On 03/03/2021 16.06, Senthil Kumaran wrote: > On Tue, Mar 2, 2021 at 8:29 PM Gregory P. Smith <g...@krypto.org> wrote: >> >> For lack of better things to do with that... >> https://bugs.python.org/issue43382 filed to track it. > > Actually, that turned out to be useful. Thank you! > > The discussion with the default minimal level TLS, and way it is > configured in distributions like Ubuntu, Debian, Fedora, and it's > usage with Python is bit _unsettling_ from a users perspective. > OpenSSL, Ubuntu, Python are heavily relied upon pieces of > infrastructure. I wouldn't be surprised if more projects noticed this > problem with the update to Ubuntu 20.02.
Hi, for the record, the issue started when GitHub Actions updated "ubuntu-latest" was updated from 18.04 to 20.04. A user reported a similar issue on BPO last year in August and with Ubuntu last year in October. Only Ubuntu is affected. Debian, standard OpenSSL, and other distros use a different approach set minimum protocol version: https://bugs.python.org/issue41561 https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 PEP 644 (not approved yet) and a soon-to-be-published PEP will hopefully get rid of the problem once and for all. PEP 644 removes support for OpenSSL < 1.1 and the new PEP will remove support for TLS 1.0 and 1.1 from stdlib. https://www.python.org/dev/peps/pep-0644/ By the way, all major distributions disable TLS 1.0 and 1.1. They also set a higher security level to block weak RSA, DH, and signatures. You can find more information about Fedora crypto policies at: https://fedoraproject.org/wiki/Changes/CryptoPolicy https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2 Here are some of my fixes for crypto policies, TLS 1.0/1.1 deprecation, and FIPS: https://bugs.python.org/issue34399 https://bugs.python.org/issue38275 https://bugs.python.org/issue38271 https://bugs.python.org/issue34542 Christian _______________________________________________ python-committers mailing list -- python-committers@python.org To unsubscribe send an email to python-committers-le...@python.org https://mail.python.org/mailman3/lists/python-committers.python.org/ Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/JO3PCRIIG36GW2ZBRCSWUHNBXPUURYUW/ Code of Conduct: https://www.python.org/psf/codeofconduct/
