[issue32947] Support OpenSSL 1.1.1

Ned Deily added the comment: I don't have a strong opinion about backporting to 3.6. With OpenSSL 1.0.2 official support ending at the end of 2019 and 3.6.z retired towards the ned of 2021, there would be a 2-year window where 3.6 is still in security-fix-only status. But, if we don't do

[issue32947] Support OpenSSL 1.1.1

Ned Deily added the comment: New changeset 3dbc43f63c7e056b80d6e28f3812125a09555456 by Ned Deily (Victor Stinner) in branch '3.6': bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-11612) https://github.com/python/cpython/commit/3dbc43f63c7e056b80d6e28f3812125a09555456 --

[issue32947] Support OpenSSL 1.1.1

Christian Heimes added the comment: Yes, the feature requires OpenSSL 1.0.2 and a more recent version of LibreSSL. 2.7 and 3.6 branches still target platforms with ancient versions of OpenSSL (e.g. Ubuntu 14.04 has 1.0.1f + patches). People were complain A LOT, because there were not able

[issue32947] Support OpenSSL 1.1.1

Benjamin Peterson added the comment: Was using OpenSSL to verify hostnames intentionally not backported? -- ___ Python tracker ___

[issue32947] Support OpenSSL 1.1.1

Change by Chih-Hsuan Yen : -- nosy: -yan12125 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue32947] Support OpenSSL 1.1.1

STINNER Victor added the comment: New changeset 2149a9ad7a9d39d7d680ec0fb602042c91057484 by Victor Stinner (stratakis) in branch '2.7': [2.7] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761) (GH-11876) https://github.com/python/cpython/commit/2149a9ad7a9d39d7d680ec0fb602042c91057484

[issue32947] Support OpenSSL 1.1.1

Change by Charalampos Stratakis : -- pull_requests: +11910 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue32947] Support OpenSSL 1.1.1

STINNER Victor added the comment: On Fedora 29 with OpenSSL 1.1.1 FIPS 11 Sep 2018, test_connect_cadata() of test_ssl fails randomly: --- $ ./python -m test -u all -F -m test_connect_cadata test_ssl Run tests sequentially 0:00:00 load avg: 0.43 [ 1] test_ssl test test_ssl failed --

[issue32947] Support OpenSSL 1.1.1

Change by STINNER Victor : -- pull_requests: +11345, 11346, 11347 ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue32947] Support OpenSSL 1.1.1

Change by STINNER Victor : -- pull_requests: +11345, 11346 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue32947] Support OpenSSL 1.1.1

Change by STINNER Victor : -- pull_requests: +11345 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue32947] Support OpenSSL 1.1.1

Christian Heimes added the comment: The release candidates came out a couple of days ago. -- ___ Python tracker ___ ___

[issue32947] Support OpenSSL 1.1.1

Kurt Roeckx added the comment: Do you have any idea when the next release will be? I think python is currently our biggest blocker for getting OpenSSL 1.1.1 in Debian testing. -- ___ Python tracker

[issue32947] Support OpenSSL 1.1.1

Christian Heimes added the comment: Kurt, see #34670 for PHA for server and client side. -- ___ Python tracker ___ ___

[issue32947] Support OpenSSL 1.1.1

Christian Heimes added the comment: Soonish, I'm still working on post handshake auth. -- ___ Python tracker ___ ___

[issue32947] Support OpenSSL 1.1.1

Kurt Roeckx added the comment: Christian, Do you have any update on this? Any idea when we can expect relased python versions that work with OpenSSL 1.1.1? -- ___ Python tracker

[issue32947] Support OpenSSL 1.1.1

Kurt Roeckx added the comment: This are automated tests for the packages in Debian. I uploaded the pre9 version to unstable, and as a result of that all reverse dependencies got tested. I don't have any experience with python myself. Anyway, the openssl.cnf in Debian contains:

[issue32947] Support OpenSSL 1.1.1

Christian Heimes added the comment: Kurt, can you try again with a current git checkout from master? I fixed a couple of issues lately. CPython master passes all tests with vanilla OpenSSL 1.1.1-pre9. Does Debian change some default settings? --

[issue32947] Support OpenSSL 1.1.1

Kurt Roeckx added the comment: This are the errors I'm currently getting testing with the pre9 verion in Debian: https://ci.debian.net/data/autopkgtest/testing/amd64/p/python2.7/865936/log.gz https://ci.debian.net/data/autopkgtest/testing/amd64/p/python3.6/865937/log.gz

[issue32947] Support OpenSSL 1.1.1

Christian Heimes added the comment: New changeset 2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826 by Christian Heimes in branch '3.6': bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761) https://github.com/python/cpython/commit/2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826 --

[issue32947] Support OpenSSL 1.1.1

Change by Christian Heimes : -- pull_requests: +8237 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue32947] Support OpenSSL 1.1.1

Change by Christian Heimes : -- pull_requests: +8236 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue32947] Support OpenSSL 1.1.1

Charalampos Stratakis added the comment: Yes test_poplib and test_ftplib on fedora rawhide when run against openssl 1.1.1 pre8. Haven't tried the pr7, but assuming that the tests were fine before here is the list of changes between pre7 and pre8:

[issue32947] Support OpenSSL 1.1.1

Change by Chih-Hsuan Yen : -- nosy: +yan12125 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue32947] Support OpenSSL 1.1.1

Miro Hrončok added the comment: Note that Fedora 29 updated openssl from 1.1.0h to 1.1.1-0.pre8 and Python 3.7 tests are failing. Not 100% sure it's related, but full report at: https://bugzilla.redhat.com/show_bug.cgi?id=1609291 -- nosy: +hroncok

[issue32947] Support OpenSSL 1.1.1

Christian Heimes added the comment: 3.7 and 3.8 support OpenSSL 1.1.1-pre7-dev. For 3.6 and 2.7 I have to backport some test fixes and documentation. I prefer to wait until both TLS 1.3 and OpenSSL 1.1.1 have been finalized. Once 1.1.1 is out, I'll fix the outstanding

[issue32947] Support OpenSSL 1.1.1

Ned Deily added the comment: Christian, I'm not sure how this issue now differs from Issue33618 (and whether it can be closed as a duplicate) but, with the delay in OpenSSL 1.1.1 and as discussed over there, full 1.1.1 support will have to wait for 3.7.1 et al so I'm

[issue32947] Support OpenSSL 1.1.1

Change by miss-islington : -- pull_requests: +5694 ___ Python tracker ___

[issue32947] Support OpenSSL 1.1.1

Christian Heimes added the comment: Ned, Benjamin OpenSSL 1.1.1 is scheduled to be released just before 3.7.0rc1 will come out. I'd rather address as many issues now instead of adding last minute patches to the release candidate. Once OpenSSL 1.1.1 is out and Python 3.7

[issue32947] Support OpenSSL 1.1.1

Change by Christian Heimes : -- keywords: +patch pull_requests: +5655 stage: -> patch review ___ Python tracker ___

[issue32947] Support OpenSSL 1.1.1

New submission from Christian Heimes : I'm using this ticket as an epos to track commits and required changes for OpenSSL 1.1.1 and TLS 1.3. Fixes need to be backported to 2.7 and 3.6 to 3.8. We might have to consider backports to 3.4 and 3.5, too. If all goes to plan,