VERIFY_PARAM_set1_host.
>
> X509_VERIFY_PARAM_set1_host() is required to perform hostname
> verification during the TLS handshake. Without the function, I'm unable
> to fix Python's hostname matching code [1]. LibreSSL upstream has known
> about the issue since 2016 [2]. I have opened another bug report [3].
>
> We have two options until LibreSSL has addressed the issue:
>
> 1) Make the SSL module more secure, simpler and standards-conforming
> 2) Support LibreSSL
>
> I started a vote on Twitter [4]. So far most people prefer security.
>
> Christian
>
> [1] https://bugs.python.org/issue31399
> [2] https://github.com/pyca/cryptography/issues/3247
> [3] https://github.com/libressl-portable/portable/issues/381
> [4] https://twitter.com/reaperhulk/status/953991843565490176
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com
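As an added example (not code from this thread or from CPython's own configure script), here is the kind of configure-time probe the question above asks for: it compiles a tiny program against the installed libssl to see whether X509_VERIFY_PARAM_set1_host() is actually present and linkable, then emits a HAVE_ macro that a C extension could test with #ifdef instead of assuming that every "1.0.2-compatible" library ships it. The compiler argument, the macro name and the probe program are assumptions made for this example.

```shell
#!/bin/sh
# Added example: autoconf-style feature probe for X509_VERIFY_PARAM_set1_host.
# Usage: check_set1_host [compiler]  -> prints "yes" or "no", exit status 0/1.
# The optional compiler argument exists so the probe can be exercised without a
# toolchain (an assumption for this example); it defaults to $CC, then cc.
check_set1_host() {
    cc_cmd="${1:-${CC:-cc}}"
    tmpdir="$(mktemp -d)" || return 1
    # Reference the symbol directly: if the library lacks it, linking fails.
    cat > "$tmpdir/conftest.c" <<'EOF'
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>
int main(void) {
    X509_VERIFY_PARAM *p = X509_VERIFY_PARAM_new();
    return X509_VERIFY_PARAM_set1_host(p, "example.invalid", 0) == 1 ? 0 : 1;
}
EOF
    if $cc_cmd $CFLAGS $LDFLAGS -o "$tmpdir/conftest" "$tmpdir/conftest.c" \
            -lssl -lcrypto >/dev/null 2>&1; then
        result=yes
    else
        result=no
    fi
    rm -rf "$tmpdir"
    echo "$result"
    [ "$result" = yes ]
}

# Emit a config.h fragment so C code can guard the handshake-time hostname
# check with #ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST (macro name assumed here).
emit_config_fragment() {
    if check_set1_host "$@" >/dev/null; then
        echo "#define HAVE_X509_VERIFY_PARAM_SET1_HOST 1"
    else
        echo "/* #undef HAVE_X509_VERIFY_PARAM_SET1_HOST */"
    fi
}
```

Run `emit_config_fragment` with the real compiler to see which branch your libssl takes; a "no" on LibreSSL is the situation the thread describes, and the #undef lets the build refuse or fall back explicitly rather than silently skipping hostname verification.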