Gotcha, thanks. On my OS X system, I have 1.0.2e installed from MacPorts, but I imagine many Mac users don’t.

On Jan 22, 2016, at 2:21 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:
> Uhhh, sorry, which includes OpenSSL *1.0.2*.
>
> Alex
>
> On Fri, Jan 22, 2016 at 5:21 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:
> On OS X and Windows we distribute a Cryptography wheel which includes OpenSSL
> 0.9.8.
>
> Alex
>
> On Fri, Jan 22, 2016 at 5:19 PM, Ron Frederick <r...@timeheart.net> wrote:
> What impact will this have on MacOS systems? Even the latest MacOS El Capitan
> (10.11.3) is still back on OpenSSL 0.9.8zg from 14 July 2015 for the
> /usr/bin/openssl binary. They ship with a version of libressl for use by
> OpenSSH (OpenSSH_6.9p1, LibreSSL 2.1.8), but I don’t know if that library is
> available for other applications or libraries to use.
>
> On Jan 22, 2016, at 1:58 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:
>> Hi all,
>>
>> I'd like to propose we deprecate support for OpenSSL 0.9.8 in our next
>> release, and remove support in the release after (we already emit warnings
>> in our current release, so this is consistent with our schedule).
>>
>> Rationale: OpenSSL 0.9.8 is old, does not support modern web security (e.g.
>> no TLS 1.2), and supporting it adds complexity, in the form of hundreds of
>> additional lines of code and configuration options.
>>
>> Supporting data: As of pip 8 (released this week, already used for something
>> like 1/3 of PyPI downloads), the user agent of pip includes the system's
>> OpenSSL version. Looking at the data (excluding Windows and OS X, since on
>> those platforms we include OpenSSL 1.0.2 in our wheels). The overall
>> distribution is:
>>
>>
>>
>> Indicating that OpenSSL 0.9.8 on Linux represents less than 1% of all
>> installations.
>>
>> Looking at per-package data, here are the percent of downloads using OpenSSL
>> 0.9.8 for some relevant packages:
>>
>> - unidecode: 7.6% (This is the package with the highest percent of 0.9.8 users)
>> - rsa: 3.3%
>> - pyasn1: 2.2%
>> - requests: 1.6%
>> - pycrypto: 0.8%
>> - pip: 0.6%
>> - pyopenssl: 0.4%
>> - letsencrypt-apache: 0.3%
>> - cryptography: 0.3%
>>
>>
>> I think these numbers are low enough that we can safely drop OpenSSL 0.9.8
>> support.
>>
>> Platforms specifically known to be affected:
>> - RHEL/CentOS 5 and older
>> - Debian Squeeze (based on OpenSSL version, this is where most of the
>> affected users will be).
>>
>>
>> Thoughts? Will you be affected by this?
>> Alex
>>
>> --
>> "I disapprove of what you say, but I will defend to the death your right to
>> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law." -- Cicero
>> GPG Key fingerprint: 125F 5C67 DFE9 4084

--
Ron Frederick
r...@timeheart.net
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev