Drop support for OpenSSL<1.1.1

[pquentin]

Context

The TLS situation in Python has considerably improved since the early years of urllib3, thanks to the hard work of persons like Christian Heimes and Cory Benfield. urllib3 took advantage of new features even when only a subset of users could use it, and still accepts OpenSSL versions that don't have SNI, for example.

Here's what OpenSSL currently supports:

• Version 1.1.1 will be supported until 2023-09-11 (LTS).
• Version 1.0.2 is no longer supported. Extended support for 1.0.2 to gain access to security fixes for that version is available.
• Versions 1.1.0, 1.0.1, 1.0.0 and 0.9.8 are no longer supported.

RHEL 6 supports 1.0.1e+ and RHEL 7 only supports 1.0.2k and beyond.

We also know that Python 3.10+ will require OpenSSL 1.1.1+ thanks to PEP 644.

Given this the only operating systems that would be in a tough spot if we decide to drop support for OpenSSL <1.1.1 are OSes who:

• Still support OpenSSL <1.1.1 as their default OpenSSL
• Use Python >=3.7 but <3.10 for their default Python
• Are likely to upgrade their system package for urllib3 to v2.0

The combination of the above three is very unlikely. We've identified a few OSes we'd like to evaluate to make sure before we release v2.0:

• Amazon Linux 2
• Gentoo

Minimum requirements

💰 You can get paid to complete this issue! Please read the docs for more information.

• Evaluate the above OSes to see if they'd be impacted by dropping support for OpenSSL <1.1.1. Leave this in a comment in this issue.
• Raise an ImportError if not OpenSSL or ssl.OPENSSL_VERSION < (1, 1, 1) with a message about urllib3 v2.0 requiring OpenSSL 1.1.1+
• Remove work-arounds for conditional features around the ssl module that are due to OpenSSL <1.1.1 (minimum_version, HAS_SNI, _is_openssl_gt_v1_1_1, more examples below)
• Add documentation for urllib3 requiring OpenSSL 1.1.1+
• Add a newfragment

[sethmlarson]

• I'm in favor of dropping support for OpenSSL <1.0.2
  • However I'm not sure if we can stop supporting ssl without SNI, might require a bit more research (can you disable SNI at compile time of OpenSSL? Might be something that microcontrollers do?)
• If PEP 644 goes through we can discuss dropping OpenSSL <1.1.1, but I'm not sure beyond tighter support matrices what we gain from doing that? Does our code rely on detecting OpenSSL 1.1.1 features beyond TLS 1.3?
• Definitely remove notOpenSSL098

[pquentin]

• SNI can be disabled in 1.0.2, but no longer in 1.1.0: openssl/openssl@e481f9b. We'll keep the check for now.
• We currently rely on detection of OpenSSL/Python versions to:
  • Enable SNI (see SNIMissingWarning)
  • Use OpenSSL ciphers for OpenSSL 1.1.1+
  • Call context.set_alpn_protocols(ALPN_PROTOCOLS)
  • Enable post-handshake authentication
  • Use SSLKEYLOGFILE
  • Call load_default_certs
• Will remove notOpenSSL098, thanks Done

[pquentin]

For reference, PEP 644 was accepted for Python 3.10.

[graingert]

how about requiring OpenSSL 1.1.0g or newer? This would fix #2636

[pquentin]

I think that requiring 1.1.1+ for v2 is reasonable, which is what RHEL 8 and Debian stable support. While RHEL 7 is still supporting 1.0.2k+, it is end of life, and for context they still ship urllib3 1.10! Also, while we have CI for 1.1.1 and 3.0.0, we don't have anything for 1.0.2 or 1.1.0.

[graingert]

requiring 1.1.1+ will also allow dropping of pyopenssl inject_into_urllib3 https://github.com/psf/requests/search?q=inject_into_urllib3&type=code and if urllib3 drops ssl 1.0.1 then SecureTransport can go too: https://github.com/pypa/pip/blob/bf91a079791f2daf4339115fb39ce7d7e33a9312/src/pip/_internal/utils/inject_securetransport.py#L24

[sethmlarson]

It'd be interesting to see which flavors of Linux are both using OpenSSL <1.1.1 and likely to update to urllib3 v2.0 as a part of their system libraries specifically. I suspect the list is extremely small. Given that information I'd like to consider only supporting OpenSSL 1.1.1+ for v2.0 unless we find an example that's still using OpenSSL <1.1.1.

Does anyone have such an example?

[sethmlarson]

From this link: https://repology.org/project/openssl/versions

Linux flavors of interest:

• AlmaLinux 8 (OpenSSL 1.0.2 / 1.1.1)
• AlmaLinux 9 (OpenSSL 3.0)
• Alpine 3.8 (OpenSSL 1.0.2)
• Alpine 3.9+ (OpenSSL 1.1.1+)
• Amazon Linux 1 (OpenSSL 1.0.2)
• Amazon Linux 2 (OpenSSL 1.0.2/1.1.1+) Drop support for OpenSSL<1.1.1 #2168 (comment)
• Arch (OpenSSL 1.1.1)
• CentOS 6 (OpenSSL 1.0.1)
• CentOS 7 (OpenSSL 1.0.2)
• CentOS 8+ (OpenSSL 1.1.1+)
• Debian 10+ (OpenSSL 1.1.1/3.0)
• Fedora 29+ (OpenSSL 1.1.1+)
• Gentoo stable (OpenSSL 1.1.1o - Drop support for OpenSSL<1.1.1 #2168 (comment))
• Raspbian stable (OpenSSL 1.1.1+)
• Ubuntu 18.04+ (OpenSSL 1.1.1+)

Would be great to fill in the ⚠️ with details. Done

[sethmlarson]

@pquentin Brought up the case where a downstream packaged pip unbundles urllib3, if the user were to upgrade their system's installation of urllib3 they'd essentially brick their system and not be able to downgrade urllib3 using pip alone.

I'm not sure there's a way we can both use static build system and disallow users from installing urllib3 v2.0 on a system with OpenSSL <1.1.1 so any guard rails here would be for cleaning up the mess afterwards?

Perhaps we can point to documentation on how to unmangle your system if you've upgraded urllib3 after running pip install with system Python?

[graingert]

a downstream packaged pip unbundles urllib3

The system unbundled system pip is usually on a very old python version

[sethmlarson]

True, so the system would also have to have Python 3.7-3.9 installed to have this issue since urllib3 v2.0 requires 3.7+ and 3.10 requires OpenSSL 1.1.1+.

[graingert]

Are there any distributions with an unbundled pip with openssl < 1.1.1 running on python 3.7+?

[sethmlarson]

Probably not. Outside of anyone else bringing a good reason for us to support OpenSSL 1.1.0 or earlier we're going to drop support of OpenSSL <1.1.1. Going to update this issue appropriately.

[pquentin]

@mgorny Is requiring OpenSSL 1.1.1+ for urllib3 2.0 going to be a problem for Gentoo?

[mgorny]

Not at all, Gentoo stable is at 1.1.1o already.

[mgorny]

(Thanks for asking)

[pquentin]

Amazon Linux 2 has an openssl11 package but comes with OpenSSL 1.0.2 preinstalled:

$ docker run -ti amazonlinux:2 yum list | grep openssl | grep installed
openssl-libs.x86_64                    1:1.0.2k-24.amzn2.0.3          installed 

But then it's also preinstalled with Python 2.7:

$ docker run -ti amazonlinux:2 python
Python 2.7.18 (default, May 25 2022, 14:30:51) 
[GCC 7.3.1 20180712 (Red Hat 7.3.1-15)] on linux2

Updated the list above with that information. I don't think that changes our plans.

(I'm also not claiming that issue even if I completed the first item.)

[IvanLauLinTiong]

pyOpenSSL is deprecated and will be removed in future release version 2.x (#2691).

[geopopos]

Is there a way to force OpenSSL? I am getting the following error
ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with LibreSSL 2.8.3. See

[gopackgo90]

Is there a way to force OpenSSL? I am getting the following error ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with LibreSSL 2.8.3. See

LibreSSL isn't supported anymore as of 2.0, see https://urllib3.readthedocs.io/en/stable/v2-migration-guide.html#what-are-the-important-changes

Removed support for non-OpenSSL TLS libraries (like LibreSSL and wolfSSL).

and https://urllib3.readthedocs.io/en/stable/changelog.html

Removed support for Python with an ssl module compiled with LibreSSL, CiscoSSL, wolfSSL, and all other OpenSSL alternatives. Python is moving to require OpenSSL with PEP 644 (#2168).

[vincent-paing]

Seeing ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with LibreSSL 2.8.3. See: https://github.com/urllib3/urllib3/issues/2168 when I import tensorflow on macOS. it pointed me to this issue, can someone help me with what's the fix for this?

[akrsh24]

I faced the same issue. I switched to a different Python kernel (3.11.2) and it worked.

[stefan11111]

This breaks libressl compatibility on gentoo.
https://forums.gentoo.org/viewtopic-p-8788598.html#8788598

[gopackgo90]

This breaks libressl compatibility on gentoo.
https://forums.gentoo.org/viewtopic-p-8788598.html#8788598

Dropping LibreSSL support is intentional, see #2168 (comment).

[ionenwks]

This breaks libressl compatibility on gentoo.

Just for the record, Gentoo does not officially support LibreSSL anymore, so typical users are not affected.

[orbea]

Just for the record, Gentoo does not officially support LibreSSL anymore, so typical users are not affected.

LibreSSL is supported here. https://github.com/gentoo/libressl

[orbea]

I tested this patch locally against urllib3 2.0.2 and it seems to work so far with LibreSSL 3.7.2, is there a reason why it must be extra hard to use LibreSSL? If there are bugs or missing features inside of LibreSSL that are important then those should be reported upstream, but right now it seems like obstacles for the sake of having obstacles.

--- a/src/urllib3/__init__.py
+++ b/src/urllib3/__init__.py
@@ -32,7 +32,10 @@ except ImportError:
 else:
     # fmt: off
     if (
-        not ssl.OPENSSL_VERSION.startswith("OpenSSL ")
+        not (
+            ssl.OPENSSL_VERSION.startswith("OpenSSL ")
+            or ssl.OPENSSL_VERSION.startswith("LibreSSL ")
+        )
         or ssl.OPENSSL_VERSION_INFO < (1, 1, 1)
     ):  # Defensive:
         raise ImportError(

[sigmavirus24]

As had been shared twice now in very recent comments above, update Python is doing libressl support for the standard library. #2168 (comment)