> Hi Richard,
> porting Python 2.7 to openssl 3.0 doesn't really make sense to me.
> 
> We ship Python 2.7 so that developers can test code that needs to work 
> on Python 2.7 in various deployments like old CentOS/RHEL/etc. Fedora 
> aims to be a developer-friendly distro and so we want to provide the 
> tools to do that. Even if it's possible to port Python 2.7 to openssl 
> 3.0 safely with reasonable effort, which I doubt, it would lead to a 
> different Python 2.7, which would no longer work as a testing ground for 
> people developing for old deployments.

Hi Tomáš,

Charalampos pinged me and asked me to look into this thread. For those who are 
not familiar with me, I'm a CPython core developer and primary maintainer of 
the ssl and hashlib module. In the past I have ported Python to OpenSSL 1.1.0 
and OpenSSL 3.0.

At first I also thought that it would be a lot of work to port Python 2.7 to 
OpenSSL 3.0. It turns out that most tests are actually passing. The Debian 
downstream patches address the remaining issue. 

- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-compatibility.diff
  fixes version number comparison and a different representation of IPv6 
  addresses in 3.0.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-data.diff
  fixes error messages. OpenSSL 3.0 uses different error numbers than 1.1.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-load-verify-error.diff
  fixes a problem with error handling when loading certs.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-version.diff
  resolves another issue with version number formats.

All four patches are originally written by me and covered by PSF license.

- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-tests-tlsv1.diff
  changes tests to use the latest TLS version instead of TLS 1.0. The change is 
  based on another upstream change by me.

You also have to disable openssl/opensslv.h parsing in setup.py. The code is 
not clever enough to understand OpenSSL 3.0's opensslv.h.

In my humble opinion this would make Python 2.7 work sufficiently well with 
OpenSSL 3.0. I wouldn't trust it with mission critical production code. But 
it's ok enough for CI. Yes, Python 2.7 with OpenSSL 3.0 will behave differently 
than Python 2.7 with OpenSSL 1.1.1, e.g. some old ciphers and TLS versions may 
not work. But that's ok. Nobody should use TLS 1.0 in 2022 any more.

Anyhow it is still too early to drop openssl1.1-devel in Fedora 37. I recommend 
to mark it as deprecated in F37 and drop it in a later release.

Christian
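As an added illustration (not from this thread and not CPython's own setup.py code), the header-parsing problem Christian mentions: a 1.1.x opensslv.h carries OPENSSL_VERSION_NUMBER as a hex literal, while 3.0 builds it from the OPENSSL_VERSION_MAJOR/MINOR/PATCH macros, so a parser that only expects a literal finds nothing. The header excerpts below are constructed to mimic the two layouts, the regexes are my own, and the pre-release nibble is assumed to be 0 (a release build).

```python
import re

# Constructed excerpts mimicking the two opensslv.h layouts (not copied from OpenSSL).
OPENSSLV_H_111 = """
# define OPENSSL_VERSION_NUMBER  0x101010bfL
# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k  25 Mar 2021"
"""

OPENSSLV_H_30 = """
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  0
# define OPENSSL_VERSION_PATCH  7
# define OPENSSL_VERSION_NUMBER ( (OPENSSL_VERSION_MAJOR<<28)|(OPENSSL_VERSION_MINOR<<20)|(OPENSSL_VERSION_PATCH<<4)|_OPENSSL_VERSION_PRE_RELEASE )
"""

# Literal form only: this is the kind of pattern that works for 1.1.x and
# silently fails on 3.0, where the macro is an expression, not a literal.
_HEX_NUMBER = re.compile(r'^\s*#\s*define\s+OPENSSL_VERSION_NUMBER\s+(0x[0-9a-fA-F]+)', re.M)
# Component form used by 3.0.
_COMPONENT = re.compile(r'^\s*#\s*define\s+OPENSSL_VERSION_(MAJOR|MINOR|PATCH)\s+(\d+)', re.M)


def openssl_version_number(header_text):
    """Return OPENSSL_VERSION_NUMBER as an int from either header layout.

    1.1.x: taken from the hex literal.  3.x: rebuilt from MAJOR/MINOR/PATCH
    with the same bit layout the 3.0 macro uses (pre-release nibble assumed 0).
    """
    m = _HEX_NUMBER.search(header_text)
    if m:
        return int(m.group(1), 16)
    parts = {name: int(value) for name, value in _COMPONENT.findall(header_text)}
    if set(parts) != {'MAJOR', 'MINOR', 'PATCH'}:
        raise ValueError('unrecognised opensslv.h layout')
    return (parts['MAJOR'] << 28) | (parts['MINOR'] << 20) | (parts['PATCH'] << 4)


def version_info(number):
    """Split a version number into (major, minor, fix, patch, status),
    the same decomposition ssl.OPENSSL_VERSION_INFO exposes."""
    return ((number >> 28) & 0xFF, (number >> 20) & 0xFF, (number >> 12) & 0xFF,
            (number >> 4) & 0xFF, number & 0xF)


if __name__ == '__main__':
    for text in (OPENSSLV_H_111, OPENSSLV_H_30):
        n = openssl_version_number(text)
        print(hex(n), version_info(n))
```

Because both layouts end up as the same integer encoding, a threshold comparison written for 1.1.x (for example "at least 1.1.1") still holds on 3.0 once the number is recovered this way.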
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org