diff --git a/pep-0644.rst b/pep-0644.rst index 570398b62..5697ffe73 100644 --- a/pep-0644.rst +++ b/pep-0644.rst @@ -1,5 +1,5 @@ PEP: 644 -Title: Require OpenSSL 1.1 or newer +Title: Require OpenSSL 1.1.1 or newer Author: Christian Heimes BDFL-Delegate: n/a Discussions-To: https://discuss.python.org/t/pep-644-require-openssl-1-1-or-newer/5584 @@ -8,7 +8,7 @@ Type: Standards Track Content-Type: text/x-rst Created: 27-Oct-2020 Python-Version: 3.10 -Post-History: 27-Oct-2020, 03-Mar-2021 +Post-History: 27-Oct-2020, 03-Mar-2021, 17-Mar-2021 Abstract @@ -106,7 +106,7 @@ support for ChaCha20-Poly1305, BLAKE2 (basic features), X25519 and CT. The majority of structs were made opaque and new APIs were introduced. OpenSSL 1.1.0 is not API compatible with 1.0.2. -- Debian 9 Stretch (estimated EOL 2022-06) +- Debian 9 Stretch (security support ended 2020-07, LTS until 2022-06) - Ubuntu 18.04 LTS / Bionic (general support ends 2023-04) @@ -122,6 +122,7 @@ OpenSSL 1.1.1 added TLS 1.3, SHA-3, X448 and Ed448. - Arch Linux current - CentOS 8.0+ - Debian 10 Buster +- Debian 11 Bullseye (ETA 2021-06) - Fedora 29+ - FreeBSD 11.3+ - Gentoo Linux stable (dropped LibreSSL as alternative in January 2021 [10]_) 
@@ -138,11 +139,22 @@ OpenSSL 1.1.1 added TLS 1.3, SHA-3, X448 and Ed448. - VoidLinux (switched back to OpenSSL in March 2021 [5]_) - Windows (python.org installer, Conda) +Major CI providers provide images with OpenSSL 1.1.1. + +- AppVeyor (with image ``Ubuntu2004``) +- CircleCI (with recent ``cimg/base:stable`` or ``cimg/base:stable-20.04``) +- GitHub Actions (with ``runs-on: ubuntu-20.04``) +- Giblab CI (with Debian Stretch, Ubuntu Focal, CentOS 8, RHEL 8, or Fedora + runner) +- Packit +- TravisCI (with ``dist: focal``) +- Zuul + OpenSSL 3.0.0 ------------- -released: n/a (planned for early 2021) +released: n/a (planned for mid/late 2021) OpenSSL 3.0.0 is currently under development. Major changes include relicensing to Apache License 2.0 and a new API for cryptographic algorithms 
@@ -299,14 +311,33 @@ or extend compatibility with EOLed releases as we see fit. The new ABI stability and LTS policies of OpenSSL [9]_ should help, too. +Keep support for OpenSSL 1.1.0 +------------------------------ + +It was suggested to keep support for OpenSSL 1.1.0 for compatibility with +Debian 9 (Stretch). The proposal was rejected since it would complicated code +cleanup and testing. Stretch is already out of regular security support and +close to end of long-term support. By the time of Python 3.10 final release, +Debian Buster and Debian Bullseye will be available. + +Instead Python 3.10 will gain additional documentation and a new +``configure`` option ``--with-openssl-rpath=auto`` to simplify use of custom +OpenSSL builds [11]. + Backwards Compatibility ======================= Python 3.10 will no longer support TLS/SSL and fast hashing on platforms -with OpenSSL 1.0.2 or LibreSSL. This PEP is published at the beginning of -the 3.10 release cycles. It gives vendors like Linux distributors or CI -providers roughly 11 months to react. +with OpenSSL 1.0.2 or LibreSSL. The first draft of this PEP was published at +the beginning of the 3.10 release cycles to give vendors like Linux +distributors or CI providers sufficient time to plan. + +Python's internal copy of the *Keccak Code Package* and the internal +``_sha3`` module will be removed. This will reduce source code size by +about 280kB and code size by roughly 0.5MB. The ``hashlib`` will solely rely +on OpenSSL's SHA-3 implementation. SHA-3 and SHAKE will no longer be available +without OpenSSL. Disclaimer and special thanks @@ -332,6 +363,7 @@ References .. [8] https://www.openssl.org/docs/OpenSSL300Design.html .. [9] https://www.openssl.org/policies/releasestrat.html .. [10] https://www.gentoo.org/support/news-items/2021-01-05-libressl-support-discontinued.html +.. [11] https://bugs.python.org/issue43466 Copyright
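Review bot: in the new "Major CI providers" list, "Giblab CI" should read "GitLab CI", and listing "Debian Stretch" as a runner that provides OpenSSL 1.1.1 contradicts the first hunk, where Debian 9 Stretch appears under the OpenSSL 1.1.0 section (and the new "Keep support for OpenSSL 1.1.0" section argues Stretch is exactly the platform being dropped). Either drop Stretch from the GitLab CI entry or move it to an explicit "still on 1.1.0" note. Also consider rewording the lead sentence "Major CI providers provide images with OpenSSL 1.1.1." to avoid "providers provide", e.g. "Major CI providers offer images with OpenSSL 1.1.1."

Review bot: the reference in "to simplify use of custom OpenSSL builds [11]." is missing the trailing underscore that reStructuredText needs for a citation link; every other reference in the file uses the ``[N]_`` form (see ``[9]_`` and ``[10]_`` in the surrounding context), so this one should be ``[11]_`` or Sphinx will render it as literal text and may warn about an unreferenced citation target for the new ``.. [11]`` entry.

Review bot: a few grammar fixes in the "Keep support for OpenSSL 1.1.0" and "Backwards Compatibility" hunks: "since it would complicated code cleanup" should be "since it would complicate code cleanup"; "at the beginning of the 3.10 release cycles" should be singular "release cycle"; and "The ``hashlib`` will solely rely on OpenSSL's SHA-3 implementation" reads better as "The ``hashlib`` module will rely solely on OpenSSL's SHA-3 implementation." The last paragraph should also make the user-visible consequence explicit in one place, e.g. "``hashlib.sha3_*`` and ``hashlib.shake_*`` are unavailable when Python is built without OpenSSL", since that is the only behavioural regression this section introduces.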