Hi Jack,
No, I think you're spot on, this is a big problem. Actually, 2.7.9-2.7.12, even
the Python.org ones, are already somewhat broken because they use Apple's
ancient OpenSSL version. All the ciphers supported by that version of OpenSSL
are ones that are regarded as insecure now, so most modern servers, including
big ones like AWS, don't allow them anymore. Because of this you can't even
download a newer OpenSSL from the OpenSSL web site using Python. :(
It surprised me to find that the Python community wasn't really aware of this
problem. For one project I worked on we actually re-coded all our download code
to use the Cocoa HTTPS classes via PyObjC, and this was a couple years back.
Don't know how many others out there have been fighting with it.
Kevin
On 1/10/17, 8:05 AM, "Pythonmac-SIG on behalf of Jack Jansen"
<pythonmac-sig-bounces+kevino=theolliviers....@python.org on behalf of
jack.jan...@cwi.nl> wrote:
I have completely ignored this whole TLS 1.0 versus TLS 1.2 security debate
until know, but just now the following post came in on python-announce, which
seems to suggest that TLS 1.0 is really about to be phased out:
https://mail.python.org/pipermail/python-announce-list/2017-January/011437.html
I think Python 2.7 older that 2.7.13 (i.e. including the apple-shipped
Pythons) don’t support TLS 1.2 by default, which would seem to suggest that
things like pip will stop working as of this summer.
Or am I overreacting?
--
Jack Jansen, <jack.jan...@cwi.nl>, http://www.cwi.nl/~jack
If I can't dance I don't want to be part of your revolution -- Emma Goldman
_______________________________________________
Pythonmac-SIG maillist - Pythonmac-SIG@python.org
https://mail.python.org/mailman/listinfo/pythonmac-sig
unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
_______________________________________________
Pythonmac-SIG maillist - Pythonmac-SIG@python.org
https://mail.python.org/mailman/listinfo/pythonmac-sig
unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
