(PEP is WIP)
• Disabled in recent Linux distros (Debian, RHEL 8)
• Major browsers remove TLS 1.0/1.1 in March 2020
  • Chrome, Edge, Firefox, IE, Safari, ...
• Python 3.8
  • minimum version TLS 1.2
  • document as “may not work”
  • deprecate all constants SSL 2.0 - TLS 1.1
• Python 3.9
  • Remove everything
TLS 1.2 came out in 2008
ssl.create_default_context()
• OK on Linux/BSD with platform OpenSSL
• Broken on Linux/BSD with self-compiled OpenSSL (wheel, Anaconda)
• Partly broken on Windows
• Broken on macOS (certifi)
• IMHO (!!!) broken in requests, pip, twine, …
  • They use certifi instead of ssl.create_default_context()
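A diagnostic for the two points above, added here and not code from the slides: it builds a default context that refuses anything below TLS 1.2 (the Python 3.8 minimum) and reports whether this interpreter's OpenSSL actually found a CA store, which is exactly what goes wrong with a self-compiled OpenSSL whose compiled-in paths do not exist on the machine.

```python
import os
import ssl


def make_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Default context (CERT_REQUIRED, hostname checking) with TLS < 1.2 refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version  # reject SSL 2.0/3.0 and TLS 1.0/1.1
    return ctx


def diagnose_trust_store(ctx):
    """Where this OpenSSL build looks for CA certs, and whether it found any.

    get_default_verify_paths() returns the compiled-in locations and the
    resolved ones (None when the compiled-in path does not exist).  A context
    that reports 0 loaded CA certs will fail every verified connection.
    """
    paths = ssl.get_default_verify_paths()
    stats = ctx.cert_store_stats()
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "compiled_in_cafile": paths.openssl_cafile,
        "resolved_cafile": paths.cafile,   # None if compiled-in file is absent
        "compiled_in_capath": paths.openssl_capath,
        "resolved_capath": paths.capath,   # None if compiled-in dir is absent
        "env_cafile": os.environ.get(paths.openssl_cafile_env),  # SSL_CERT_FILE
        "env_capath": os.environ.get(paths.openssl_capath_env),  # SSL_CERT_DIR
        "loaded_ca_certs": stats["x509_ca"],
    }


def trust_store_is_usable(ctx):
    """True only if the context loaded at least one CA certificate."""
    return ctx.cert_store_stats()["x509_ca"] > 0


if __name__ == "__main__":
    ctx = make_context()
    for key, value in diagnose_trust_store(ctx).items():
        print(f"{key:20} {value}")
    if not trust_store_is_usable(ctx):
        print("no CA certificates loaded: this is the 'broken' case")
```

Run it under the interpreter you actually deploy (venv, wheel-built OpenSSL, Anaconda), not only the distro Python, since that is where the compiled-in paths diverge from the system store.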
store
• Fix SSL_CERT_FILE env var (“broken” in LibreSSL)
• Detect known paths on Linux/BSD
• Maybe use freedesktop.org p11-kit (PKCS#11)
• Use platform's chain building and verification mechanism
  • Windows: CertGetCertificateChain(), CertVerifyCertificateChainPolicy()
  • macOS: SecTrustEvaluate()
  • Golang, Chrome browser, PHP use these approaches
Open Table?
API for Python
• Simplified and unified API around TLS/SSL libraries
  • OpenSSL
  • SecureTransport
  • SChannel
Paul Kehrer (PyCA Cryptography) and I will hack on PEP 543 during sprints.