
Drop support for OpenSSL<1.1.1 #2168

@pquentin

Warning
Did you see this URL in an error message? Please read our migration guide which covers what you should do to continue using the latest version of urllib3.

There were some integration issues that have been resolved or documented in the latest versions of urllib3, requests, botocore, and other packages. To make that apparent to casual readers we will be minimizing the comments in the discussion that are related to these issues or have been covered in the migration guide. Please follow the official migration guide and if the case you're experiencing isn't covered please open a new issue or ask in our community Discord.

Context

The TLS situation in Python has considerably improved since the early years of urllib3, thanks to the hard work of persons like Christian Heimes and Cory Benfield. urllib3 took advantage of new features even when only a subset of users could use it, and still accepts OpenSSL versions that don't have SNI, for example.

Here's what OpenSSL currently supports:

  • Version 1.1.1 will be supported until 2023-09-11 (LTS).
  • Version 1.0.2 is no longer supported. Extended support for 1.0.2 to gain access to security fixes for that version is available.
  • Versions 1.1.0, 1.0.1, 1.0.0 and 0.9.8 are no longer supported.

RHEL 6 supports 1.0.1e+ and RHEL 7 only supports 1.0.2k and beyond.

We also know that Python 3.10+ will require OpenSSL 1.1.1+ thanks to PEP 644.

Given this, the only operating systems that would be in a tough spot if we decide to drop support for OpenSSL <1.1.1 are OSes that:

  • Still support OpenSSL <1.1.1 as their default OpenSSL
  • Use Python >=3.7 but <3.10 for their default Python
  • Are likely to upgrade their system package for urllib3 to v2.0

The combination of the above three is very unlikely. We've identified a few OSes we'd like to evaluate to make sure before we release v2.0:

  • Amazon Linux 2
  • Gentoo

Minimum requirements

💰 You can get paid to complete this issue! Please read the docs for more information.

  • Evaluate the above OSes to see if they'd be impacted by dropping support for OpenSSL <1.1.1. Leave this in a comment in this issue.
  • Raise an ImportError if not OpenSSL or ssl.OPENSSL_VERSION < (1, 1, 1) with a message about urllib3 v2.0 requiring OpenSSL 1.1.1+
  • Remove work-arounds for conditional features around the ssl module that are due to OpenSSL <1.1.1 (minimum_version, HAS_SNI, _is_openssl_gt_v1_1_1, more examples below)
  • Add documentation for urllib3 requiring OpenSSL 1.1.1+
  • Add a newfragment
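An added example, not urllib3's own code, of the import-time gate the list above asks for, plus a context builder that no longer probes for features. The function names, the TLS 1.2 floor and the sample version strings are assumptions made for illustration; the comparison uses the `ssl.OPENSSL_VERSION_INFO` tuple because `ssl.OPENSSL_VERSION` is a display string.

```python
import ssl

MIN_OPENSSL = (1, 1, 1)  # floor proposed in the issue


def openssl_problem(version=ssl.OPENSSL_VERSION, info=ssl.OPENSSL_VERSION_INFO):
    """Return None if the TLS backend is acceptable, else an error message."""
    if not version.startswith("OpenSSL "):
        # Forks such as LibreSSL use their own version numbering, so the
        # tuple says nothing about which OpenSSL 1.1.1 features are present.
        return f"urllib3 v2.0 requires OpenSSL 1.1.1+, but ssl is built with {version!r}"
    if tuple(info[:3]) < MIN_OPENSSL:
        return f"urllib3 v2.0 requires OpenSSL 1.1.1+, found {version!r}"
    return None


def require_modern_openssl(version=ssl.OPENSSL_VERSION, info=ssl.OPENSSL_VERSION_INFO):
    """Import-time gate: refuse to load instead of silently degrading TLS."""
    problem = openssl_problem(version, info)
    if problem is not None:
        raise ImportError(problem)


def make_client_context():
    """Client context with no HAS_SNI or minimum_version conditionals.

    Once the gate has passed, SNI and SSLContext.minimum_version can be
    relied on, so the hasattr/try-except work-arounds are unnecessary.
    """
    require_modern_openssl()
    ctx = ssl.create_default_context()  # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor for this example
    return ctx


if __name__ == "__main__":
    # Constructed (version string, version tuple) pairs, not captured output.
    samples = [
        ("OpenSSL 1.1.1k  25 Mar 2021", (1, 1, 1, 11, 15)),
        ("OpenSSL 1.0.2k-fips  26 Jan 2017", (1, 0, 2, 11, 15)),
        ("LibreSSL 2.8.3", (2, 0, 0, 0, 0)),
    ]
    for version, info in samples:
        print(f"{version!r}: {openssl_problem(version, info) or 'ok'}")
```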

Labels

TLS, 💰 Bounty $300 (If you complete this issue we'll pay you $300 on OpenCollective!)
