Upgrade installers to OpenSSL 1.1.1j #86003
Comments
"22-Sep-2020 OpenSSL 1.1.1h is now available, including bug fixes"

Christian, any changes needed in _ssl or any other reasons we should not upgrade?

Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
*) Certificates with explicit curve parameters are now disallowed in
*) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
*) Handshake now fails if Extended Master Secret extension is dropped
Christian, ping?
Sorry, I missed the initial ping. The changes look unproblematic to me. Our test suite is passing with 1.1.1h, too. Python doesn't set VERIFY_X509_STRICT by default and does not support DTLS. Please go ahead.
You may want to hold off until next week: https://mta.openssl.org/pipermail/openssl-announce/2020-December/000186.html OpenSSL 1.1.1i is a security-fix release. The highest severity issue fixed in this release is HIGH.
I believe this is all done now.
The fix has only been done for 3.8, 3.9 and 3.10. Are 3.7 and 3.6 not impacted?
They are impacted. However 3.7.9 and 3.6.8 were the last releases with binaries for Windows and macOS. All subsequent releases are source-only releases. Since we don't release binaries for 3.6 and 3.7 any more, we typically don't update them.
I got bad news. OpenSSL 1.1.1i introduced a regression in cert validation. This affects some cases that involve self-signed certificates. Cert validation fails if a self-signed certificate is used as both a trust anchor (root CA) and EE cert. This may affect Python. Would it be possible to rebuild our OpenSSL binaries with patch openssl/openssl#13749?
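An added check, not from this thread or from CPython, that exercises exactly the case described above: one self-signed certificate used as both the sole trust anchor and the server's end-entity cert, plus a lookup of whether the interpreter's linked OpenSSL is the regressed 1.1.1i. It assumes an `openssl` binary on PATH to generate a throwaway cert and Python 3.8+ for `socket.create_server`.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

def is_openssl_1_1_1i(version_info=ssl.OPENSSL_VERSION_INFO):
    """ssl.OPENSSL_VERSION_INFO is (major, minor, fix, patch, status); for
    1.1.1 releases 'patch' is the letter index (a=1, ..., i=9, j=10)."""
    major, minor, fix, patch, _status = version_info
    return (major, minor, fix) == (1, 1, 1) and patch == 9

def make_self_signed(tmpdir):
    # Constructed throwaway cert/key; assumes an `openssl` binary on PATH.
    cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)
    return cert, key

def self_signed_roundtrip(cert, key, host="127.0.0.1"):
    """Serve `cert` over TLS and verify it with the very same file as the
    only trust anchor. True = chain verified; False = the 1.1.1i symptom."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(cert, key)
    cli = ssl.create_default_context(cafile=cert)
    cli.check_hostname = False        # chain building is the point, not SAN
    listener = socket.create_server((host, 0))   # Python 3.8+
    port = listener.getsockname()[1]
    def serve():
        conn, _ = listener.accept()
        try:
            with srv.wrap_socket(conn, server_side=True):
                pass
        except OSError:
            pass  # client tore down the handshake after failing to verify
    threading.Thread(target=serve, daemon=True).start()
    try:
        with socket.create_connection((host, port)) as raw, \
                cli.wrap_socket(raw):
            return True
    except ssl.SSLCertVerificationError:
        return False
    finally:
        listener.close()

if __name__ == "__main__":
    print("linked:", ssl.OPENSSL_VERSION, "1.1.1i?", is_openssl_1_1_1i())
    with tempfile.TemporaryDirectory() as d:
        print("self-signed anchor verifies:", self_signed_roundtrip(*make_self_signed(d)))
```

A `False` from `self_signed_roundtrip` on a build that reports 1.1.1i is the regression; on 1.1.1j or later it should return `True`.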
Looks like we missed Christian's last message... Have OpenSSL made an updated release? If this issue is as bad as the short description above sounds, I expect they would have. It's possible to rebuild with the patch, but easier if it's a release. (Also, Christian, should this have been a release blocker? We just made fast releases for a security concern...)
1.1.1j was issued earlier this week and, from browsing the source, it appears that this fix is included (it's not mentioned as a major issue) along with other fixes. So I assume we just need to update the installers to use 1.1.1j. The question is then do we need to push updated installers for 3.9.x and 3.8.x? Setting to "deferred blocker" pending a decision. @christian? @Łukasz?
Now updated to OpenSSL 1.1.1k in bpo-43631 |