Upgrade to OpenSSL 1.1.1c, 1.1.0k, and/or 1.0.2s #78812

Closed
tiran opened this issue Sep 11, 2018 · 17 comments
Labels
3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only security fixes deferred-blocker OS-mac OS-windows topic-SSL type-feature A feature request or enhancement

Comments

@tiran
Member

tiran commented Sep 11, 2018

BPO 34631
Nosy @pfmoore, @ronaldoussoren, @tiran, @tjguk, @ned-deily, @alex, @zware, @zooba, @dstufft, @miss-islington
PRs
  • bpo-34631: Update test infra to OpenSSL 1.1.1b #12094
  • [2.7] bpo-34631: Updated OpenSSL to 1.0.2s in Windows installer (GH-14161) #14161
  • bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer #14163
  • [3.8] bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer (GH-14163) #14164
  • [3.7] bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer (GH-14163) #14165
  • bpo-34631: Update OpenSSL to 1.1.1c in macOS installer #14187
  • [3.8] bpo-34631: Updated OpenSSL to 1.1.1c in macOS installer (GH-14187) #14189
  • [3.7] bpo-34631: Updated OpenSSL to 1.1.1c in macOS installer (GH-14187) #14190
  • [2.7] bpo-34631: Updated OpenSSL to 1.0.2s in macOS installer. #14198
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2019-06-18.10:50:43.756>
    created_at = <Date 2018-09-11.17:13:46.164>
    labels = ['OS-mac', 'expert-SSL', 'deferred-blocker', '3.7', '3.8', '3.9', 'type-feature', 'OS-windows']
    title = 'Upgrade to OpenSSL 1.1.1c, 1.1.0k, and/or 1.0.2s'
    updated_at = <Date 2019-06-18.10:50:43.755>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2019-06-18.10:50:43.755>
    actor = 'ned.deily'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2019-06-18.10:50:43.756>
    closer = 'ned.deily'
    components = ['macOS', 'Windows', 'SSL']
    creation = <Date 2018-09-11.17:13:46.164>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 34631
    keywords = ['patch']
    message_count = 17.0
    messages = ['325034', '336846', '338748', '345826', '345836', '345868', '345875', '345886', '345887', '345893', '345911', '345932', '345933', '345959', '345962', '345963', '345980']
    nosy_count = 11.0
    nosy_names = ['paul.moore', 'ronaldoussoren', 'janssen', 'christian.heimes', 'tim.golden', 'ned.deily', 'alex', 'zach.ware', 'steve.dower', 'dstufft', 'miss-islington']
    pr_nums = ['12094', '14161', '14163', '14164', '14165', '14187', '14189', '14190', '14198']
    priority = 'deferred blocker'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'enhancement'
    url = 'https://bugs.python.org/issue34631'
    versions = ['Python 2.7', 'Python 3.7', 'Python 3.8', 'Python 3.9']

    @tiran
    Member Author

    tiran commented Sep 11, 2018

    OpenSSL 1.1.1 was released today. The blog post https://www.openssl.org/blog/blog/2018/09/11/release111/ lists all major improvements.

    Highlights:

    • TLS 1.3
    • API and ABI compatible with OpenSSL 1.1.0
    • LTS release (support schedule TBD)

    All tests on master are passing with OpenSSL 1.1.1. I still want to hold off and wait a couple of patch releases, before we start to ship Windows and macOS builds with 1.1.1. Some aspects of the TLS 1.3 handshake are different to TLS 1.2. I might have to implement some additional APIs for post handshake authentication.

    @tiran tiran added the 3.8 (EOL) end of life label Sep 11, 2018
    @tiran tiran self-assigned this Sep 11, 2018
    @tiran tiran added topic-SSL type-feature A feature request or enhancement labels Sep 11, 2018
    @tiran
    Member Author

    tiran commented Feb 28, 2019

    Hi macOS and Windows devs,

    as I explained in https://mail.python.org/pipermail/python-dev/2019-February/156470.html we need to update Python 3.7 to OpenSSL 1.1.1 eventually. 1.1.0 will reach EOL in September.

    @tiran tiran changed the title Upgrade to OpenSSL 1.1.1 Upgrade to OpenSSL 1.1.1b Feb 28, 2019
    @ned-deily
    Member

    [From the cited python-dev email]:

    "Python 3.7 and master (3.8) are affected. As of now, both branches use
    OpenSSL 1.1.0 and must be updated to 1.1.1 soonish. Ned has scheduled
    3.7.3 release for 2019-03-25. That's still well within the release
    schedule for 1.1.0. I suggest that we update to 1.1.1 directly after the
    release of Python 3.7.3 and target 3.7.4 as first builds with TLS 1.3
    support. That gives Victor, Steve, and me enough time to sort out the
    remaining issues."

    So setting the priority here to "deferred blocker" as a reminder to take care of this prior to 3.8.0b1 (2019-05-26) and 3.7.4rc1 (2019-06-10) at the latest.

    @ned-deily
    Member

    It looks like we missed the window for 3.7.4 here. (I assume the Windows installer build is not using 1.1.1. Steve?) Talking with Christian about this in IRC, we agreed, the CI pipelines (Azure and Travis) are now using 1.1.1c and I've put a request to the buildbot owners to upgrade to 1.1.1c if possible. So let's retarget 1.1.1c for 3.7.5 then which will be right around the time 1.1.0 support ends. In the meantime, we should update other installers to 1.1.0k and 1.0.2s.

    @ned-deily ned-deily added the 3.9 only security fixes label Jun 17, 2019
    @ned-deily ned-deily changed the title Upgrade to OpenSSL 1.1.1b Upgrade to OpenSSL 1.1.1c, 1.1.0k, and/or 1.0.2s Jun 17, 2019
    @ned-deily
    Member

    > (I assume the Windows installer build is not using 1.1.1. Steve?)

    After doing a little more homework and better understanding PCbuild/get_externals.bat, https://github.com/python/cpython-source-deps, and https://github.com/python/cpython-bin-deps and their twisting branches, it appears we *are* using 1.1.1, in particular, 1.1.1b for 3.7 and 3.8 Windows builds. So:

    1. Can/should we try to update to 1.1.1c for 3.7.4 on Windows, and

    2. Should I try to update the macOS installer to 1.1.1c for 3.7.4?

    For the latter, I'll give it a try and see how smoothly it goes before making a final decision.

    @zooba
    Member

    zooba commented Jun 17, 2019

    The canonical source of versions used on Windows is in PCbuild/python.props

    I'll pull the 1.1.1c sources into cpython-source-deps and run a build. If all goes smoothly, we can consider it, but I don't have a huge amount of time for CPython this week I'm afraid.

    @zooba
    Member

    zooba commented Jun 17, 2019

    New changeset d8e3a8a by Steve Dower in branch '2.7':
    bpo-34631: Updated OpenSSL to 1.0.2s in Windows installer (GH-14161)
    d8e3a8a

    @zooba
    Member

    zooba commented Jun 17, 2019

    The tests seem to pass fine for 1.1.1c against master, so I'll merge that and see if the backport is also okay.

    @zooba
    Member

    zooba commented Jun 17, 2019

    New changeset a268edd by Steve Dower in branch 'master':
    bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer (GH-14163)
    a268edd

    @zooba
    Member

    zooba commented Jun 17, 2019

    New changeset c28c135 by Steve Dower (Miss Islington (bot)) in branch '3.8':
    bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer (GH-14163)
    c28c135

    @zooba
    Member

    zooba commented Jun 17, 2019

    Ned - the 3.7 backport seems to be okay (PR 14165). Do we want it?

    @ned-deily
    Member

    Might as well, thanks!

    @zooba
    Member

    zooba commented Jun 17, 2019

    New changeset 14bac00 by Steve Dower in branch '3.7':
    bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer (GH-14163)
    14bac00

    @ned-deily
    Member

    New changeset f3fb839 by Ned Deily in branch 'master':
    bpo-34631: Updated OpenSSL to 1.1.1c in macOS installer (GH-14187)
    f3fb839

    @miss-islington
    Contributor

    New changeset bd75abf by Miss Islington (bot) in branch '3.8':
    bpo-34631: Updated OpenSSL to 1.1.1c in macOS installer (GH-14187)
    bd75abf

    @miss-islington
    Contributor

    New changeset 0f3abbc by Miss Islington (bot) in branch '3.7':
    bpo-34631: Updated OpenSSL to 1.1.1c in macOS installer (GH-14187)
    0f3abbc

    @ned-deily
    Member

    New changeset a5b1b22 by Ned Deily in branch '2.7':
    bpo-34631: Updated OpenSSL to 1.0.2s in macOS installer. (GH-14198)
    a5b1b22

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
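
Added example, not part of the original thread and not CPython's own code: a check of which OpenSSL a given Python build is linked against, measured against the patch releases this issue names (1.1.1c, 1.1.0k, 1.0.2s). The function names are hypothetical; the banner format is the one `ssl.OPENSSL_VERSION` returns.

```python
import re
import ssl

# Minimum patch release per OpenSSL branch, taken from this issue's title.
MIN_PATCH = {(1, 1, 1): "c", (1, 1, 0): "k", (1, 0, 2): "s"}
_BANNER = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Split e.g. 'OpenSSL 1.1.1c  28 May 2019' into ((1, 1, 1), 'c')."""
    m = _BANNER.match(banner)
    if m is None:  # e.g. a LibreSSL build
        raise ValueError("not an OpenSSL banner: %r" % (banner,))
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)


def patch_rank(letters):
    """Sort key for patch suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def meets_issue_target(banner):
    """True/False for the three branches named in the issue, None otherwise."""
    branch, letters = parse_openssl_version(banner)
    minimum = MIN_PATCH.get(branch)
    if minimum is None:
        return None
    return patch_rank(letters) >= patch_rank(minimum)


def audit_running_interpreter():
    """Report on the OpenSSL this interpreter's ssl module is linked against."""
    banner = ssl.OPENSSL_VERSION
    try:
        verdict = meets_issue_target(banner)
    except ValueError:
        verdict = None
    return {"banner": banner, "meets_target": verdict,
            "tls13": getattr(ssl, "HAS_TLSv1_3", False)}


if __name__ == "__main__":
    print(audit_running_interpreter())
```

Run it with each installed interpreter (for example the 3.7 and 2.7 installer builds) to confirm what was actually bundled, rather than inferring it from build scripts.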