On 2016-08-30 18:00, Antoine Pitrou wrote:
> On Sun, 28 Aug 2016 22:40:11 +0200
> Christian Heimes <christ...@python.org> wrote:
>>
>> Here is the deal for 2.7 to 3.5:
>>
>> 1) All versions older than 0.9.8 are completely out-of-scope and no
>> longer supported.
>>
>> 2) 0.9.8 is semi-support. Python will still compile and work with 0.9.8.
>> However we do NOT promise that it is secure to run 0.9.8. We also require a
>> recent version. Patch level 0.9.8zc from October 2014 is reasonable
>> because it comes with SCSV fallback (CVE-2014-3566).
>>
>> 3) 1.0.0 is irrelevant. Users are either stuck on 0.9.8 or are able to
>> upgrade to 1.0.1+. Let's not support it.
>>
>> 4) 1.0.1 is discouraged but still supported until its EOL.
>>
>> 5) 1.0.2 is the recommended version.
>>
>> 6) 1.1 support will be added by #26470 soon.
>>
>> 7) LibreSSL 2.3 is supported but with a slightly limited feature set.
>
> Can you expand briefly how "limited" the feature set is? Does it only
> disable some arcane features, so that e.g. asyncio + TLS support works
> fine?
>
> Other than that, it all sounds good to me.

I honestly don't know because I lack the expertise and knowledge.
LibreSSL has removed some features (env vars like SSL_CERT_FILE, ENGINE
support) and added some other features. I cannot tell if stdlib ssl +
LibreSSL is even secure. It probably is *if and only if* LibreSSL is
100% compatible with OpenSSL.

Christian