> On Jan 10, 2017, at 3:47 PM, Ned Deily <n...@python.org> wrote:
>
> On Jan 10, 2017, at 15:07, Ronald Oussoren <ronaldousso...@mac.com> wrote:
>>> On 10 Jan 2017, at 21:02, Donald Stufft <don...@stufft.io> wrote:
>>>> On Jan 10, 2017, at 3:01 PM, Ronald Oussoren <ronaldousso...@mac.com> wrote:
>>>>> On 10 Jan 2017, at 14:24, Donald Stufft <don...@stufft.io> wrote:
>>>>> […] Past that, macOS is going to be the largest casualty since their
>>>>> system Python does not support TLSv1.2 yet in any version of their OS.
>>>> Not just the system Python on OSX, this also affects all Python.org
>>>> installers for OSX except 3.6. The 3.6 installer is the first one that
>>>> doesn’t use the system installation of OpenSSL.
>
> That's not quite accurate. The 32-bit-only macOS python.org installers for
> recent 2.7.x and 3.x releases are also linked with a private current set of
> OpenSSL libraries. For 3.6, we no longer supply the 32-bit-only installer
> and the 64-bit/32-bit installer is now linked with the private OpenSSL as you
> note.
>
>>>> Annoyingly with OpenSSL on OSX you have two options: either use an
>>>> up-to-date release or have OpenSSL use the system CA trust store, but not
>>>> both. Sigh…
>
> It would be nice if someone would do the work to figure out whether it is
> feasible to use Apple's own Crypto and TLS API's as apparently libcurl does.

It would be really nice if we could deprecate `ssl` (which has a bunch of OpenSSL specific stuff in it) and add a new `tls` module that served as an implementation agnostic library that would use OpenSSL on *nix, SecureTransport on macOS, and SChannel on Windows. However, in the meantime there are some folks poking to see about making something pip suitable that will enable us to use SecureTransport at least.

>
>>>> I have no idea how many users use the Python.org installers on OSX, but
>>>> this has the potential to affect a largish number of users on OSX
>>>> including newbies (but far from all users on OSX, there’s also a sizeable
>>>> population using Homebrew or Anaconda).
>
> And MacPorts. I don't know about Anaconda but the other two already use
> their own private versions of OpenSSL AFAIK.
>
> --
>   Ned Deily
>   n...@python.org -- []
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig

— Donald Stufft
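Added example, not part of the thread or of any project's code: a way to check whether the TLS library a given Python interpreter is linked against can negotiate TLSv1.2, and which CA sources it uses by default, which are the two properties the thread is concerned with. The function names and sample banners are constructed for illustration; the 1.0.1 threshold is the OpenSSL release that introduced TLS 1.2.

```python
import re
import ssl

# OpenSSL gained TLS 1.1/1.2 in release 1.0.1; 0.9.8 and 1.0.0 stop at TLS 1.0.
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)


def parse_tls_banner(banner):
    """Split a banner shaped like ssl.OPENSSL_VERSION into (library, (x, y, z))."""
    m = re.match(r"(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised TLS library banner: %r" % (banner,))
    return m.group(1), tuple(int(part) for part in m.group(2, 3, 4))


def banner_supports_tls12(banner):
    """True if the library named in the banner is new enough for TLS 1.2."""
    library, version = parse_tls_banner(banner)
    if library == "LibreSSL":
        # LibreSSL was forked from OpenSSL 1.0.1g, so every release has TLS 1.2.
        return True
    return version >= MIN_OPENSSL_FOR_TLS12


def interpreter_report():
    """Describe the TLS library and default CA sources of this interpreter."""
    paths = ssl.get_default_verify_paths()
    return {
        "banner": ssl.OPENSSL_VERSION,
        "tls12": banner_supports_tls12(ssl.OPENSSL_VERSION),
        "cafile": paths.cafile,   # None when no default CA bundle file exists
        "capath": paths.capath,   # None when no default CA directory exists
    }


# Constructed sample banners, not captured from any real system.
SAMPLE_BANNERS = [
    "OpenSSL 0.9.8zh 14 Jan 2016",
    "OpenSSL 1.0.0t 3 Dec 2015",
    "OpenSSL 1.0.2j  26 Sep 2016",
    "LibreSSL 2.2.7",
]

if __name__ == "__main__":
    for sample in SAMPLE_BANNERS:
        print("%-30s TLSv1.2 capable: %s" % (sample, banner_supports_tls12(sample)))
    for key, value in sorted(interpreter_report().items()):
        print("%s: %s" % (key, value))
```

Run it with each interpreter on the machine (system Python, python.org installer, Homebrew, MacPorts) to see which ones are linked against a library too old for TLSv1.2.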