See http://stackoverflow.com/questions/33962928/alternative-to-m2cryptos-evp-in-python-3

Mainly because we'd like to have TLS 1.2.

A lot of work has already been done (https://gerrit.ovirt.org/#/q/m2crypto) - is this still in NEW state?

(In reply to Yaniv Kaul from comment #3)
> A lot of work has already been done (https://gerrit.ovirt.org/#/q/m2crypto)

AFAIU almost all the work done there for removing m2crypto is on vdsm, not engine-setup (and similar).

> - is this still in NEW state?

Yes, AFAIU.

IIRC the only relevant patch is [1], which was pushed against a different, more-specific bug, with the intention to support recent fedora (but still with python2 - although that patch does help current bug as well).

I didn't look yet what was done in vdsm. We should probably follow it.

[1] https://gerrit.ovirt.org/#/c/73148/

Gal, following our discussion from yesterday: It seems like we'll have to make 4.3 work in both el7 (python2) and recent fedora (28, or 29). So please check the status of the ssl builtin library in python 2.7, and if it's not good enough (or not as good as python 3), we'll have to make the code work with either m2crypto or ssl, depending on (perhaps) python version.

It might be best to do this by moving all ssl-related code to a separate library, e.g. packaging/setup/ovirt_engine_setup, or even in ovirt-setup-lib, that encapsulates all our uses of ssl, and can work with either. It might be best to do this anyway...

M2Crypto supports py3 from version 0.28 as you can see here:
https://gitlab.com/m2crypto/m2crypto/blob/master/CHANGES

and here: http://py3readiness.org/

we probably need to require m2crypto is above 0.28 but that's for a different bug