ssl and hashlib: Remove functions deprecated in Python 3.10 #94199

Open
vstinner opened this issue Jun 24, 2022 · 2 comments
Labels
type-bug

@vstinner vstinner commented Jun 24, 2022

The commit 2875c60 deprecated many ssl and hashlib functions in Python 3.10:

  • ssl.OP_NO_SSLv2
  • ssl.OP_NO_SSLv3
  • ssl.OP_NO_TLSv1
  • ssl.OP_NO_TLSv1_1
  • ssl.OP_NO_TLSv1_2
  • ssl.OP_NO_TLSv1_3
  • ssl.PROTOCOL_SSLv2
  • ssl.PROTOCOL_SSLv3
  • ssl.PROTOCOL_SSLv23 (alias for PROTOCOL_TLS)
  • ssl.PROTOCOL_TLS
  • ssl.PROTOCOL_TLSv1
  • ssl.PROTOCOL_TLSv1_1
  • ssl.PROTOCOL_TLSv1_2
  • ssl.TLSVersion.SSLv3
  • ssl.TLSVersion.TLSv1
  • ssl.TLSVersion.TLSv1_1
  • ssl.wrap_socket()
  • ssl.RAND_pseudo_bytes()
  • ssl.RAND_egd() (already removed since it's not supported by OpenSSL 1.1.1)
  • ssl.SSLContext() without a protocol argument
  • ssl.match_hostname()
  • hashlib.pbkdf2_hmac() (pure Python implementation, fast OpenSSL function will stay)

They emit a DeprecationWarning in Python 3.10 and 3.11. According to PEP 387, they can now be removed in Python 3.12.

I'm not sure that we should actively remove all of these deprecated features; it should be decided on a case-by-case basis. Backward compatibility is even more complex when it's about security and old security protocols like SSL and old TLS versions.

@vstinner vstinner added the type-bug label Jun 24, 2022
vstinner added a commit to vstinner/cpython that referenced this issue Jun 24, 2022
Remove the pure Python implementation of hashlib.pbkdf2_hmac(),
deprecated in Python 3.10. Python 3.10 and newer requires OpenSSL
1.1.1 or newer (PEP 644), this OpenSSL version provides a C
implementation of pbkdf2_hmac() which is safer.
vstinner added a commit to vstinner/cpython that referenced this issue Jun 24, 2022
Remove the pure Python implementation of hashlib.pbkdf2_hmac(),
deprecated in Python 3.10. Python 3.10 and newer requires OpenSSL
1.1.1 or newer (PEP 644), this OpenSSL version provides a C
implementation of pbkdf2_hmac() which is faster.
vstinner added a commit to vstinner/cpython that referenced this issue Jun 24, 2022
Remove the ssl.RAND_pseudo_bytes() function, deprecated in Python
3.6: use os.urandom() or ssl.RAND_bytes() instead.
vstinner added a commit to vstinner/cpython that referenced this issue Jun 24, 2022
Remove the ssl.wrap_socket() function, deprecated in Python 3.7:
instead, create a ssl.SSLContext object and call its
SSLContext.wrap_socket() method.
vstinner added a commit that referenced this issue Jun 24, 2022
Remove the ssl.RAND_pseudo_bytes() function, deprecated in Python
3.6: use os.urandom() or ssl.RAND_bytes() instead.
vstinner added a commit to vstinner/cpython that referenced this issue Jun 24, 2022
Remove the ssl.match_hostname() function. The ssl.match_hostname()
was deprecated in Python 3.7. OpenSSL performs hostname matching
since Python 3.7, Python no longer uses the ssl.match_hostname()
function.
@vstinner vstinner commented Jun 24, 2022

What's New in Python 3.10 lists many deprecated ssl functions and announces: "will be removed in 3.11" (Python 3.11).

But in the meanwhile, PEP 387 was updated to require a feature to be deprecated for 2 Python releases (Python 3.10 and 3.11), not only a single Python release. Some functions were deprecated way before Python 3.10 (emit a DeprecationWarning).
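For auditing a code base against the list in this issue, here is an added example (not CPython's code and not part of the thread) that walks a module's AST and reports uses of the deprecated ssl names with a replacement hint. The hints for `OP_NO_*`, `PROTOCOL_*`, `SSLContext()` and `TLSVersion` follow the Python ssl documentation rather than this page; the function names and `SAMPLE` are constructed for the example.

```python
import ast

# Hints for wrap_socket, RAND_pseudo_bytes and match_hostname follow the commit
# messages in this issue; the others follow the Python ssl docs (assumption).
HINTS = {
    "wrap_socket": "create an ssl.SSLContext and call its wrap_socket() method",
    "RAND_pseudo_bytes": "use os.urandom() or ssl.RAND_bytes()",
    "RAND_egd": "already removed (not supported by OpenSSL 1.1.1)",
    "match_hostname": "OpenSSL matches hostnames; keep check_hostname enabled",
}
OLD_VERSIONS = {"SSLv3", "TLSv1", "TLSv1_1"}  # deprecated TLSVersion members
SAMPLE = """import ssl
ctx = ssl.SSLContext()
ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_COMPRESSION
ctx.minimum_version = ssl.TLSVersion.TLSv1_1
sock = ssl.wrap_socket(raw)
ok = ctx.wrap_socket(raw)
"""  # constructed input: only parsed, never executed

def hint_for(name):
    """Return a migration hint for a deprecated ssl name, else None."""
    if name.startswith(("OP_NO_SSLv", "OP_NO_TLSv")):
        return "set SSLContext.minimum_version / maximum_version"
    if name.startswith("PROTOCOL_") and not name.endswith(("_CLIENT", "_SERVER")):
        return "use ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER"
    return HINTS.get(name)

def find_deprecated_ssl(source):
    """Return sorted (line, name, hint) tuples for deprecated ssl usage."""
    nodes = list(ast.walk(ast.parse(source)))
    aliases, found = set(), set()
    for n in nodes:  # first pass: how is the ssl module imported?
        if isinstance(n, ast.Import):
            aliases |= {a.asname or a.name for a in n.names if a.name == "ssl"}
        elif isinstance(n, ast.ImportFrom) and n.module == "ssl":
            found |= {(n.lineno, a.name, hint_for(a.name))
                      for a in n.names if hint_for(a.name)}
    for n in nodes:  # second pass: attribute accesses and bare SSLContext()
        if (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                and n.func.attr == "SSLContext" and not (n.args or n.keywords)):
            found.add((n.lineno, "SSLContext()", hint_for("PROTOCOL_TLS")))
        elif isinstance(n, ast.Attribute):
            base = n.value
            if isinstance(base, ast.Name) and base.id in aliases and hint_for(n.attr):
                found.add((n.lineno, n.attr, hint_for(n.attr)))
            elif (isinstance(base, ast.Attribute) and base.attr == "TLSVersion"
                    and n.attr in OLD_VERSIONS):
                found.add((n.lineno, "TLSVersion." + n.attr, "use TLSv1_2 or newer"))
    return sorted(found)
```

`ctx.wrap_socket()` and `ssl.OP_NO_COMPRESSION` are not reported, and `hashlib.pbkdf2_hmac()` is never flagged because the function itself stays; only its pure Python fallback is removed.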
