
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="color-scheme" content="light dark">
<title>PEP 644 Require OpenSSL 1.1.1 or newer | peps.python.org</title>
<link rel="shortcut icon" href="../_static/py.png">
<link rel="canonical" href="https://peps.python.org/pep-0644/">
<link rel="stylesheet" href="../_static/style.css" type="text/css">
<link rel="stylesheet" href="../_static/mq.css" type="text/css">
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" media="(prefers-color-scheme: light)" id="pyg-light">
<link rel="stylesheet" href="../_static/pygments_dark.css" type="text/css" media="(prefers-color-scheme: dark)" id="pyg-dark">
<link rel="alternate" type="application/rss+xml" title="Latest PEPs" href="https://peps.python.org/peps.rss">
<meta property="og:title" content='PEP 644 Require OpenSSL 1.1.1 or newer | peps.python.org'>
<meta property="og:description" content="This PEP proposes for CPython's standard library to support only OpenSSL 1.1.1 LTS or newer. Support for OpenSSL versions past end-of-lifetime, incompatible forks, and other TLS libraries is dropped.">
<meta property="og:type" content="website">
<meta property="og:url" content="https://peps.python.org/pep-0644/">
<meta property="og:site_name" content="Python Enhancement Proposals (PEPs)">
<meta property="og:image" content="https://peps.python.org/_static/og-image.png">
<meta property="og:image:alt" content="Python PEPs">
<meta property="og:image:width" content="200">
<meta property="og:image:height" content="200">
<meta name="description" content="This PEP proposes for CPython's standard library to support only OpenSSL 1.1.1 LTS or newer. Support for OpenSSL versions past end-of-lifetime, incompatible forks, and other TLS libraries is dropped.">
<meta name="theme-color" content="#3776ab">
</head>
<body>
<svg xmlns="http://www.w3.org/2000/svg" style="display: none;">
<symbol id="svg-sun-half" viewBox="0 0 24 24" pointer-events="all">
<title>Following system colour scheme</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="9"></circle>
<path d="M12 3v18m0-12l4.65-4.65M12 14.3l7.37-7.37M12 19.6l8.85-8.85"></path>
</svg>
</symbol>
<symbol id="svg-moon" viewBox="0 0 24 24" pointer-events="all">
<title>Selected dark colour scheme</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<path stroke="none" d="M0 0h24v24H0z" fill="none"></path>
<path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z"></path>
</svg>
</symbol>
<symbol id="svg-sun" viewBox="0 0 24 24" pointer-events="all">
<title>Selected light colour scheme</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="5"></circle>
<line x1="12" y1="1" x2="12" y2="3"></line>
<line x1="12" y1="21" x2="12" y2="23"></line>
<line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
<line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
<line x1="1" y1="12" x2="3" y2="12"></line>
<line x1="21" y1="12" x2="23" y2="12"></line>
<line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
<line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
</svg>
</symbol>
</svg>
<script>
document.documentElement.dataset.colour_scheme = localStorage.getItem("colour_scheme") || "auto"
</script>
<section id="pep-page-section">
<header>
<h1>Python Enhancement Proposals</h1>
<ul class="breadcrumbs">
<li><a href="https://www.python.org/" title="The Python Programming Language">Python</a> &raquo; </li>
<li><a href="../pep-0000/">PEP Index</a> &raquo; </li>
<li>PEP 644</li>
</ul>
<button id="colour-scheme-cycler" onClick="setColourScheme(nextColourScheme())">
<svg aria-hidden="true" class="colour-scheme-icon-when-auto"><use href="#svg-sun-half"></use></svg>
<svg aria-hidden="true" class="colour-scheme-icon-when-dark"><use href="#svg-moon"></use></svg>
<svg aria-hidden="true" class="colour-scheme-icon-when-light"><use href="#svg-sun"></use></svg>
<span class="visually-hidden">Toggle light / dark / auto colour theme</span>
</button>
</header>
<article>
<section id="pep-content">
<h1 class="page-title">PEP 644 Require OpenSSL 1.1.1 or newer</h1>
<dl class="rfc2822 field-list simple">
<dt class="field-odd">Author<span class="colon">:</span></dt>
<dd class="field-odd">Christian Heimes &lt;christian&#32;&#97;t&#32;python.org&gt;</dd>
<dt class="field-even">Discussions-To<span class="colon">:</span></dt>
<dd class="field-even"><a class="reference external" href="https://discuss.python.org/t/pep-644-require-openssl-1-1-or-newer/5584">Discourse thread</a></dd>
<dt class="field-odd">Status<span class="colon">:</span></dt>
<dd class="field-odd"><abbr title="Accepted and implementation complete, or no longer active">Final</abbr></dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><abbr title="Normative PEP with a new feature for Python, implementation change for CPython or interoperability standard for the ecosystem">Standards Track</abbr></dd>
<dt class="field-odd">Created<span class="colon">:</span></dt>
<dd class="field-odd">27-Oct-2020</dd>
<dt class="field-even">Python-Version<span class="colon">:</span></dt>
<dd class="field-even">3.10</dd>
<dt class="field-odd">Post-History<span class="colon">:</span></dt>
<dd class="field-odd">27-Oct-2020, 03-Mar-2021, 17-Mar-2021, 17-Apr-2021</dd>
<dt class="field-even">Resolution<span class="colon">:</span></dt>
<dd class="field-even"><a class="reference external" href="https://mail.python.org/archives/list/python-dev&#64;python.org/message/INLCO2EZVQW7R7J2OL6HWVLVU3TQRAZV/">Python-Dev message</a></dd>
</dl>
<hr class="docutils" />
<section id="contents">
<details><summary>Table of Contents</summary><ul class="simple">
<li><a class="reference internal" href="#abstract">Abstract</a></li>
<li><a class="reference internal" href="#motivation">Motivation</a></li>
<li><a class="reference internal" href="#impact">Impact</a><ul>
<li><a class="reference internal" href="#openssl-1-0-2-lts">OpenSSL 1.0.2 LTS</a></li>
<li><a class="reference internal" href="#openssl-1-1-0">OpenSSL 1.1.0</a></li>
<li><a class="reference internal" href="#openssl-1-1-1-lts">OpenSSL 1.1.1 LTS</a></li>
<li><a class="reference internal" href="#openssl-3-0-0">OpenSSL 3.0.0</a></li>
<li><a class="reference internal" href="#libressl">LibreSSL</a></li>
<li><a class="reference internal" href="#boringssl">BoringSSL</a></li>
</ul>
</li>
<li><a class="reference internal" href="#benefits">Benefits</a><ul>
<li><a class="reference internal" href="#tls-1-3">TLS 1.3</a></li>
<li><a class="reference internal" href="#thread-and-fork-safety">Thread and fork safety</a></li>
<li><a class="reference internal" href="#sha-3">SHA-3</a></li>
</ul>
</li>
<li><a class="reference internal" href="#compatibility">Compatibility</a><ul>
<li><a class="reference internal" href="#openssl-downstream-patches-and-options">OpenSSL downstream patches and options</a></li>
<li><a class="reference internal" href="#libressl-support">LibreSSL support</a></li>
<li><a class="reference internal" href="#id12">BoringSSL</a></li>
</ul>
</li>
<li><a class="reference internal" href="#rejected-ideas">Rejected Ideas</a><ul>
<li><a class="reference internal" href="#formalize-supported-openssl-versions">Formalize supported OpenSSL versions</a></li>
<li><a class="reference internal" href="#keep-support-for-openssl-1-1-0">Keep support for OpenSSL 1.1.0</a></li>
</ul>
</li>
<li><a class="reference internal" href="#backwards-compatibility">Backwards Compatibility</a></li>
<li><a class="reference internal" href="#disclaimer-and-special-thanks">Disclaimer and special thanks</a></li>
<li><a class="reference internal" href="#references">References</a></li>
<li><a class="reference internal" href="#copyright">Copyright</a></li>
</ul>
</details></section>
<section id="abstract">
<h2><a class="toc-backref" href="#abstract" role="doc-backlink">Abstract</a></h2>
<p>This PEP proposes for CPython's standard library to support only OpenSSL
1.1.1 LTS or newer. Support for OpenSSL versions past end-of-lifetime,
incompatible forks, and other TLS libraries is dropped.</p>
</section>
<section id="motivation">
<h2><a class="toc-backref" href="#motivation" role="doc-backlink">Motivation</a></h2>
<p>Python makes use of OpenSSL in the <code class="docutils literal notranslate"><span class="pre">hashlib</span></code>, <code class="docutils literal notranslate"><span class="pre">hmac</span></code>, and <code class="docutils literal notranslate"><span class="pre">ssl</span></code> modules. OpenSSL
provides fast implementations of cryptographic primitives and a full TLS
stack including handling of X.509 certificates. The <code class="docutils literal notranslate"><span class="pre">ssl</span></code> module is used by
standard library modules like <code class="docutils literal notranslate"><span class="pre">urllib</span></code> and third-party modules like <code class="docutils literal notranslate"><span class="pre">urllib3</span></code>
to implement secure variants of internet protocols. <code class="docutils literal notranslate"><span class="pre">pip</span></code> uses the <code class="docutils literal notranslate"><span class="pre">ssl</span></code>
module to securely download packages from PyPI. Any bug in the <code class="docutils literal notranslate"><span class="pre">ssl</span></code> module's
bindings to OpenSSL can lead to a severe security issue.</p>
<p>Over time OpenSSL's public API has evolved and changed. Version 1.0.2
introduced new APIs to verify and match hostnames. OpenSSL 1.1.0 made
internal structs opaque and introduced new APIs that replace direct access to
struct members. Version 3.0.0 will deprecate more APIs due to an internal
reorganization that moves cryptographic algorithms out of the core and into
providers. Forks like LibreSSL and BoringSSL have diverged in different
directions.</p>
<p>Currently Python versions 3.6 to 3.9 are compatible with OpenSSL 1.0.2,
1.1.0, and 1.1.1. For the most part, Python also works with LibreSSL &gt;= 2.7.1,
with some missing features and broken tests.</p>
<p>Due to limited resources and time it becomes increasingly hard to support
multiple versions and forks as well as to test and verify correctness. Besides
multiple incompatible APIs there are build time flags,
distribution-specific patches, and local crypto-policy settings that add to
the plethora of combinations. On the other hand, the Python core team has only
a couple of domain experts who are familiar with TLS and OpenSSL internals
and even fewer who are active maintainers.</p>
<p>Requiring OpenSSL 1.1.1 would allow us to give the vast majority of users a
better experience, reduce our maintenance overhead and thus free resources
to implement new features. Users would be able to rely on the presence of
new features and consistent behavior, ultimately resulting in a more robust
experience.</p>
</section>
<section id="impact">
<h2><a class="toc-backref" href="#impact" role="doc-backlink">Impact</a></h2>
<p>OpenSSL 1.1.1 is the default variant and version of OpenSSL on almost all
supported platforms and distributions. It's also the only version that still
receives security support from upstream <a class="footnote-reference brackets" href="#id23" id="id1">[9]</a>.</p>
<p>No macOS or Windows user will be affected by the deprecation. The python.org
installer and alternative distributions like Conda ship with the most recent
OpenSSL version.</p>
<p>As of October 2020 and according to DistroWatch <a class="footnote-reference brackets" href="#id15" id="id2">[1]</a>, most current BSD and
Linux distributions ship with OpenSSL 1.1.1 as well. Some older releases of
long-term support (LTS) and enterprise distributions have older versions of
OpenSSL or LibreSSL. By the time Python 3.10 is generally available,
several of these distributions will have reached end of life, end of
general support, or moved from LibreSSL to OpenSSL.</p>
<p>Other software has dropped support for OpenSSL 1.0.2 as well. For example,
PyCA cryptography 3.2 (2020-10-25) removed compatibility with OpenSSL 1.0.2.</p>
<section id="openssl-1-0-2-lts">
<h3><a class="toc-backref" href="#openssl-1-0-2-lts" role="doc-backlink">OpenSSL 1.0.2 LTS</a></h3>
<p>released: 2015-02
end of lifetime: 2019-12</p>
<p>OpenSSL 1.0.2 added hostname verification, ALPN support, and elliptic curves.</p>
<ul class="simple">
<li>CentOS 7 (EOL 2024-06)</li>
<li>Debian 8 Jessie (EOL 2020-07)</li>
<li>Linux Mint 18.3 (EOL 2021-04)</li>
<li>RHEL 7 (full support ends 2019-08, maintenance 2 support ends 2024-06)</li>
<li>SUSE Enterprise Linux 12-SP5 (general support ends 2024-10)</li>
<li>Ubuntu 16.04 LTS / Xenial (general support ends 2021-04)</li>
</ul>
</section>
<section id="openssl-1-1-0">
<h3><a class="toc-backref" href="#openssl-1-1-0" role="doc-backlink">OpenSSL 1.1.0</a></h3>
<p>released: 2016-08
end of lifetime: 2019-09</p>
<p>OpenSSL 1.1.0 removed or disabled insecure ciphers by default and added
support for ChaCha20-Poly1305, BLAKE2 (basic features), X25519 and CT. The
majority of structs were made opaque and new APIs were introduced. OpenSSL
1.1.0 is not API compatible with 1.0.2.</p>
<ul class="simple">
<li>Debian 9 Stretch (security support ended 2020-07, LTS until 2022-06)</li>
<li>Ubuntu 18.04 LTS / Bionic (general support ends 2023-04)</li>
</ul>
</section>
<section id="openssl-1-1-1-lts">
<h3><a class="toc-backref" href="#openssl-1-1-1-lts" role="doc-backlink">OpenSSL 1.1.1 LTS</a></h3>
<p>released: 2018-08
end of lifetime: 2023-09 (planned)</p>
<p>OpenSSL 1.1.1 added TLS 1.3, SHA-3, X448 and Ed448.</p>
<ul class="simple">
<li>Alpine (switched back to OpenSSL in 2018 <a class="footnote-reference brackets" href="#id18" id="id3">[4]</a>)</li>
<li>Arch Linux current</li>
<li>CentOS 8.0+</li>
<li>Debian 10 Buster</li>
<li>Debian 11 Bullseye (ETA 2021-06)</li>
<li>Fedora 29+</li>
<li>FreeBSD 11.3+</li>
<li>Gentoo Linux stable (dropped LibreSSL as alternative in January 2021 <a class="footnote-reference brackets" href="#id24" id="id4">[10]</a>)</li>
<li>HardenedBSD (switched back to OpenSSL in 2018 <a class="footnote-reference brackets" href="#id17" id="id5">[3]</a>)</li>
<li>Linux Mint 19.3+</li>
<li>macOS (python.org installer)</li>
<li>NetBSD 8.2+</li>
<li>openSUSE 15.2+</li>
<li>RHEL 8.0+</li>
<li>Slackware current</li>
<li>SUSE Enterprise Linux 15-SP2</li>
<li>Ubuntu 18.10+</li>
<li>Ubuntu 20.04 LTS / Focal</li>
<li>VoidLinux (switched back to OpenSSL in March 2021 <a class="footnote-reference brackets" href="#id19" id="id6">[5]</a>)</li>
<li>Windows (python.org installer, Conda)</li>
</ul>
<p>Major CI providers provide images with OpenSSL 1.1.1.</p>
<ul class="simple">
<li>AppVeyor (with image <code class="docutils literal notranslate"><span class="pre">Ubuntu2004</span></code>)</li>
<li>CircleCI (with recent <code class="docutils literal notranslate"><span class="pre">cimg/base:stable</span></code> or <code class="docutils literal notranslate"><span class="pre">cimg/base:stable-20.04</span></code>)</li>
<li>GitHub Actions (with <code class="docutils literal notranslate"><span class="pre">runs-on:</span> <span class="pre">ubuntu-20.04</span></code>)</li>
<li>GitLab CI (with Debian Stretch, Ubuntu Focal, CentOS 8, RHEL 8, or Fedora
runner)</li>
<li>Packit</li>
<li>TravisCI (with <code class="docutils literal notranslate"><span class="pre">dist:</span> <span class="pre">focal</span></code>)</li>
<li>Zuul</li>
</ul>
</section>
<section id="openssl-3-0-0">
<h3><a class="toc-backref" href="#openssl-3-0-0" role="doc-backlink">OpenSSL 3.0.0</a></h3>
<p>released: n/a (planned for mid/late 2021)</p>
<p>OpenSSL 3.0.0 is currently under development. Major changes include
relicensing to Apache License 2.0 and a new API for cryptographic algorithm
providers. Most changes are internal refactorings and don't affect public
APIs. <a class="footnote-reference brackets" href="#id22" id="id7">[8]</a></p>
</section>
<section id="libressl">
<h3><a class="toc-backref" href="#libressl" role="doc-backlink">LibreSSL</a></h3>
<p>created: 2014-04 (forked from OpenSSL 1.0.1g)</p>
<ul class="simple">
<li>DragonFly BSD</li>
<li>Hyperbola GNU/Linux-libre</li>
<li>OpenBSD</li>
<li>OpenELEC (discontinued)</li>
<li>TrueOS (discontinued)</li>
</ul>
<p>Some distributions, like FreeBSD and OPNsense, also offer LibreSSL as a
non-default alternative to OpenSSL. Gentoo discontinued
LibreSSL as an alternative to OpenSSL in January 2021 <a class="footnote-reference brackets" href="#id24" id="id8">[10]</a> due to
compatibility issues and little testing.</p>
<p>OpenBSD ports has a port <code class="docutils literal notranslate"><span class="pre">security/openssl/1.1</span></code> which is documented as
“[…] is present to provide support for applications which cannot be made
compatible with LibReSSL” <a class="footnote-reference brackets" href="#id21" id="id9">[7]</a>. The package could be used by OpenBSD to
provide a working ssl module.</p>
</section>
<section id="boringssl">
<h3><a class="toc-backref" href="#boringssl" role="doc-backlink">BoringSSL</a></h3>
<p>created: 2014-06</p>
<p>BoringSSL is Google's fork of OpenSSL. It's not intended for general use and
therefore not supported by Python. There are no guarantees of API or ABI
stability. Vendored copies of BoringSSL are used in the Chrome/Chromium browser,
Android, and on Apple platforms <a class="footnote-reference brackets" href="#id20" id="id10">[6]</a>.</p>
</section>
</section>
<section id="benefits">
<h2><a class="toc-backref" href="#benefits" role="doc-backlink">Benefits</a></h2>
<section id="tls-1-3">
<h3><a class="toc-backref" href="#tls-1-3" role="doc-backlink">TLS 1.3</a></h3>
<p>OpenSSL 1.1.1 introduced support for TLS 1.3. The latest
version of the TLS protocol has a faster handshake and is more secure than
the previous versions.</p>
</section>
<section id="thread-and-fork-safety">
<h3><a class="toc-backref" href="#thread-and-fork-safety" role="doc-backlink">Thread and fork safety</a></h3>
<p>Starting with release 1.1.0c, OpenSSL is fully fork and thread safe.
Bindings no longer need any workarounds or additional callbacks to support
multithreading.</p>
</section>
<section id="sha-3">
<h3><a class="toc-backref" href="#sha-3" role="doc-backlink">SHA-3</a></h3>
<p>Since 1.1.1, OpenSSL ships with SHA-3 and SHAKE implementations.
Python's builtin SHA-3 support is based on the reference implementation. The
internal <code class="docutils literal notranslate"><span class="pre">_sha3</span></code> code is fairly large and the resulting shared library close
to 0.5 MB. Python could drop the builtin implementation and rely on OpenSSL's
<code class="docutils literal notranslate"><span class="pre">libcrypto</span></code> instead.</p>
<p>So far LibreSSL upstream development has refused to add SHA-3 support. <a class="footnote-reference brackets" href="#id16" id="id11">[2]</a></p>
</section>
</section>
<section id="compatibility">
<h2><a class="toc-backref" href="#compatibility" role="doc-backlink">Compatibility</a></h2>
<section id="openssl-downstream-patches-and-options">
<h3><a class="toc-backref" href="#openssl-downstream-patches-and-options" role="doc-backlink">OpenSSL downstream patches and options</a></h3>
<p>OpenSSL features more than 70 configure and build time options in the form
of <code class="docutils literal notranslate"><span class="pre">OPENSSL_NO_*</span></code> macros. Around 60 options affect the presence of features
like cryptographic algorithms and TLS versions. Some distributions apply
patches to alter settings. Furthermore, default values for settings like
security level, ciphers, TLS version range, and signature algorithms can
be set in the OpenSSL config file.</p>
<p>The Python core team lacks resources to test all possible combinations.
This PEP proposes that Python only supports OpenSSL builds that have
standard features enabled. Vendors shall disable deprecated or insecure
algorithms and TLS versions with build time options like
<code class="docutils literal notranslate"><span class="pre">OPENSSL_NO_TLS1_1_METHOD</span></code> or OpenSSL config options like
<code class="docutils literal notranslate"><span class="pre">MinProtocol</span> <span class="pre">=</span> <span class="pre">TLSv1.2</span></code>.</p>
<p>Python assumes that OpenSSL is built with</p>
<ul class="simple">
<li>hashlib's default algorithms such as MD5, SHA-1, the SHA-2 family,
the SHA-3/SHAKE family, and BLAKE2</li>
<li>TLS 1.2 and TLS 1.3 protocols</li>
<li>current key agreement, signature, and encryption algorithms for TLS 1.2
and 1.3 (ECDH, RSA, ECDSA, Curve25519, AES, ChaCha20-Poly1305, …)</li>
<li>threading, file I/O, socket I/O, and error messages</li>
</ul>
<p>Weak algorithms (MD5, SHA-1 signatures) and short keys (RSA &lt; 2048 bits) may
be disabled at runtime. Algorithms may also be blocked when they are
disabled by a crypto policy such as FIPS. The PEP is deliberately not more
specific, to give room for new features as well as countermeasures against
vulnerabilities. As a rule of thumb, Python should be able to connect to
PyPI and the test suite should pass.</p>
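<p>The assumptions listed above, the SHA-3 point made under Benefits, and the
runtime blocking of weak algorithms can all be checked from inside the
interpreter. The audit below is an added example written for this page; it is
not code from CPython or from the PEP. It assumes Python 3.9 or newer (for the
<code class="docutils literal notranslate"><span class="pre">usedforsecurity</span></code> keyword) and uses only public
<code class="docutils literal notranslate"><span class="pre">ssl</span></code> and <code class="docutils literal notranslate"><span class="pre">hashlib</span></code> attributes; the digest list
<code class="docutils literal notranslate"><span class="pre">REQUIRED_DIGESTS</span></code>, the rules in <code class="docutils literal notranslate"><span class="pre">evaluate()</span></code>, and the
constructed <code class="docutils literal notranslate"><span class="pre">LIBRESSL_332_FACTS</span></code> sample are this example's own.</p>

```python
"""Audit the OpenSSL build behind CPython's ssl and hashlib modules against
the baseline PEP 644 assumes (added example; not CPython code)."""
import hashlib
import ssl

MIN_OPENSSL = (1, 1, 1)

# Digests PEP 644 expects hashlib to obtain from every supported OpenSSL
# build. Grouping them here is this example's choice, not a CPython list.
REQUIRED_DIGESTS = (
    "md5", "sha1", "sha256", "sha512",
    "sha3_256", "shake_128", "blake2b", "blake2s",
)


def digest_usable(name):
    """True if hashlib can construct digest `name` on this build.

    usedforsecurity=False (Python 3.9+) keeps MD5/SHA-1 constructible under a
    FIPS crypto policy; a digest compiled out with OPENSSL_NO_*, or an
    unknown name, still raises ValueError.
    """
    try:
        hashlib.new(name, usedforsecurity=False)
    except ValueError:
        return False
    return True


def sha3_backend():
    """'_hashlib' = OpenSSL libcrypto, '_sha3' = CPython's bundled fallback."""
    if not digest_usable("sha3_256"):
        return None
    return type(hashlib.new("sha3_256")).__module__


def collect_facts():
    """Gather the facts about the running interpreter that evaluate() judges."""
    return {
        "version_string": ssl.OPENSSL_VERSION,
        "version_info": ssl.OPENSSL_VERSION_INFO,
        "has_tls13": ssl.HAS_TLSv1_3,
        # Floor of a fresh client context: Python's default plus any
        # MinProtocol set in the OpenSSL config file.
        "tls_floor": ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).minimum_version.name,
        "digests": frozenset(d for d in REQUIRED_DIGESTS if digest_usable(d)),
        "sha3_backend": sha3_backend(),
    }


def evaluate(facts):
    """Return the ways `facts` fall short of the PEP 644 baseline.

    An empty list means the build qualifies. `facts` has the shape that
    collect_facts() returns, so dicts recorded on another host work too.
    """
    problems = []
    version_string = facts["version_string"]
    # LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000, so its version
    # tuple (2, 0, 0, ...) would pass a numeric comparison against 1.1.1.
    # The human-readable version string has to be checked first.
    if version_string.startswith("LibreSSL"):
        problems.append(f"{version_string}: LibreSSL is not supported")
    elif tuple(facts["version_info"][:3]) < MIN_OPENSSL:
        problems.append(f"{version_string}: older than OpenSSL 1.1.1")
    if not facts["has_tls13"]:
        problems.append("TLS 1.3 unavailable (pre-1.1.1 build or OPENSSL_NO_TLS1_3)")
    if facts["tls_floor"] not in ("TLSv1_2", "TLSv1_3"):
        problems.append(f"TLS floor is {facts['tls_floor']}; raise it to TLS 1.2 "
                        "via SSLContext.minimum_version or MinProtocol = TLSv1.2")
    missing = [d for d in REQUIRED_DIGESTS if d not in facts["digests"]]
    if missing:
        problems.append("hashlib cannot construct: " + ", ".join(missing))
    if facts["sha3_backend"] != "_hashlib":
        problems.append("SHA-3/SHAKE are not served by libcrypto "
                        f"(backend: {facts['sha3_backend']})")
    return problems


# Constructed facts for a LibreSSL 3.3.2 build (illustrative, not measured on a
# real host): every digest still constructs because CPython's bundled _sha3
# fills in, so only the version string gives the fork away.
LIBRESSL_332_FACTS = {
    "version_string": "LibreSSL 3.3.2",
    "version_info": (2, 0, 0, 0, 0),
    "has_tls13": True,
    "tls_floor": "TLSv1_2",
    "digests": frozenset(REQUIRED_DIGESTS),
    "sha3_backend": "_sha3",
}


if __name__ == "__main__":
    for label, facts in (("this interpreter", collect_facts()),
                         ("constructed LibreSSL 3.3.2", LIBRESSL_332_FACTS)):
        print(f"{label}: {facts['version_string']}")
        for line in evaluate(facts) or ["meets the PEP 644 baseline"]:
            print("  -", line)
```

<p>Run it directly to audit the current interpreter next to the constructed
LibreSSL sample, or hand <code class="docutils literal notranslate"><span class="pre">evaluate()</span></code> a facts dict captured
elsewhere. The version-tuple caveat matters in practice: LibreSSL reports
itself as 2.0.0 through <code class="docutils literal notranslate"><span class="pre">ssl.OPENSSL_VERSION_INFO</span></code>, so a
check that only compares numbers would wave it through.</p>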
</section>
<section id="libressl-support">
<h3><a class="toc-backref" href="#libressl-support" role="doc-backlink">LibreSSL support</a></h3>
<p>LibreSSL is a fork of OpenSSL. The fork was created off OpenSSL 1.0.1g by
members of the OpenBSD team in 2014 in light of the Heartbleed vulnerability.
Since its inception, several features deemed problematic or insecure have been
removed (SSL 2.0, SSL 3.0) or replaced (an improved CPRNG), and others have
been backported from OpenSSL and BoringSSL.</p>
<p>At the moment LibreSSL is not fully API compatible with OpenSSL 1.1.1. The
latest release, LibreSSL 3.3.2, is missing features and behaves differently
in some cases. Notable missing or incompatible features include</p>
<ul class="simple">
<li>SHA-3, SHAKE, BLAKE2</li>
<li><code class="docutils literal notranslate"><span class="pre">SSL_CERT_*</span></code> environment variables</li>
<li>security level APIs</li>
<li>session handling APIs</li>
<li>key logging API</li>
<li>verified cert chain APIs</li>
<li>OPENSSL_VERSION macro</li>
</ul>
<p>This PEP proposes to remove any and all LibreSSL related workarounds from
Python. Python will not actively prohibit LibreSSL with configure or
compile-time checks, but it will not accept patches that add non-trivial
workarounds or disable tests either.</p>
</section>
<section id="id12">
<h3><a class="toc-backref" href="#id12" role="doc-backlink">BoringSSL</a></h3>
<p>There are currently no plans to support BoringSSL.</p>
</section>
</section>
<section id="rejected-ideas">
<h2><a class="toc-backref" href="#rejected-ideas" role="doc-backlink">Rejected Ideas</a></h2>
<section id="formalize-supported-openssl-versions">
<h3><a class="toc-backref" href="#formalize-supported-openssl-versions" role="doc-backlink">Formalize supported OpenSSL versions</a></h3>
<p>This PEP does not provide a set of formal rules and conditions under which
an OpenSSL version is supported.</p>
<p>In general Python aims to be compatible with commonly used and officially
supported OpenSSL versions. Patch releases of Python may not be compatible
with new major releases of OpenSSL. Users should not expect that a new major
or minor release of Python works with an OpenSSL version that is past its
end-of-lifetime. Python core development may backport fixes for new releases
or extend compatibility with EOLed releases as we see fit.</p>
<p>The new ABI stability and LTS policies of OpenSSL <a class="footnote-reference brackets" href="#id23" id="id13">[9]</a> should help, too.</p>
</section>
<section id="keep-support-for-openssl-1-1-0">
<h3><a class="toc-backref" href="#keep-support-for-openssl-1-1-0" role="doc-backlink">Keep support for OpenSSL 1.1.0</a></h3>
<p>It was suggested to keep support for OpenSSL 1.1.0 for compatibility with
Debian 9 (Stretch). The proposal was rejected since it would complicate code
cleanup and testing. Stretch is already out of regular security support and
close to the end of long-term support. By the time of the Python 3.10 final
release, Debian Buster and Debian Bullseye will be available.</p>
<p>Instead Python 3.10 will gain additional documentation and a new
<code class="docutils literal notranslate"><span class="pre">configure</span></code> option <code class="docutils literal notranslate"><span class="pre">--with-openssl-rpath=auto</span></code> to simplify use of custom
OpenSSL builds <a class="footnote-reference brackets" href="#id25" id="id14">[11]</a>.</p>
</section>
</section>
<section id="backwards-compatibility">
<h2><a class="toc-backref" href="#backwards-compatibility" role="doc-backlink">Backwards Compatibility</a></h2>
<p>Python 3.10 will no longer support TLS/SSL and fast hashing on platforms
with OpenSSL 1.0.2 or LibreSSL. The first draft of this PEP was published at
the beginning of the 3.10 release cycle to give vendors like Linux
distributors or CI providers sufficient time to plan.</p>
<p>Python's internal copy of the <em>Keccak Code Package</em> and the internal
<code class="docutils literal notranslate"><span class="pre">_sha3</span></code> module will be removed. This will reduce source code size by
about 280kB and compiled code size by roughly 0.5MB. <code class="docutils literal notranslate"><span class="pre">hashlib</span></code> will then rely
solely on OpenSSL's SHA-3 implementation. SHA-3 and SHAKE will no longer be available
without OpenSSL.</p>
</section>
<section id="disclaimer-and-special-thanks">
<h2><a class="toc-backref" href="#disclaimer-and-special-thanks" role="doc-backlink">Disclaimer and special thanks</a></h2>
<p>The author of this PEP is a contributor to the OpenSSL project and is employed by
a major Linux distributor that uses OpenSSL.</p>
<p>Thanks to Alex Gaynor, Gregory P. Smith, Nathaniel J. Smith, Paul Kehrer,
and Seth Larson for their review and feedback on the initial draft.</p>
</section>
<section id="references">
<h2><a class="toc-backref" href="#references" role="doc-backlink">References</a></h2>
<aside class="footnote-list brackets">
<aside class="footnote brackets" id="id15" role="doc-footnote">
<dt class="label" id="id15">[<a href="#id2">1</a>]</dt>
<dd><a class="reference external" href="https://distrowatch.com/">https://distrowatch.com/</a></aside>
<aside class="footnote brackets" id="id16" role="doc-footnote">
<dt class="label" id="id16">[<a href="#id11">2</a>]</dt>
<dd><a class="reference external" href="https://github.com/libressl-portable/portable/issues/455">https://github.com/libressl-portable/portable/issues/455</a></aside>
<aside class="footnote brackets" id="id17" role="doc-footnote">
<dt class="label" id="id17">[<a href="#id5">3</a>]</dt>
<dd><a class="reference external" href="https://hardenedbsd.org/article/shawn-webb/2018-04-30/hardenedbsd-switching-back-openssl">https://hardenedbsd.org/article/shawn-webb/2018-04-30/hardenedbsd-switching-back-openssl</a></aside>
<aside class="footnote brackets" id="id18" role="doc-footnote">
<dt class="label" id="id18">[<a href="#id3">4</a>]</dt>
<dd><a class="reference external" href="https://lists.alpinelinux.org/~alpine/devel/%3CCA%2BT2pCGFeh30aEi43hAvJ3yoHBijABy_U62wfjhVmf3FmbNUUg%40mail.gmail.com%3E">https://lists.alpinelinux.org/~alpine/devel/%3CCA%2BT2pCGFeh30aEi43hAvJ3yoHBijABy_U62wfjhVmf3FmbNUUg%40mail.gmail.com%3E</a></aside>
<aside class="footnote brackets" id="id19" role="doc-footnote">
<dt class="label" id="id19">[<a href="#id6">5</a>]</dt>
<dd><a class="reference external" href="https://voidlinux.org/news/2021/02/OpenSSL.html">https://voidlinux.org/news/2021/02/OpenSSL.html</a></aside>
<aside class="footnote brackets" id="id20" role="doc-footnote">
<dt class="label" id="id20">[<a href="#id10">6</a>]</dt>
<dd><a class="reference external" href="https://forums.swift.org/t/rfc-moving-swiftnio-ssl-to-boringssl/18280">https://forums.swift.org/t/rfc-moving-swiftnio-ssl-to-boringssl/18280</a></aside>
<aside class="footnote brackets" id="id21" role="doc-footnote">
<dt class="label" id="id21">[<a href="#id9">7</a>]</dt>
<dd><a class="reference external" href="https://openports.se/security/openssl/1.1">https://openports.se/security/openssl/1.1</a></aside>
<aside class="footnote brackets" id="id22" role="doc-footnote">
<dt class="label" id="id22">[<a href="#id7">8</a>]</dt>
<dd><a class="reference external" href="https://www.openssl.org/docs/OpenSSL300Design.html">https://www.openssl.org/docs/OpenSSL300Design.html</a></aside>
<aside class="footnote brackets" id="id23" role="doc-footnote">
<dt class="label" id="id23">[9]<em> (<a href='#id1'>1</a>, <a href='#id13'>2</a>) </em></dt>
<dd><a class="reference external" href="https://www.openssl.org/policies/releasestrat.html">https://www.openssl.org/policies/releasestrat.html</a></aside>
<aside class="footnote brackets" id="id24" role="doc-footnote">
<dt class="label" id="id24">[10]<em> (<a href='#id4'>1</a>, <a href='#id8'>2</a>) </em></dt>
<dd><a class="reference external" href="https://www.gentoo.org/support/news-items/2021-01-05-libressl-support-discontinued.html">https://www.gentoo.org/support/news-items/2021-01-05-libressl-support-discontinued.html</a></aside>
<aside class="footnote brackets" id="id25" role="doc-footnote">
<dt class="label" id="id25">[<a href="#id14">11</a>]</dt>
<dd><a class="reference external" href="https://bugs.python.org/issue43466">https://bugs.python.org/issue43466</a></aside>
</aside>
</section>
<section id="copyright">
<h2><a class="toc-backref" href="#copyright" role="doc-backlink">Copyright</a></h2>
<p>This document is placed in the public domain or under the
CC0-1.0-Universal license, whichever is more permissive.</p>
</section>
</section>
<hr class="docutils" />
<p>Source: <a class="reference external" href="https://github.com/python/peps/blob/main/peps/pep-0644.rst">https://github.com/python/peps/blob/main/peps/pep-0644.rst</a></p>
<p>Last modified: <a class="reference external" href="https://github.com/python/peps/commits/main/peps/pep-0644.rst">2023-09-09 17:39:29 GMT</a></p>
</article>
<nav id="pep-sidebar">
<h2>Contents</h2>
<ul>
<li><a class="reference internal" href="#abstract">Abstract</a></li>
<li><a class="reference internal" href="#motivation">Motivation</a></li>
<li><a class="reference internal" href="#impact">Impact</a><ul>
<li><a class="reference internal" href="#openssl-1-0-2-lts">OpenSSL 1.0.2 LTS</a></li>
<li><a class="reference internal" href="#openssl-1-1-0">OpenSSL 1.1.0</a></li>
<li><a class="reference internal" href="#openssl-1-1-1-lts">OpenSSL 1.1.1 LTS</a></li>
<li><a class="reference internal" href="#openssl-3-0-0">OpenSSL 3.0.0</a></li>
<li><a class="reference internal" href="#libressl">LibreSSL</a></li>
<li><a class="reference internal" href="#boringssl">BoringSSL</a></li>
</ul>
</li>
<li><a class="reference internal" href="#benefits">Benefits</a><ul>
<li><a class="reference internal" href="#tls-1-3">TLS 1.3</a></li>
<li><a class="reference internal" href="#thread-and-fork-safety">Thread and fork safety</a></li>
<li><a class="reference internal" href="#sha-3">SHA-3</a></li>
</ul>
</li>
<li><a class="reference internal" href="#compatibility">Compatibility</a><ul>
<li><a class="reference internal" href="#openssl-downstream-patches-and-options">OpenSSL downstream patches and options</a></li>
<li><a class="reference internal" href="#libressl-support">LibreSSL support</a></li>
<li><a class="reference internal" href="#id12">BoringSSL</a></li>
</ul>
</li>
<li><a class="reference internal" href="#rejected-ideas">Rejected Ideas</a><ul>
<li><a class="reference internal" href="#formalize-supported-openssl-versions">Formalize supported OpenSSL versions</a></li>
<li><a class="reference internal" href="#keep-support-for-openssl-1-1-0">Keep support for OpenSSL 1.1.0</a></li>
</ul>
</li>
<li><a class="reference internal" href="#backwards-compatibility">Backwards Compatibility</a></li>
<li><a class="reference internal" href="#disclaimer-and-special-thanks">Disclaimer and special thanks</a></li>
<li><a class="reference internal" href="#references">References</a></li>
<li><a class="reference internal" href="#copyright">Copyright</a></li>
</ul>
<br>
<a id="source" href="https://github.com/python/peps/blob/main/peps/pep-0644.rst">Page Source (GitHub)</a>
</nav>
</section>
<script src="../_static/colour_scheme.js"></script>
<script src="../_static/wrap_tables.js"></script>
<script src="../_static/sticky_banner.js"></script>
</body>
</html>