On OS X and Windows we distribute a Cryptography wheel which includes OpenSSL 0.9.8.
Alex On Fri, Jan 22, 2016 at 5:19 PM, Ron Frederick <r...@timeheart.net> wrote: > What impact will this have on MacOS systems? Even the latest MacOS El > Capitan (10.11.3) is still back on OpenSSL 0.9.8zg from 14 July 2015 for > the /usr/bin/openssl binary. They ship with a version of libressl for use > by OpenSSH (OpenSSH_6.9p1, LibreSSL 2.1.8), but I don’t know if that > library is available for other applications or libraries to use. > > On Jan 22, 2016, at 1:58 PM, Alex Gaynor <alex.gay...@gmail.com> wrote: > > Hi all, > > I'd like to propose we deprecate support for OpenSSL 0.9.8 in our next > release, and remove support in the release after (we already emit warnings > in our current release, so this is consistent with our schedule). > > Rationale: OpenSSL 0.9.8 is old, does not support modern web security > (e.g. no TLS 1.2), and supporting it adds complexity, in the form of > hundreds of additional lines of code and configuration options. > > Supporting data: As of pip 8 (released this week, already used for > something like 1/3 of PyPI downloads), the user agent of pip includes the > system's OpenSSL version. Looking at the data (excluding Windows and OS X, > since on those platforms we include OpenSSL 1.0.2 in our wheels). The > overall distribution is: > > > > Indicating that OpenSSL 0.9.8 on Linux repersents less than 1% of all > installations. > > Looking at per-package data, here are the percent of downloads using > OpenSSL 0.9.8 for some relevant packages: > > - unidecode: 7.6% (This is the package with the highest percent of 0.9.8 > users) > - rsa: 3.3% > - pyasn1: 2.2% > - requests: 1.6% > - pycrypto: 0.8% > - pip: 0.6% > - pyopenssl: 0.4% > - letsencrypt-apache: 0.3% > - cryptography: 0.3% > > > I think these numbers are low enough that we can safely drop OpenSSL 0.9.8 > support. > > Platforms specifically known to be affected: > - RHEL/CentOS 5 and older > - Debian Squeeze (baed on OpenSSL version, this is where most of the > affected users will be). > > > Thoughts? Will you be affected by this? > Alex > > -- > "I disapprove of what you say, but I will defend to the death your right > to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) > "The people's good is the highest law." -- Cicero > GPG Key fingerprint: 125F 5C67 DFE9 4084 > > -- > Ron Frederick > r...@timeheart.net > > > > > _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev@python.org > https://mail.python.org/mailman/listinfo/cryptography-dev > > -- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: 125F 5C67 DFE9 4084
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
