Hi all, I'd like to propose we deprecate support for OpenSSL 0.9.8 in our next release, and remove support in the release after (we already emit warnings in our current release, so this is consistent with our schedule).
Rationale: OpenSSL 0.9.8 is old, does not support modern web security (e.g. no TLS 1.2), and supporting it adds complexity, in the form of hundreds of additional lines of code and configuration options.

Supporting data: As of pip 8 (released this week, already used for something like 1/3 of PyPI downloads), the user agent of pip includes the system's OpenSSL version. Looking at the data (excluding Windows and OS X, since on those platforms we include OpenSSL 1.0.2 in our wheels), the overall distribution is:

Indicating that OpenSSL 0.9.8 on Linux represents less than 1% of all installations.

Looking at per-package data, here are the percent of downloads using OpenSSL 0.9.8 for some relevant packages:

- unidecode: 7.6% (This is the package with the highest percent of 0.9.8 users)
- rsa: 3.3%
- pyasn1: 2.2%
- requests: 1.6%
- pycrypto: 0.8%
- pip: 0.6%
- pyopenssl: 0.4%
- letsencrypt-apache: 0.3%
- cryptography: 0.3%

I think these numbers are low enough that we can safely drop OpenSSL 0.9.8 support.

Platforms specifically known to be affected:

- RHEL/CentOS 5 and older
- Debian Squeeze (based on OpenSSL version, this is where most of the affected users will be).

Thoughts? Will you be affected by this?

Alex

-- 
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
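An added example, not code from Alex's post, of the kind of tally the supporting data rests on: it pulls the OpenSSL version out of pip 8 user agents in a download log and computes the per-package share of 0.9.8, skipping Windows and OS X as the post does. The log lines are constructed, and the user-agent layout (`pip/<version>` followed by compact JSON with `openssl_version` and `system.name` keys) is assumed from pip's own format.

```python
"""Per-package share of downloads reporting a legacy OpenSSL, from pip user agents.

Assumes the pip >= 6 user-agent layout "pip/<version> <compact JSON>"; the
log lines below are constructed for illustration, not real PyPI data.
"""
import json
import re
from collections import Counter

UA_RE = re.compile(r"^pip/(?P<pip>\S+)\s+(?P<meta>\{.*\})$")

# Constructed sample: (package, user-agent) pairs as a download log might carry.
SAMPLE_LOG = [
    ("requests", 'pip/8.0.0 {"openssl_version":"OpenSSL 1.0.1e-fips 11 Feb 2013","system":{"name":"Linux"}}'),
    ("requests", 'pip/8.0.0 {"openssl_version":"OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008","system":{"name":"Linux"}}'),
    ("requests", 'pip/8.0.0 {"openssl_version":"OpenSSL 0.9.8zg 14 July 2015","system":{"name":"Darwin"}}'),
    ("requests", 'pip/8.0.0 {"openssl_version":"OpenSSL 1.0.2d 9 Jul 2015","system":{"name":"Windows"}}'),
    ("requests", 'pip/8.0.0 {"openssl_version":"OpenSSL 1.0.1t  3 May 2016","system":{"name":"Linux"}}'),
    ("rsa", 'pip/7.1.2 {"openssl_version":"OpenSSL 0.9.8o 01 Jun 2010","system":{"name":"Linux"}}'),
    ("rsa", 'pip/8.0.0 {"openssl_version":"OpenSSL 1.0.1k 8 Jan 2015","system":{"name":"Linux"}}'),
    ("rsa", "pip/1.5.6 CPython/2.7.6 Linux/3.13.0-generic"),  # pre-JSON UA: no OpenSSL data
]

def parse_openssl(user_agent):
    """Return (system name, OpenSSL major.minor.patch) or None when the UA lacks it."""
    m = UA_RE.match(user_agent)
    if not m:
        return None
    try:
        meta = json.loads(m.group("meta"))
    except ValueError:
        return None
    # "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" -> "0.9.8"
    vm = re.match(r"OpenSSL (\d+\.\d+\.\d+)", meta.get("openssl_version") or "")
    if not vm:
        return None
    return meta.get("system", {}).get("name", ""), vm.group(1)

def legacy_share(log, legacy="0.9.8", skip_systems=("Windows", "Darwin")):
    """Percent of downloads per package on `legacy`, excluding platforms whose
    wheels bundle their own OpenSSL (as the post excludes Windows and OS X)."""
    total, hits = Counter(), Counter()
    for package, ua in log:
        parsed = parse_openssl(ua)
        if parsed is None or parsed[0] in skip_systems:
            continue  # unparseable or bundled-OpenSSL platform: not counted
        total[package] += 1
        if parsed[1] == legacy:
            hits[package] += 1
    return {pkg: round(100.0 * hits[pkg] / total[pkg], 1) for pkg in total}
```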