-
-
Notifications
You must be signed in to change notification settings - Fork 30.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade to OpenSSL 1.1.1c, 1.1.0k, and/or 1.0.2s #78812
Comments
OpenSSL 1.1.1 was released today. The blog post https://www.openssl.org/blog/blog/2018/09/11/release111/ lists all major improvements. Highlights:
All tests on master are passing with OpenSSL 1.1.1. I still want to hold off and wait a couple of patch releases, before we start to ship Windows and macOS builds with 1.1.1. Some aspects of the TLS 1.3 handshake are different to TLS 1.2. I might have to implement some additional APIs for post handshake authentication. |
Hi macOS and Windows devs, as I explained in https://mail.python.org/pipermail/python-dev/2019-February/156470.html we need to update Python 3.7 to OpenSSL 1.1.1 eventually. 1.1.0 will reach EOL in September. |
[From the cited python-dev email]: "Python 3.7 and master (3.8) are affected. As of now, both branches use So setting the priority here to "deferred blocker" as a reminder to take care of this prior to 3.8.0b1 (2019-05-26) and 3.7.4rc1 (2019-06-10) at the latest. |
It looks we missed the window for 3.7.4 here. (I assume the Windows installer build is not using 1.1.1. Steve?) Talking with Christian about this in IRC, we agreed, the CI pipelines (Azure and travis) are now using 1.1.1c and I've put a request to the buildbot owners to upgrade to 1.1.1c if possible. So let's retarget 1.1.1c for 3.7.5 then which will be right around the time 1.1.0 support ends. In the meantime, we should update other installers to 1.1.0k and 1.0.2s. |
After doing a little more homework and better understanding PCbuild/get_externals.bat, https://github.com/python/cpython-source-deps, and https://github.com/python/cpython-bin-deps and their twisting branches, it appears we *are* using 1.1.1, in particular, 1.1.1b for 3.7 and 3.8 Windows builds. So:
For the latter, I'll give it a try and see how smoothly it goes before making a final decision. |
The canonical source of versions used on Windows is in PCbuild/python.props I'll pull the 1.1.1c sources into cpython-source-deps and run a build. If all goes smoothly, we can consider it, but I don't have a huge amount of time for CPython this week I'm afraid. |
The tests seem to pass fine for 1.1.1c against master, so I'll merge that and see if the backport is also okay. |
Ned - the 3.7 backport seems to be okay (PR 14165). Do we want it? |
Might as well, thanks! |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: