> On Jan 10, 2017, at 9:21 AM, Kevin Ollivier <kev...@theolliviers.com> wrote:
> 
> Hi Jack,
> 
> No, I think you're spot on, this is a big problem. Actually, 2.7.9-2.7.12, 
> even the Python.org ones, are already somewhat broken because they use 
> Apple's ancient OpenSSL version. All the ciphers supported by that version of 
> OpenSSL are ones that are regarded as insecure now, so most modern servers, 
> including big ones like AWS, don't allow them anymore. Because of this you 
> can't even download a newer OpenSSL from the OpenSSL web site using Python. 
> :( 

Let's remember that the actual end-of-life here is 18 months out.  It would not 
be desirable to "fix" this problem by clinging to TLS 1.0 even longer; Fastly 
is shutting it off for a lot of very good reasons.

In between here and there are a variety of events, including a new OS release 
from Apple.  When it enters beta we can loudly encourage Apple to include new 
and better crypto with Python - that probably does not mean a new 'ssl' module, 
but something more like the new 'tls' module PEP that Cory Benfield has been 
championing (in large part as a response to this).

You can see that discussion here: 
https://mail.python.org/pipermail/security-sig/2017-January/000126.html

Finally, system Python has a lot of issues (unrelated to this, for example, it 
can't be 'dtrace'd, which eliminates a ton of super-useful debugging tools, 
including the OS X equivalent of 'strace'), and I've been gently discouraging 
users from using it for years.  (I say this as an ex- myself.)  Tell users to 
install Python (and PyPy!) from Homebrew, and they will generally have a much 
better time.

If we do nothing, this is going to be a huge disaster.  But the responsible 
people are highly motivated and are quite actively doing things.  If you want 
to make sure users have a good experience, helping them out would definitely be 
advised :).

> It surprised me to find that the Python community wasn't really aware of this 
> problem. For one project I worked on we actually re-coded all our download 
> code to use the Cocoa HTTPS classes via PyObjC, and this was a couple years 
> back. Don't know how many others out there have been fighting with it. 

Cryptography ships with its own OpenSSL, which means you can side-step a lot of 
these issues; install requests[security] and you get better HTTPS.  Or install 
from Homebrew, or python.org, or Anaconda.

-glyph
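A diagnostic for the situation Kevin and Glyph describe, added here as an example rather than code from the thread: it inspects the OpenSSL the running interpreter is linked against and buckets the cipher suites its default context would offer, so a user can tell whether they are on the ancient system build before a download fails. The 1.0.1 threshold for TLS 1.2 and the cipher-name markers are my own assumptions, not figures from the thread.

```python
import ssl

# Assumed facts for the check (not from the thread): TLS 1.2 first appeared in
# OpenSSL 1.0.1, and these name fragments mark suites modern servers dropped.
MIN_TLS12_OPENSSL = (1, 0, 1)
LEGACY_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")
FORWARD_SECRET = ("ECDHE", "DHE", "TLS_AES", "TLS_CHACHA")


def openssl_supports_tls12(version_info):
    """True if an OpenSSL version tuple (shape of ssl.OPENSSL_VERSION_INFO)
    is at least 1.0.1, the first release able to negotiate TLS 1.2."""
    return tuple(version_info[:3]) >= MIN_TLS12_OPENSSL


def classify_cipher(name):
    """Bucket an OpenSSL cipher-suite name: 'legacy' suites are the ones
    modern servers refuse, 'static-rsa' still negotiates but has no forward
    secrecy, 'modern' is what a current server expects to see offered."""
    upper = name.upper()
    if any(marker in upper for marker in LEGACY_MARKERS):
        return "legacy"
    if upper.startswith(FORWARD_SECRET):
        return "modern"
    return "static-rsa"


def interpreter_tls_report():
    """Summarise what the running interpreter's linked OpenSSL can do, so a
    user can see whether they are on the broken system build or on a
    Homebrew / python.org / cryptography-backed one."""
    ctx = ssl.create_default_context()
    offered = [c["name"] for c in ctx.get_ciphers()]   # Python 3.6+
    buckets = {"legacy": [], "static-rsa": [], "modern": []}
    for name in offered:
        buckets[classify_cipher(name)].append(name)
    tls12 = openssl_supports_tls12(ssl.OPENSSL_VERSION_INFO)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls12_capable": tls12,
        "offers_forward_secrecy": bool(buckets["modern"]),
        "cipher_buckets": buckets,
        # No TLS 1.2 at all is exactly the failure mode the thread describes
        # once a CDN switches TLS 1.0 off.
        "will_fail_against_tls10_disabled_servers": not tls12,
    }


if __name__ == "__main__":
    for key, value in interpreter_tls_report().items():
        print(f"{key}: {value}")
```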
_______________________________________________
Pythonmac-SIG maillist  -  Pythonmac-SIG@python.org
https://mail.python.org/mailman/listinfo/pythonmac-sig
unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG