Drop support for OpenSSL<1.1.1 #2168
For reference, PEP 644 was accepted for Python 3.10.
How about requiring OpenSSL 1.1.0g or newer? This would fix #2636
I think that requiring 1.1.1+ for v2 is reasonable, which is what RHEL 8 and Debian stable support. While RHEL 7 is still supporting 1.0.2k+, it is end of life, and for context they still ship urllib3 1.10! Also, while we have CI for 1.1.1 and 3.0.0, we don't have anything for 1.0.2 or 1.1.0.
Requiring 1.1.1+ will also allow dropping of pyopenssl inject_into_urllib3 https://github.com/psf/requests/search?q=inject_into_urllib3&type=code and if urllib3 drops ssl 1.0.1 then SecureTransport can go too: https://github.com/pypa/pip/blob/bf91a079791f2daf4339115fb39ce7d7e33a9312/src/pip/_internal/utils/inject_securetransport.py#L24
It'd be interesting to see which flavors of Linux are both using OpenSSL <1.1.1 and likely to update to urllib3 v2.0 as a part of their system libraries specifically. I suspect the list is extremely small. Given that information I'd like to consider only supporting OpenSSL 1.1.1+ for v2.0 unless we find an example that's still using OpenSSL <1.1.1. Does anyone have such an example?
From this link: https://repology.org/project/openssl/versions Linux flavors of interest:
@pquentin Brought up the case where a downstream packaged pip unbundles urllib3, if the user were to upgrade their system's installation of urllib3 they'd essentially brick their system and not be able to downgrade urllib3 using pip alone. I'm not sure there's a way we can both use static build system and disallow users from installing urllib3 v2.0 on a system with OpenSSL <1.1.1 so any guard rails here would be for cleaning up the mess afterwards? Perhaps we can point to documentation on how to unmangle your system if you've upgraded urllib3 after running pip install with system Python?
The system unbundled system pip is usually on a very old python version
True, so the system would also have to have Python 3.7-3.9 installed to have this issue since urllib3 v2.0 requires 3.7+ and 3.10 requires OpenSSL 1.1.1+.
Are there any distributions with an unbundled pip with openssl < 1.1.1 running on python 3.7+?
Probably not. Outside of anyone else bringing a good reason for us to support OpenSSL 1.1.0 or earlier we're going to drop support of OpenSSL <1.1.1. Going to update this issue appropriately.
@mgorny Is requiring OpenSSL 1.1.1+ for urllib3 2.0 going to be a problem for Gentoo?
Not at all, Gentoo stable is at 1.1.1o already.
(Thanks for asking)
Amazon Linux 2 has an openssl11 package but comes with OpenSSL 1.0.2 preinstalled:
But then it's also preinstalled with Python 2.7:
Updated the list above with that information. I don't think that changes our plans. (I'm also not claiming that issue even if I completed the first item.)
Could not import extension sphinx.builders.linkcheck (exception: urllib3 v2.0 only supports OpenSSL 1.1.1+ currently the 'ssl' module is compiled with OpenSSL 1.0.2n 7 Dec 2017. See: urllib3/urllib3#2168) Signed-off-by: jshwi <stephen@jshwisolutions.com>
This changes it to "3.7" rather than specifically requesting 3.7.1. The specific patch version 3.7.1 may have been specified because that is the lowest version of Python this software supports (and is given as such in setup.cfg). But requesting a version number on CI like 3.7 gets whatever 3.7.* patch version is available, which in practice, these days, is always at least 3.7.1 and usually a much later patch. (Likewise, the other versions, like 3.11, don't require 3.11.0 and get later patch versions.)

Changing it from 3.7.1 to 3.7 to allow a later patch version fixes the following error:

```
Traceback:
/usr/local/lib/python3.7/importlib/__init__.py:127: in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
openai/__init__.py:19: in <module>
    from openai.api_resources import (
openai/api_resources/__init__.py:1: in <module>
    from openai.api_resources.audio import Audio # noqa: F401
openai/api_resources/audio.py:4: in <module>
    from openai import api_requestor, util
openai/api_requestor.py:22: in <module>
    import requests
/usr/local/lib/python3.7/site-packages/requests/__init__.py:43: in <module>
    import urllib3
/usr/local/lib/python3.7/site-packages/urllib3/__init__.py:42: in <module>
    "urllib3 v2.0 only supports OpenSSL 1.1.1+, currently "
E   ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.1.0f 25 May 2017'. See: urllib3/urllib3#2168
```
In case it helps others – official guidance on what to do with this error is here: urllib3 - Migrating from 1.x to 2.0 – Common upgrading issues. In particular this details good options for users of AWS Lambda, RHEL 7, Read the Docs, Amazon Linux 2 (for example Vercel).
The AR release notes job fails on the below error. Error: ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with OpenSSL 1.0.2k-fips Ref: urllib3/urllib3#2168 Change-Id: I857b74140f604eab53de98f2edbeeb754272c468 Signed-off-by: Anil Belur <abelur@linuxfoundation.org>
This only applies to LibreSSL, and I believe @gohmc uses OpenSSL.
TLDR: if on Ubuntu, reinstall Python having openssl >= 1.1.1

Had similar problem on our own Ubuntu server. We wanted to keep dependencies updated, so pinning

It appears you don't need to install newer version of python. You can install the same version. The solution was

You can check what version of openssl is "baked into" your python distribution:

```python
import ssl
print(ssl.OPENSSL_VERSION_INFO)
```

For us it worked with Python 3.9 managed by pyenv.
Hey folks, thanks to everyone who's given feedback on this issue. We're going to lock the discussion for now and point people to our migration guide which covers what you should do to continue using the latest version of urllib3. There were some integration issues that have been resolved or documented in the latest versions of urllib3, requests, botocore, and other packages. To make that apparent to casual readers we will be minimizing the comments in the discussion that are related to these issues or have been covered in the migration guide. Please follow the official migration guide and if the case you're experiencing isn't covered please open a new issue or ask in our community Discord.
Context
The TLS situation in Python has considerably improved since the early years of urllib3, thanks to the hard work of persons like Christian Heimes and Cory Benfield. urllib3 took advantage of new features even when only a subset of users could use it, and still accepts OpenSSL versions that don't have SNI, for example.
Here's what OpenSSL currently supports:
RHEL 6 supports 1.0.1e+ and RHEL 7 only supports 1.0.2k and beyond.
We also know that Python 3.10+ will require OpenSSL 1.1.1+ thanks to PEP 644.
Given this the only operating systems that would be in a tough spot if we decide to drop support for OpenSSL <1.1.1 are OSes who:
The combination of the above three is very unlikely. We've identified a few OSes we'd like to evaluate to make sure before we release v2.0:
Minimum requirements
💰 You can get paid to complete this issue! Please read the docs for more information.
`ImportError` if not OpenSSL or `ssl.OPENSSL_VERSION < (1, 1, 1)` with a message about urllib3 v2.0 requiring OpenSSL 1.1.1+
`ssl` module that are due to OpenSSL <1.1.1 (`minimum_version`, `HAS_SNI`, `_is_openssl_gt_v1_1_1`, more examples below)
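
A preflight check in the spirit of the minimum requirement above, meant to be run on a host or CI image before urllib3 is upgraded there; it is an added example, not urllib3's own code. The function names are assumptions, and the sample strings marked as constructed do not come from the thread.

```python
import re
import ssl

MIN_OPENSSL = (1, 1, 1)  # floor this issue settles on for urllib3 v2.0

# Matches the start of ssl.OPENSSL_VERSION, e.g. "OpenSSL 1.0.2k-fips  26 Jan 2017".
# The letter suffix ("k", "o") and the build date are ignored for the comparison.
_VERSION_RE = re.compile(
    r"^(?P<lib>[A-Za-z]+)\s+(?P<maj>\d+)\.(?P<min>\d+)\.(?P<patch>\d+)"
)


def parse_ssl_version(text):
    """Return (library_name, (major, minor, patch)) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    return m["lib"], (int(m["maj"]), int(m["min"]), int(m["patch"]))


def evaluate(text):
    """Return (ok, reason) for a version string as reported by the ssl module.

    Works on ssl.OPENSSL_VERSION of the running interpreter as well as on
    strings copied out of an ImportError in a build log.
    """
    parsed = parse_ssl_version(text)
    if parsed is None:
        # Fail closed: an unknown backend is treated as unsupported.
        return False, f"unrecognised ssl version string: {text!r}"
    lib, version = parsed
    dotted = ".".join(str(part) for part in version)
    if lib != "OpenSSL":
        return False, f"ssl module is compiled with {lib} {dotted}, not OpenSSL"
    if version < MIN_OPENSSL:
        return False, f"OpenSSL {dotted} is older than the 1.1.1 floor"
    return True, f"OpenSSL {dotted} meets the 1.1.1 floor"


def check_running_interpreter():
    """Evaluate the OpenSSL build linked into this Python's ssl module."""
    return evaluate(ssl.OPENSSL_VERSION)


# Version strings quoted in error messages in this thread, plus constructed ones.
SAMPLES = [
    "OpenSSL 1.0.2n  7 Dec 2017",    # from the thread
    "OpenSSL 1.1.0f  25 May 2017",   # from the thread
    "OpenSSL 1.0.2k-fips",           # from the thread
    "OpenSSL 1.1.1o  3 May 2022",    # version from the thread, date constructed
    "OpenSSL 3.0.2 15 Mar 2022",     # constructed
    "LibreSSL 3.3.6",                # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = evaluate(sample)
        print(f"{'OK  ' if ok else 'FAIL'} {sample!r}: {reason}")
    ok, reason = check_running_interpreter()
    print(f"this interpreter: {'OK' if ok else 'FAIL'} ({reason})")
    # A non-zero exit lets a CI step or provisioning script block the upgrade.
    raise SystemExit(0 if ok else 1)
```
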