Python Language Summit: ssl module update 2019

Christian Heimes

May 01, 2019

Transcript

  1. OpenSSL version

     OpenSSL release strategy / EOL
     • 1.0.2: 2019-12-31
     • 1.1.0: 2019-09-11
     • 1.1.1: 2023-09-11

     Python
     • no action required for 2.7 to 3.6
     • 3.7: update Windows / macOS to 1.1.1 (TLS 1.3 support)
  2. Deprecate TLS 1.1 and earlier (PEP is WIP)

     • Disabled in recent Linux distros (Debian, RHEL 8)
     • Major browsers remove TLS 1.0/1.1 in March 2020
       • Chrome, Edge, Firefox, IE, Safari, ...
     • Python 3.8
       • minimum version TLS 1.2
       • document as "may not work"
       • deprecate all constants SSL 2.0 - TLS 1.1
     • Python 3.9
       • Remove everything

     TLS 1.2 came out in 2008
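The TLS 1.2 floor proposed above for Python 3.8 can be applied today on any 3.7+ interpreter through SSLContext.minimum_version, instead of the per-version PROTOCOL_* and OP_NO_* constants that are slated for deprecation. The block below is an added example, not code from the talk or from CPython: a hardened client context next to a legacy-style one that accepts whatever the linked OpenSSL still offers, plus an audit helper whose checks (protocol floor, peer verification, hostname checking) are my own choice of policy.

```python
"""Enforce and audit a TLS 1.2 protocol floor on an ssl.SSLContext.

Added example for the deprecation discussion above; not code from the talk
or from CPython.
"""
import ssl

FLOOR = ssl.TLSVersion.TLSv1_2


def make_client_context(minimum: ssl.TLSVersion = FLOOR) -> ssl.SSLContext:
    """Client context with an explicit protocol floor.

    SSLContext.minimum_version / maximum_version (3.7+) express the policy
    directly and replace the per-version PROTOCOL_* and OP_NO_* constants the
    slide proposes to deprecate. Setting the floor explicitly keeps the policy
    independent of whatever default the running interpreter applies.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = minimum
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # let TLS 1.3 negotiate
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """The 'before' state: accept whatever the linked OpenSSL still offers.

    MINIMUM_SUPPORTED removes the floor, so TLS 1.0/1.1 are negotiable if the
    library and the distro's crypto policy still allow them.
    """
    return make_client_context(ssl.TLSVersion.MINIMUM_SUPPORTED)


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Check a context against the policy; the checks themselves are my choice."""
    findings = {
        "min_version": ctx.minimum_version.name,
        "floor_is_tls12": ctx.minimum_version >= FLOOR,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "tls13_available": ssl.HAS_TLSv1_3,  # informational: depends on the linked OpenSSL
    }
    findings["ok"] = all(
        findings[k] for k in ("floor_is_tls12", "verifies_peer", "checks_hostname")
    )
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()), ("legacy", make_legacy_context())):
        print(name, audit_context(ctx))
```

Run the audit against every context your application hands to `wrap_socket()`, urllib or an HTTP client; a context that reports `floor_is_tls12: False` is exactly the configuration that stops working once the constants are removed in 3.9 and that the distro policies on the slide already reject.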
  3. Fix root CA issue

     • ssl.create_default_context()
       • OK on Linux/BSD with platform OpenSSL
       • Broken on Linux/BSD with self-compiled OpenSSL (wheel, Anaconda)
       • Partly broken on Windows
       • Broken on macOS (certifi)
     • IMHO (!!!) broken in requests, pip, twine, ...
       • They use certifi instead of ssl.create_default_context()
  4. Proposed fix: use platform trust store

     • Fix SSL_CERT_FILE env var ("broken" in LibreSSL)
     • Detect known paths on Linux/BSD
     • Maybe use freedesktop.org p11-kit (PKCS#11)
     • Use platform's chain building and verification mechanism
       • Windows: CertGetCertificateChain(), CertVerifyCertificateChainPolicy()
       • macOS: SecTrustEvaluate()
     • Golang, Chrome browser, PHP use these approaches

     Open Table?
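Two of the items above, honouring SSL_CERT_FILE explicitly and probing known bundle paths on Linux/BSD, can be prototyped in pure Python, and the same helper doubles as a diagnostic for the empty-trust-store symptom from the previous slide. The block below is an added example, not code from the talk or from CPython: select_ca_bundle() and load_platform_trust() implement the probe (the candidate path list is an assumption modelled on the locations Go's crypto/x509 checks; adjust it for your systems), and trust_store_report() inspects ssl.get_default_verify_paths() and SSLContext.cert_store_stats(). The platform chain-building calls (CertGetCertificateChain, SecTrustEvaluate) are not covered; on Windows and macOS the code falls back to load_default_certs().

```python
"""Probe and report the CA trust store an ssl.SSLContext will verify against.

Added example for the root-CA discussion above; not code from the talk or
from CPython.
"""
import os
import ssl
from typing import Callable, Mapping, Optional, Sequence

# Candidate CA bundle locations on Linux/BSD, probed in order. This list is an
# assumption modelled on the locations Go's crypto/x509 checks; extend it for
# the distributions you deploy to.
KNOWN_CA_BUNDLES: Sequence[str] = (
    "/etc/ssl/certs/ca-certificates.crt",                 # Debian, Ubuntu, Gentoo
    "/etc/pki/tls/certs/ca-bundle.crt",                   # Fedora, RHEL 6
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",  # CentOS, RHEL 7+
    "/etc/ssl/ca-bundle.pem",                             # openSUSE
    "/etc/ssl/cert.pem",                                  # Alpine, OpenBSD
    "/usr/local/etc/ssl/cert.pem",                        # FreeBSD
    "/usr/local/share/certs/ca-root-nss.crt",             # FreeBSD ca_root_nss port
)


def select_ca_bundle(
    environ: Mapping[str, str] = os.environ,
    exists: Callable[[str], bool] = os.path.exists,
    candidates: Sequence[str] = KNOWN_CA_BUNDLES,
) -> Optional[str]:
    """Return the CA bundle path to load, or None to fall back to OpenSSL defaults.

    SSL_CERT_FILE is read here in Python instead of relying on libssl to honour
    it, so the override also works on builds that ignore the variable, and a
    stale value raises instead of silently yielding an empty store (which would
    make every verification fail with a misleading CA error).
    """
    override = environ.get("SSL_CERT_FILE")
    if override:
        if not exists(override):
            raise FileNotFoundError(f"SSL_CERT_FILE points to a missing file: {override}")
        return override
    for path in candidates:
        if exists(path):
            return path
    return None


def load_platform_trust(ctx: ssl.SSLContext) -> Optional[str]:
    """Load CA certificates into ctx; returns the bundle used, or None for the default path."""
    bundle = select_ca_bundle()
    if bundle is None:
        # Windows store / macOS keychain / compiled-in OpenSSL paths.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=bundle)
    return bundle


def trust_store_report(ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Summarise where this OpenSSL looks for CAs and how many ctx has loaded.

    empty == True on a verifying context you expected to be populated is the
    "broken" state from the slide: every peer certificate will be rejected.
    """
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # fresh, nothing loaded yet
    paths = ssl.get_default_verify_paths()
    stats = ctx.cert_store_stats()
    return {
        "cafile_env": paths.openssl_cafile_env,  # normally "SSL_CERT_FILE"
        "cafile": paths.cafile,                  # None if the compiled-in file is absent
        "capath": paths.capath,                  # None if the compiled-in dir is absent
        "x509_ca": stats["x509_ca"],
        "empty": stats["x509_ca"] == 0,
    }


if __name__ == "__main__":
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("before:", trust_store_report(context))
    print("bundle:", load_platform_trust(context))
    print("after: ", trust_store_report(context))
```

On a self-compiled OpenSSL (the wheel/Anaconda case) `cafile` and `capath` in the report are typically None because the compiled-in directory does not exist on the host, which is why `create_default_context()` ends up with zero CAs there; the probe repairs that on Linux/BSD, while Windows and macOS still need the platform verifier the slide proposes.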
  5. PEP 543 – Unified TLS API for Python

     • Simplified and unified API around TLS/SSL libraries
       • OpenSSL
       • SecureTransport
       • SChannel

     Paul Kehrer (PyCA Cryptography) and I will hack on PEP 543 during sprints.