Drop support for OpenSSL 1.0.2 in 3.10

Y’all,

I would like to drop support for OpenSSL 1.0.2 from master (3.10) and require 1.1.1. OpenSSL 1.0.2 has reached EOL in December 2019. Python 3.10 is scheduled to be released in October 2021. By the time 3.10 comes out OpenSSL 1.0.2 will be missing almost two years of security updates.

Benefits

  • Simpler of code, OpenSSL 1.1.0 has introduced a new API. The ssl and hashlib module contain additional code and ifdefs to provide backwards compatibility. I would be able to remove fair amount of compatibility code.
  • Reduced maintenance overhead, I would no longer have to verify that code works with OpenSSL 1.0.2, 1.1.1, 3.0.0
  • OpenSSL 1.1.1 comes with sha3 and shake. I can remove _sha3 implementation and reduce code size by about 280kB and library size by about 100kB.

distributions with OpenSSL >= 1.1

(according to distrowatch)

  • Alpine
  • CentOS 8
  • Debian 9, 10
  • Fedora (all supported)
  • FreeBSD 11, 12, 13
  • macOS homebrew
  • macOS python.org installer (1)
  • OpenSUSE 15.1 (current)
  • RHEL 8
  • Ubuntu 18.04 LTS (1), 20.04 LTS
  • Windows python.org installer (1)

(1) The installers are provided by us and are shipped with latest OpenSSL 1.1.1 since OpenSSL 1.0.2 and 1.1.0 reached EOL.
(2) Ubuntu 18.04 has OpenSSL 1.1.0, which contains sha3

distributions with OpenSSL 1.0.2

  • CentOS 7 (EOL 2024)
  • RHEL 7
  • Ubuntu 16.04 LTS (standard supports ends 2021-04)

In my opinion it’s ok to drop support for old Ubuntu and RHEL versions. Users on old stable distributions rarely care about latest Python version. They still have the option to download and compile Python with a more recent OpenSSL build, too.

14 Likes