From d98cb9db3d87a78357b711397baa726de2ac6bcf Mon Sep 17 00:00:00 2001 From: Nick Coghlan Date: Sat, 30 Jun 2018 20:14:46 +1000 Subject: [PATCH 1/4] bpo-34009: Expand on platform support changes --- Doc/whatsnew/3.7.rst | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index 53fbe185a3ade3..367b0481d85c27 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst @@ -1304,8 +1304,8 @@ Host name validation can be customized with .. note:: The improved host name check requires a *libssl* implementation compatible with OpenSSL 1.0.2 or 1.1. Consequently, OpenSSL 0.9.8 and 1.0.1 are no - longer supported. The ssl module is mostly compatible with LibreSSL 2.7.2 - and newer. + longer supported (see :ref:`37-platform-support-removals` for more details). + The ssl module is mostly compatible with LibreSSL 2.7.2 and newer. The ``ssl`` module no longer sends IP addresses in SNI TLS extension. (Contributed by Christian Heimes in :issue:`32185`.) 
@@ -2069,10 +2069,24 @@ or higher. (Contributed by Serhiy Storchaka in :issue:`27867`.) (Contributed by Antoine Pitrou in :issue:`16500`.) +.. _37-platform-support-removals: + Platform Support Removals ========================= -FreeBSD 9 and older are no longer officially supported. +* FreeBSD 9 and older are no longer officially supported. +* For full Unicode support, including within extension modules, \*nix platforms + are now expected to provide at least one of ``C.UTF-8`` (full locale), + ``C.utf8`` (full locale) or ``UTF-8`` (``LC_CTYPE``-only locale) as an + alternative to the legacy ``ASCII``-only ``C`` locale. +* OpenSSL 0.9.8 and 1.0.1 are no longer supported, which means building Python + 3.7 on platforms using these versions will require custom build options that + link to a more recent OpenSSL. This affects projects testing on Ubuntu 14.04 + (the "dist: trusty" build environment on Travis CI), where the simplest + resolution may be to update to using Ubuntu 16.04 (the "dist: xenial" build + environment). For cases where that isn't an option, see + :source:`Tools/ssl/multissltests.py` for examples of building custom + versions of SSL/TLS libraries, and linking Python against them. API and Feature Removals From c4fca8bf0ea83fcd26bf3b6bc56904b6bf933396 Mon Sep 17 00:00:00 2001 From: Nick Coghlan Date: Sun, 1 Jul 2018 13:24:07 +1000 Subject: [PATCH 2/4] Better info on the OpenSSL 1.0.1 issue --- Doc/whatsnew/3.7.rst | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index 367b0481d85c27..6b718d334be5a0 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst 
@@ -2080,14 +2080,28 @@ Platform Support Removals ``C.utf8`` (full locale) or ``UTF-8`` (``LC_CTYPE``-only locale) as an alternative to the legacy ``ASCII``-only ``C`` locale. * OpenSSL 0.9.8 and 1.0.1 are no longer supported, which means building Python - 3.7 on platforms using these versions will require custom build options that - link to a more recent OpenSSL. This affects projects testing on Ubuntu 14.04 - (the "dist: trusty" build environment on Travis CI), where the simplest - resolution may be to update to using Ubuntu 16.04 (the "dist: xenial" build - environment). For cases where that isn't an option, see - :source:`Tools/ssl/multissltests.py` for examples of building custom - versions of SSL/TLS libraries, and linking Python against them. - + 3.7 with SSL/TLS support on older platforms still using these versions + requires custom build options that link to a more recent version of OpenSSL. + + Notably, this issue affects the Debian 8 and Ubuntu 14.04 LTS Linux + distributions, as they still use OpenSSL 1.0.1 by default. Debian 9 and + Ubuntu 16.04, as well as recent releases of other LTS Linux releases + (e.g. RHEL/CentOS 7.5, SLES 12-SP3), use OpenSSL 1.0.2 or later, and remain + supported in the default build configuration. + + For projects using the Ubuntu 14.04 (``dist: trusty``) environment in + Travis CI, CPython's own :source:`CI configuration file <.travis.yml>` + provides an example of using the SSL + :source:`compatibility testing infrastructure ` in + CPython's test suite to build and link against OpenSSL 1.1.0 rather than the + outdated system provided OpenSSL. + + There is an `open ticket with Travis CI `_ + requesting either an Ubuntu 14.04 compatible build of CPython 3.7, or else + an update on the availability of a reliable ``dist: xenial`` (Ubuntu 16.04) + testing environment. + +.. _travis-ci-openssl-ticket: https://github.com/travis-ci/travis-ci/issues/9069 API and Feature Removals ======================== 
From 3dc9695db72e99c78e4888b071a74b8b42210cad Mon Sep 17 00:00:00 2001 From: Nick Coghlan Date: Sun, 1 Jul 2018 13:26:28 +1000 Subject: [PATCH 3/4] Small wording fixes --- Doc/whatsnew/3.7.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index 6b718d334be5a0..26c0fd03858305 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst @@ -2078,8 +2078,8 @@ Platform Support Removals * For full Unicode support, including within extension modules, \*nix platforms are now expected to provide at least one of ``C.UTF-8`` (full locale), ``C.utf8`` (full locale) or ``UTF-8`` (``LC_CTYPE``-only locale) as an - alternative to the legacy ``ASCII``-only ``C`` locale. -* OpenSSL 0.9.8 and 1.0.1 are no longer supported, which means building Python + alternative to the legacy ``ASCII``-based ``C`` locale. +* OpenSSL 0.9.8 and 1.0.1 are no longer supported, which means building CPython 3.7 with SSL/TLS support on older platforms still using these versions requires custom build options that link to a more recent version of OpenSSL. From b7a729a6ea68da3f26b2624a36dcd9f45ba584a1 Mon Sep 17 00:00:00 2001 From: Nick Coghlan Date: Wed, 4 Jul 2018 20:59:32 +1000 Subject: [PATCH 4/4] Remove Travis references, add Debuntu code names --- Doc/whatsnew/3.7.rst | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index 26c0fd03858305..ac13890d9794ef 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst 
@@ -2083,25 +2083,20 @@ Platform Support Removals 3.7 with SSL/TLS support on older platforms still using these versions requires custom build options that link to a more recent version of OpenSSL. - Notably, this issue affects the Debian 8 and Ubuntu 14.04 LTS Linux - distributions, as they still use OpenSSL 1.0.1 by default. Debian 9 and - Ubuntu 16.04, as well as recent releases of other LTS Linux releases - (e.g. RHEL/CentOS 7.5, SLES 12-SP3), use OpenSSL 1.0.2 or later, and remain - supported in the default build configuration. - - For projects using the Ubuntu 14.04 (``dist: trusty``) environment in - Travis CI, CPython's own :source:`CI configuration file <.travis.yml>` - provides an example of using the SSL + Notably, this issue affects the Debian 8 (aka "jessie") and Ubuntu 14.04 + (aka "Trusty") LTS Linux distributions, as they still use OpenSSL 1.0.1 by + default. + + Debian 9 ("stretch") and Ubuntu 16.04 ("xenial"), as well as recent releases + of other LTS Linux releases (e.g. RHEL/CentOS 7.5, SLES 12-SP3), use OpenSSL + 1.0.2 or later, and remain supported in the default build configuration. + + CPython's own :source:`CI configuration file <.travis.yml>` provides an + example of using the SSL :source:`compatibility testing infrastructure ` in - CPython's test suite to build and link against OpenSSL 1.1.0 rather than the + CPython's test suite to build and link against OpenSSL 1.1.0 rather than an outdated system provided OpenSSL. - There is an `open ticket with Travis CI `_ - requesting either an Ubuntu 14.04 compatible build of CPython 3.7, or else - an update on the availability of a reliable ``dist: xenial`` (Ubuntu 16.04) - testing environment. - -.. _travis-ci-openssl-ticket: https://github.com/travis-ci/travis-ci/issues/9069 API and Feature Removals ========================
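Review bot: In PATCH 1/4, hunk ``@@ -1304,8 +1304,8 @@``, the rewrapped sentence "The ssl module is mostly compatible with LibreSSL 2.7.2 and newer." leaves the module name as plain text, while the paragraph that follows it in the same hunk writes it as an inline literal. Since the line is being touched anyway, mark it up the same way so the note and the following paragraph agree.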
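Review bot: In PATCH 1/4, hunk ``@@ -2069,10 +2069,24 @@``, the new locale bullet says \*nix platforms "are now expected to provide at least one of" three locales but does not say what a user sees when none of them is available. For a "Platform Support Removals" entry, the reader needs the consequence, so add a clause describing the behaviour on a system that offers only the legacy ``C`` locale, or cross-reference the section of this document that covers the locale changes, the way the OpenSSL note now points at ``37-platform-support-removals``.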
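Review bot: In PATCH 2/4, hunk ``@@ -2080,14 +2080,28 @@``, the rewritten bullet says building with SSL/TLS support "requires custom build options that link to a more recent version of OpenSSL" but never names those options; the reader is sent to ``.travis.yml`` and the test infrastructure to work them out. Name the configure option(s) in the bullet itself and keep the links as supporting examples. It is also worth one sentence noting that an OpenSSL built this way is no longer updated by the distribution, so whoever builds it takes on tracking its security fixes. Separately, as the hunk reads here, the ``:source:`` role for "compatibility testing infrastructure" and the "open ticket with Travis CI" link show no target, so confirm both resolve in the rendered docs.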
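Review bot: In PATCH 4/4, hunk ``@@ -2083,25 +2083,20 @@``, the subject says "Remove Travis references" but the last paragraph still links ``:source:`CI configuration file <.travis.yml>```, so a Travis-specific file remains the only worked example; either reword the subject or describe the file neutrally as CPython's CI configuration and say what the reader should look for in it. On style, the code names are inconsistent within the same hunk: ``(aka "jessie")`` is lower case, ``(aka "Trusty")`` is capitalised, and ``("stretch")`` and ``("xenial")`` drop the "aka". Pick one form. "recent releases of other LTS Linux releases" repeats "releases", and "system provided OpenSSL" should be hyphenated as "system-provided".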