Python SNI


Python SNI

Lee Jones

Hi all,

We are currently using Python 2.7.6 that is shipped with Ubuntu 14.04.

My understanding is that Server Name Identification (SNI) is only supported in Python 2.7.9.

Does anyone know if there are plans to include SNI support in the current Ubuntu 14.04 Python version?

Thanks

Lee


--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Python SNI

Luke Faraone-2
Hi Lee,

Ubuntu's Stable Release Updates policy doesn't generally permit adding new features to released packages.

Cheers,
Luke Faraone

On 14 November 2017 at 21:57, Lee Jones <[hidden email]> wrote:

> Hi all,
>
> We are currently using Python 2.7.6 that is shipped with Ubuntu 14.04.
>
> My understanding is that Server Name Identification (SNI) is only supported in Python 2.7.9.
>
> Does anyone know if there are plans to include SNI support in the current Ubuntu 14.04 Python version?
>
> Thanks
>
> Lee






--
Luke Faraone;; Debian & Ubuntu Developer; Sugar Labs; MIT SIPB
lfaraone on irc.[freenode,oftc].net -- https://luke.wf/ohhello
PGP fprint: 8C82 3DED 10AA 8041 639E  1210 5ACE 8D6E 0C14 A470

Re: Python SNI

Thomas Ward
If you need the nonstandard python I would suggest rolling a virtualenv for Python in your system. It works fairly well - I’ve got multiple newer Python running on my Xenial box for things that need it.




On Nov 16, 2017, at 14:44, Luke Faraone <[hidden email]> wrote:

> Hi Lee,
>
> Ubuntu's Stable Release Updates policy doesn't generally permit adding new features to released packages.
>
> Cheers,
> Luke Faraone


Re: Python SNI

Lee Jones

Hi Luke/Thomas,

Thanks for the response!

We want to avoid installing Python from source if possible - we run a mission critical system in production and need to ensure that we use the version of Python provided with Ubuntu; our view is that this version is stable and installing a version from source could lead to compatibility issues.

We appreciate that Stable Release Updates policy, however we were wondering if SNI could be considered for backporting based on a security concern? Over the past twelve months SNI has grown in popularity and many web hosting companies have now adopted it. Without supporting SNI, it is not possible to verify the common name in the website SSL certificate with the website domain.

Please let me know your thoughts on this and really appreciate your time!

Thanks

Lee

From: Thomas Ward <[hidden email]>
Date: Thursday, 16 November 2017 at 19:56
To: Luke Faraone <[hidden email]>
Cc: Lee Jones <[hidden email]>, "[hidden email]" <[hidden email]>
Subject: Re: Python SNI

> If you need the nonstandard python I would suggest rolling a virtualenv for Python in your system. It works fairly well - I’ve got multiple newer Python running on my Xenial box for things that need it.
Re: Python SNI

Colin Watson
On Thu, Nov 16, 2017 at 08:14:39PM +0000, Lee Jones wrote:

> We want to avoid installing Python from source if possible - we run a
> mission critical system in production and need to ensure that we use
> the version of Python provided with Ubuntu; our view is that this
> version is stable and installing a version from source could lead to
> compatibility issues.
>
> We appreciate that Stable Release Updates policy, however we were
> wondering if SNI could be considered for backporting based on a
> security concern? Over the past twelve months SNI has grown in
> popularity and many web hosting companies have now adopted it. Without
> supporting SNI, it is not possible to verify the common name in the
> website SSL certificate with the website domain.

One thing I'd say is that this does carry a somewhat higher risk of
regressions for users of the package than usual.

When we upgraded launchpad.net from Ubuntu 12.04 to 16.04 earlier this
year, we of course ended up with the SNI changes as a result, but
because it was part of a scheduled upgrade we were able to make most of
the code changes that we had to make to cope with this in advance.  (For
example, we now have to tell python-openid about the certificate of our
test OpenID provider in our test suite, which we couldn't do before
because urllib2.urlopen didn't take a "cafile" argument in earlier
versions of Python.)  Even with that preparation, we missed a bit and
suffered a regression in production related to commercial subscriptions
(https://bugs.launchpad.net/launchpad/+bug/1688361).  As a scheduled
upgrade, though, this was something we could deal with and gain most of
the assurance we needed in advance by running our test suite on 16.04;
it would have been much more problematic if it had suddenly appeared as
part of routine stable upgrades.

The SNI changes to Python are pretty extensive and touch quite a few
modules.  If I were in your position, I would instead be organising a
scheduled upgrade to 16.04.  (Indeed, I pretty much was in your position
earlier this year - Launchpad is a mission-critical production site -
and this is exactly what we did.)  This would bring in the SNI changes
as well as many other improvements; you're going to have to do it anyway
eventually; and it wouldn't carry the same risk of regressions for other
users.

I'm not in a position to answer for Ubuntu's Python maintenance; this is
just some perspective as a user.

--
Colin Watson                                       [[hidden email]]

Re: Python SNI

Lee Jones
Hi Colin,

Thanks for the response.

Based on your feedback we’ve decided to move forward and upgrade to Ubuntu 16 (

Again, thanks for your feedback it’s been much appreciated!

Thanks
Lee

On 17/11/2017, 10:38, "Colin Watson" <[hidden email]> wrote:

    On Thu, Nov 16, 2017 at 08:14:39PM +0000, Lee Jones wrote:
    > We want to avoid installing Python from source if possible - we run a
    > mission critical system in production and need to ensure that we use
    > the version of Python provided with Ubuntu; our view is that this
    > version is stable and installing a version from source could lead to
    > compatibility issues.
    >
    > We appreciate that Stable Release Updates policy, however we were
    > wondering if SNI could be considered for backporting based on a
    > security concern? Over the past twelve months SNI has grown in
    > popularity and many web hosting companies have now adopted it. Without
    > supporting SNI, it is not possible to verify the common name in the
    > website SSL certificate with the website domain.
   
    One thing I'd say is that this does carry a somewhat higher risk of
    regressions for users of the package than usual.
   
    When we upgraded launchpad.net from Ubuntu 12.04 to 16.04 earlier this
    year, we of course ended up with the SNI changes as a result, but
    because it was part of a scheduled upgrade we were able to make most of
    the code changes that we had to make to cope with this in advance.  (For
    example, we now have to tell python-openid about the certificate of our
    test OpenID provider in our test suite, which we couldn't do before
    because urllib2.urlopen didn't take a "cafile" argument in earlier
    versions of Python.)  Even with that preparation, we missed a bit and
    suffered a regression in production related to commercial subscriptions
    (https://bugs.launchpad.net/launchpad/+bug/1688361).  As a scheduled
    upgrade, though, this was something we could deal with and gain most of
    the assurance we needed in advance by running our test suite on 16.04;
    it would have been much more problematic if it had suddenly appeared as
    part of routine stable upgrades.
   
    The SNI changes to Python are pretty extensive and touch quite a few
    modules.  If I were in your position, I would instead be organising a
    scheduled upgrade to 16.04.  (Indeed, I pretty much was in your position
    earlier this year - Launchpad is a mission-critical production site -
    and this is exactly what we did.)  This would bring in the SNI changes
    as well as many other improvements; you're going to have to do it anyway
    eventually; and it wouldn't carry the same risk of regressions for other
    users.
   
    I'm not in a position to answer for Ubuntu's Python maintenance; this is
    just some perspective as a user.
   
    --
    Colin Watson                                       [[hidden email]]
   
