Re: [Python-Dev] New OpenSSL - has anyone ever looked at (in)compatibility with LibreSSL

2016-03-15 Thread Cory Benfield

> On 15 Mar 2016, at 01:08, Jim Baker  wrote:
> 
> I have no vested interest in this, other than the continuing work we have 
> done to make Jython compatible with OpenSSL's model, warts and all.
> 
> But the fact that BoringSSL cleans up the OpenSSL API 
> (https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md), at the cost 
> of possible backwards breaking API changes looks reasonable. I suppose there 
> is some risk - perhaps the maintainers will decide that returning 1 should 
> mean OK, but that's not going to happen, is it. The real issue here is that there 
> is no direct exposure of BoringSSL to other packages. I don't think that happens 
> with CPython. (Ironically it happens with Jython, due to how signed jars 
> poorly interact with shading/Java namespace remapping.)
> 
> Maintaining security means dealing with the inevitable churn. Did I mention 
> Jython's support of Python-compatible SSL? I think I did :p

It is *possible* to support BoringSSL: curl does. However, the BoringSSL 
developers *really* only target Chromium when they consider the possibility of 
breakage, so it costs curl quite a bit of development time[0]. curl accepts 
that cost because it supports every TLS stack under the sun: given that CPython 
currently supports exactly one, widening it to two is a very big risk indeed.

Cory


[0]: See https://github.com/curl/curl/issues/275, 
https://github.com/curl/curl/pull/524, https://github.com/curl/curl/pull/640



___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] New OpenSSL - has anyone ever looked at (in)compatibility with LibreSSL

2016-03-14 Thread Jim Baker
I have no vested interest in this, other than the continuing work we have
done to make Jython compatible with OpenSSL's model, warts and all.

But the fact that BoringSSL cleans up the OpenSSL API (
https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md), at the
cost of possible backwards breaking API changes looks reasonable. I suppose
there is some risk - perhaps the maintainers will decide that returning 1
> should mean OK, but that's not going to happen, is it. The real issue here
> is that there is no direct exposure of BoringSSL to other packages. I don't think
that happens with CPython. (Ironically it happens with Jython, due to how
signed jars poorly interact with shading/Java namespace remapping.)

Maintaining security means dealing with the inevitable churn. Did I mention
Jython's support of Python-compatible SSL? I think I did :p

- Jim

On Mon, Mar 14, 2016 at 6:06 PM, Gregory P. Smith  wrote:

>
> On Mon, Mar 14, 2016 at 4:56 PM Nathaniel Smith  wrote:
>
>> Should people outside google pay attention to boringssl? The first
>> thing it says on the website is:
>>
>> "Although BoringSSL is an open source project, it is not intended for
>> general use, as OpenSSL is. We don’t recommend that third parties
>> depend upon it. Doing so is likely to be frustrating because there are
>> no guarantees of API or ABI stability."
>>
>
> Heh, good point.  I guess not.  :)
>
>
>> On Mon, Mar 14, 2016 at 4:40 PM, Gregory P. Smith 
>> wrote:
>> > Don't forget BoringSSL.
>> >
>> > On Wed, Mar 9, 2016 at 9:30 AM Michael Felt  wrote:
>> >>
>> >> Can look at it. There has been a lot of discussion, iirc, between
>> OpenSSL
>> >> and LibreSSL re: version identification.
>> >> Thx for the reference.
>> >>
>> >>
>> >> On 08-Mar-16 14:55, Hasan Diwan wrote:
>> >>
>> >>
>> >> On 8 March 2016 at 00:49, Michael Felt  wrote:
>> >>>
>> >>> As a relative newcomer I may have missed a long previous discussion
>> re:
>> >>> linking with OpenSSL and/or LibreSSL.
>> >>> In an ideal world this would be rtl linking, i.e., underlying
>> >>> complexities of *SSL libraries are hidden from applications.
>> >>>
>> >>> In short, when I saw this http://bugs.python.org/issue26465 Title:
>> >>> Upgrade OpenSSL shipped with python installers, it reminded me I need
>> to
>> >>> start looking at LibreSSL again - and that, if not already done -
>> might be
>> >>> something "secure" for python as well.
>> >>
>> >>
>> >> According to the libressl website, one of the project's primary goals
>> is to
>> >> remain "backwards-compatible with OpenSSL", which is to say, to either
>> have
>> >> code work without changes or to fail gracefully when it uses the
>> deprecated
>> >> bits. It does seem it ships with OpenBSD. There is an issue open on
>> bugs to
>> >> address whatever incompatibilities remain between LibreSSL and
>> OpenSSL[1].
>> >> Perhaps you might want to take a look at that? -- H
>> >> 1. https://bugs.python.org/issue23177
>> >>>
>> >>>
>> >>> Michael
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> OpenPGP: http://hasan.d8u.us/gpg.asc
>> >> Sent from my mobile device
>> >> Envoyé de mon portable
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> Nathaniel J. Smith -- https://vorpus.org
>>
>
>
>


Re: [Python-Dev] New OpenSSL - has anyone ever looked at (in)compatibility with LibreSSL

2016-03-14 Thread Gregory P. Smith
On Mon, Mar 14, 2016 at 4:56 PM Nathaniel Smith  wrote:

> Should people outside google pay attention to boringssl? The first
> thing it says on the website is:
>
> "Although BoringSSL is an open source project, it is not intended for
> general use, as OpenSSL is. We don’t recommend that third parties
> depend upon it. Doing so is likely to be frustrating because there are
> no guarantees of API or ABI stability."
>

Heh, good point.  I guess not.  :)


> On Mon, Mar 14, 2016 at 4:40 PM, Gregory P. Smith  wrote:
> > Don't forget BoringSSL.
> >
> > On Wed, Mar 9, 2016 at 9:30 AM Michael Felt  wrote:
> >>
> >> Can look at it. There has been a lot of discussion, iirc, between
> OpenSSL
> >> and LibreSSL re: version identification.
> >> Thx for the reference.
> >>
> >>
> >> On 08-Mar-16 14:55, Hasan Diwan wrote:
> >>
> >>
> >> On 8 March 2016 at 00:49, Michael Felt  wrote:
> >>>
> >>> As a relative newcomer I may have missed a long previous discussion re:
> >>> linking with OpenSSL and/or LibreSSL.
> >>> In an ideal world this would be rtl linking, i.e., underlying
> >>> complexities of *SSL libraries are hidden from applications.
> >>>
> >>> In short, when I saw this http://bugs.python.org/issue26465 Title:
> >>> Upgrade OpenSSL shipped with python installers, it reminded me I need
> to
> >>> start looking at LibreSSL again - and that, if not already done -
> might be
> >>> something "secure" for python as well.
> >>
> >>
> >> According to the libressl website, one of the project's primary goals is
> to
> >> remain "backwards-compatible with OpenSSL", which is to say, to either
> have
> >> code work without changes or to fail gracefully when it uses the
> deprecated
> >> bits. It does seem it ships with OpenBSD. There is an issue open on
> bugs to
> >> address whatever incompatibilities remain between LibreSSL and
> OpenSSL[1].
> >> Perhaps you might want to take a look at that? -- H
> >> 1. https://bugs.python.org/issue23177
> >>>
> >>>
> >>> Michael
> >>
> >>
> >>
> >>
> >> --
> >> OpenPGP: http://hasan.d8u.us/gpg.asc
> >> Sent from my mobile device
> >> Envoyé de mon portable
> >>
> >>
> >
> >
> >
>
>
>
> --
> Nathaniel J. Smith -- https://vorpus.org
>


Re: [Python-Dev] New OpenSSL - has anyone ever looked at (in)compatibility with LibreSSL

2016-03-14 Thread Nathaniel Smith
Should people outside google pay attention to boringssl? The first
thing it says on the website is:

"Although BoringSSL is an open source project, it is not intended for
general use, as OpenSSL is. We don’t recommend that third parties
depend upon it. Doing so is likely to be frustrating because there are
no guarantees of API or ABI stability."

On Mon, Mar 14, 2016 at 4:40 PM, Gregory P. Smith  wrote:
> Don't forget BoringSSL.
>
> On Wed, Mar 9, 2016 at 9:30 AM Michael Felt  wrote:
>>
>> Can look at it. There has been a lot of discussion, iirc, between OpenSSL
>> and LibreSSL re: version identification.
>> Thx for the reference.
>>
>>
>> On 08-Mar-16 14:55, Hasan Diwan wrote:
>>
>>
>> On 8 March 2016 at 00:49, Michael Felt  wrote:
>>>
>>> As a relative newcomer I may have missed a long previous discussion re:
>>> linking with OpenSSL and/or LibreSSL.
>>> In an ideal world this would be rtl linking, i.e., underlying
>>> complexities of *SSL libraries are hidden from applications.
>>>
>>> In short, when I saw this http://bugs.python.org/issue26465 Title:
>>> Upgrade OpenSSL shipped with python installers, it reminded me I need to
>>> start looking at LibreSSL again - and that, if not already done - might be
>>> something "secure" for python as well.
>>
>>
>> According to the libressl website, one of the project's primary goals is to
>> remain "backwards-compatible with OpenSSL", which is to say, to either have
>> code work without changes or to fail gracefully when it uses the deprecated
>> bits. It does seem it ships with OpenBSD. There is an issue open on bugs to
>> address whatever incompatibilities remain between LibreSSL and OpenSSL[1].
>> Perhaps you might want to take a look at that? -- H
>> 1. https://bugs.python.org/issue23177
>>>
>>>
>>> Michael
>>
>>
>>
>>
>> --
>> OpenPGP: http://hasan.d8u.us/gpg.asc
>> Sent from my mobile device
>> Envoyé de mon portable
>>
>>
>
>
>



-- 
Nathaniel J. Smith -- https://vorpus.org


Re: [Python-Dev] New OpenSSL - has anyone ever looked at (in)compatibility with LibreSSL

2016-03-14 Thread Gregory P. Smith
Don't forget BoringSSL.

On Wed, Mar 9, 2016 at 9:30 AM Michael Felt  wrote:

> Can look at it. There has been a lot of discussion, iirc, between OpenSSL
> and LibreSSL re: version identification.
> Thx for the reference.
>
>
> On 08-Mar-16 14:55, Hasan Diwan wrote:
>
>
> On 8 March 2016 at 00:49, Michael Felt  wrote:
>
>> As a relative newcomer I may have missed a long previous discussion re:
>> linking with OpenSSL and/or LibreSSL.
>> In an ideal world this would be rtl linking, i.e., underlying
>> complexities of *SSL libraries are hidden from applications.
>>
>> In short, when I saw this http://bugs.python.org/issue26465 Title:
>> Upgrade OpenSSL shipped with python installers, it reminded me I need to
>> start looking at LibreSSL again - and that, if not already done - might be
>> something "secure" for python as well.
>>
>
> According to the libressl website, one of the project's primary goals is to
> remain "backwards-compatible with OpenSSL", which is to say, to either
> have code work without changes or to fail gracefully when it uses the
> deprecated bits. It does seem it ships with OpenBSD. There is an issue open
> on bugs to address whatever incompatibilities remain between LibreSSL and
> OpenSSL[1]. Perhaps you might want to take a look at that? -- H
> 1. https://bugs.python.org/issue23177
>
>>
>> Michael
>>
>
>
>
> --
> OpenPGP: http://hasan.d8u.us/gpg.asc
> Sent from my mobile device
> Envoyé de mon portable
>
>
>


Re: [Python-Dev] New OpenSSL - has anyone ever looked at (in)compatibility with LibreSSL

2016-03-09 Thread Michael Felt
Can look at it. There has been a lot of discussion, iirc, between 
OpenSSL and LibreSSL re: version identification.

Thx for the reference.

On 08-Mar-16 14:55, Hasan Diwan wrote:


On 8 March 2016 at 00:49, Michael Felt  wrote:


As a relative newcomer I may have missed a long previous
discussion re: linking with OpenSSL and/or LibreSSL.
In an ideal world this would be rtl linking, i.e., underlying
complexities of *SSL libraries are hidden from applications.

In short, when I saw this http://bugs.python.org/issue26465 Title:
Upgrade OpenSSL shipped with python installers, it reminded me I
need to start looking at LibreSSL again - and that, if not already
done - might be something "secure" for python as well.


According to the libressl website, one of the project's primary goals 
is to remain "backwards-compatible with OpenSSL", which is to say, to 
either have code work without changes or to fail gracefully when it 
uses the deprecated bits. It does seem it ships with OpenBSD. There is 
an issue open on bugs to address whatever incompatibilities remain 
between LibreSSL and OpenSSL[1]. Perhaps you might want to take a look 
at that? -- H

1. https://bugs.python.org/issue23177


Michael




--
OpenPGP: http://hasan.d8u.us/gpg.asc
Sent from my mobile device
Envoyé de mon portable


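The version-identification point raised above (OpenSSL versus LibreSSL reporting their versions differently) is the kind of thing a deployment wants to check at startup rather than discover in a traceback. The following is an added example, not code from this thread or from CPython itself. It reads the two values CPython's ssl module already exports, ssl.OPENSSL_VERSION (the version text) and ssl.OPENSSL_VERSION_NUMBER (the packed integer), and works out which stack the interpreter was linked against and whether the packed number can be trusted. It relies on LibreSSL's documented choice of reporting a fixed OPENSSL_VERSION_NUMBER of 0x20000000 and BoringSSL's version text being just "BoringSSL"; the sample inputs, the BoringSSL number used in the demo, and the policy helper meets_minimum are constructed for illustration.

```python
"""Identify which TLS stack a CPython build is linked against.

Added example for this thread (not code from the thread or from CPython).
It uses the constants CPython's ssl module exports: ssl.OPENSSL_VERSION
(version text) and ssl.OPENSSL_VERSION_NUMBER (packed integer).
"""
import re
import ssl
from typing import NamedTuple, Tuple

# LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000 in every release,
# so the integer says "LibreSSL" but nothing about which LibreSSL.
LIBRESSL_FIXED_NUMBER = 0x20000000

# The version text starts with the library name, e.g. "OpenSSL 1.0.2g  1 Mar 2016";
# LibreSSL reports "LibreSSL 2.3.1" and BoringSSL reports just "BoringSSL".
_VERSION_TEXT_RE = re.compile(r"^(OpenSSL|LibreSSL|BoringSSL)\s*(\d+(?:\.\d+)*)?")


class TlsStack(NamedTuple):
    name: str                 # "OpenSSL", "LibreSSL", "BoringSSL" or "unknown"
    version: Tuple[int, ...]  # parsed from the version text, () if absent
    number_is_reliable: bool  # True only if OPENSSL_VERSION_NUMBER matches the text


def decode_openssl_number(number: int) -> Tuple[int, int, int]:
    """Decode OpenSSL's packed OPENSSL_VERSION_NUMBER to (major, minor, fix/patch).

    1.x packs MNNFFPPS (fix in bits 12-19); 3.x packs MNN00PP0 (patch in bits 4-11).
    """
    major = (number >> 28) & 0xF
    minor = (number >> 20) & 0xFF
    if major >= 3:
        return (major, minor, (number >> 4) & 0xFF)
    return (major, minor, (number >> 12) & 0xFF)


def identify_tls_stack(version_text: str, version_number: int) -> TlsStack:
    """Classify the stack from the two values and say whether the number can be trusted."""
    match = _VERSION_TEXT_RE.match(version_text.strip())
    if not match:
        return TlsStack("unknown", (), False)
    name, digits = match.group(1), match.group(2)
    version = tuple(int(part) for part in digits.split(".")) if digits else ()
    if name == "LibreSSL":
        # Fixed number: only the text carries the real version.
        return TlsStack(name, version, False)
    if name == "BoringSSL":
        # BoringSSL mimics an OpenSSL number for source compatibility and makes
        # no API/ABI stability promise, so neither value tracks a release.
        return TlsStack(name, version, False)
    # OpenSSL: cross-check the text against the packed number.
    reliable = len(version) >= 3 and version[:3] == decode_openssl_number(version_number)
    return TlsStack(name, version, reliable)


def meets_minimum(stack: TlsStack, minimum: Tuple[int, ...],
                  allowed: Tuple[str, ...] = ("OpenSSL", "LibreSSL")) -> bool:
    """Policy check (hypothetical helper): a stack you tested, at or above the
    version you validated against.

    Compares the version parsed from the text, never the packed number, because
    the number is meaningless for LibreSSL and unreliable for BoringSSL.
    """
    return stack.name in allowed and bool(stack.version) and stack.version >= minimum


def running_interpreter_stack() -> TlsStack:
    """Inspect the interpreter this script runs under."""
    return identify_tls_stack(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_NUMBER)


if __name__ == "__main__":
    # Constructed sample values alongside the live interpreter's own report.
    samples = [
        ("OpenSSL 1.0.2g  1 Mar 2016", 0x1000207F),
        ("LibreSSL 2.3.1", LIBRESSL_FIXED_NUMBER),
        ("BoringSSL", 0x1010007F),  # constructed number, stands in for whatever BoringSSL reports
    ]
    for text, number in samples:
        print(text, "->", identify_tls_stack(text, number))
    print("this interpreter ->", running_interpreter_stack())
```

Run it under an interpreter built against each stack to see the difference: for OpenSSL the text and the packed number agree and `number_is_reliable` is True; for LibreSSL the number is the fixed 0x20000000 and only the text is informative, which is exactly why code that gates features on `OPENSSL_VERSION_NUMBER` comparisons misbehaves there.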


Re: [Python-Dev] New OpenSSL - has anyone ever looked at (in)compatibility with LibreSSL

2016-03-08 Thread Hasan Diwan
On 8 March 2016 at 00:49, Michael Felt  wrote:

> As a relative newcomer I may have missed a long previous discussion re:
> linking with OpenSSL and/or LibreSSL.
> In an ideal world this would be rtl linking, i.e., underlying complexities
> of *SSL libraries are hidden from applications.
>
> In short, when I saw this http://bugs.python.org/issue26465 Title:
> Upgrade OpenSSL shipped with python installers, it reminded me I need to
> start looking at LibreSSL again - and that, if not already done - might be
> something "secure" for python as well.
>

According to the libressl website, one of the project's primary goals is to
remain "backwards-compatible with OpenSSL", which is to say, to either have
code work without changes or to fail gracefully when it uses the deprecated
bits. It does seem it ships with OpenBSD. There is an issue open on bugs to
address whatever incompatibilities remain between LibreSSL and OpenSSL[1].
Perhaps you might want to take a look at that? -- H
1. https://bugs.python.org/issue23177

>
> Michael
>



-- 
OpenPGP: http://hasan.d8u.us/gpg.asc
Sent from my mobile device
Envoyé de mon portable