Slide 1

ssl module updates 2019
Python Language Summit
Christian Heimes, [email protected]
2019-05-01

Slide 2

OpenSSL version

OpenSSL release strategy / EOL
● 1.0.2: 2019-12-31
● 1.1.0: 2019-09-11
● 1.1.1: 2023-09-11

Python
● no action required for 2.7 to 3.6
● 3.7: update Windows / macOS to 1.1.1 (TLS 1.3 support)

Slide 3

Deprecate TLS 1.1 and earlier (PEP is WIP)
● Disabled in recent Linux distros (Debian, RHEL 8)
● Major browsers remove TLS 1.0/1.1 in March 2020
  ● Chrome, Edge, Firefox, IE, Safari, ...
● Python 3.8
  ● minimum version TLS 1.2
  ● document as “may not work”
  ● deprecate all constants SSL 2.0 - TLS 1.1
● Python 3.9
  ● Remove everything

TLS 1.2 came out in 2008

Slide 4

Fix root CA issue
● ssl.create_default_context()
  ● OK on Linux/BSD with platform OpenSSL
  ● Broken on Linux/BSD with self-compiled OpenSSL (wheel, Anaconda)
  ● Partly broken on Windows
  ● Broken on macOS (certifi)
● IMHO (!!!) broken in requests, pip, twine, …
  ● They use certifi instead of ssl.create_default_context()

Slide 5

Proposed fix: use platform trust store
● Fix SSL_CERT_FILE env var (“broken” in LibreSSL)
● Detect known paths on Linux/BSD
● Maybe use freedesktop.org p11-kit (PKCS#11)
● Use platform's chain building and verification mechanism
  ● Windows: CertGetCertificateChain(), CertVerifyCertificateChainPolicy()
  ● macOS: SecTrustEvaluate()
● Golang, Chrome browser, PHP use these approaches

Open Table?
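Added example, not from the talk: a Python 3.7+ client context with the TLS 1.2 floor slide 3 proposes for 3.8, plus a check of what ssl.create_default_context() actually loaded from OpenSSL's compiled-in paths and the SSL_CERT_FILE / SSL_CERT_DIR variables, which is how the "root CA issue" on self-compiled OpenSSL shows up (an empty store, so every verified connection fails). The function names are my own; everything else is the stdlib ssl API.

```python
import os
import ssl


def hardened_client_context():
    """Default client context (CERT_REQUIRED, hostname check on) with a TLS 1.2 floor.

    Setting minimum_version is what the slide's "minimum version TLS 1.2" means in
    practice: SSL 3.0, TLS 1.0 and TLS 1.1 handshakes are refused by this context.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def trust_store_report(ctx):
    """Describe where this OpenSSL build looks for CA certs and how many it found.

    get_default_verify_paths() returns None for cafile/capath when the compiled-in
    location does not exist on this machine, which is the self-compiled OpenSSL
    (wheel, Anaconda) failure from the "root CA issue" slide.
    """
    paths = ssl.get_default_verify_paths()
    stats = ctx.cert_store_stats()  # {'x509': n, 'crl': n, 'x509_ca': n}
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "cafile": paths.cafile,
        "capath": paths.capath,
        "cafile_env": os.environ.get(paths.openssl_cafile_env),  # usually SSL_CERT_FILE
        "capath_env": os.environ.get(paths.openssl_capath_env),  # usually SSL_CERT_DIR
        "ca_certs_loaded": stats["x509_ca"],
        "minimum_version": ctx.minimum_version.name,
    }


def trust_store_is_usable(ctx):
    """True when at least one CA certificate is loaded; False means the
    "OK on platform OpenSSL / broken with self-compiled OpenSSL" case."""
    return ctx.cert_store_stats()["x509_ca"] > 0


if __name__ == "__main__":
    context = hardened_client_context()
    for key, value in trust_store_report(context).items():
        print(f"{key}: {value}")
    print("trust store usable:", trust_store_is_usable(context))
```

Run it inside the interpreter you are diagnosing (venv, wheel build, Anaconda); a report with cafile and capath both None and ca_certs_loaded 0 is the broken case, and pointing SSL_CERT_FILE at the distro bundle is the workaround the "Fix SSL_CERT_FILE env var" bullet refers to.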

Slide 6

PEP 543 – Unified TLS API for Python
● Simplified and unified API around TLS/SSL libraries
  ● OpenSSL
  ● SecureTransport
  ● SChannel

Paul Kehrer (PyCA Cryptography) and I will hack on PEP 543 during sprints.