gh-131423: Update to OpenSSL 3.0.16. #131839

Merged
merged 5 commits into from
Mar 28, 2025

zooba
Member

@zooba zooba commented Mar 28, 2025

The bin tag is 3.0.16.1 because we rebuilt without uplink support to fix gh-131804.
This PR also prevents making calls that are now unsafe without uplink, and updates the tests to properly interpret these failures as unsupported.
The PCbuild/openssl.vcxproj project is updated, even though it is not used by our own builds.

zooba added 2 commits March 28, 2025 13:01
The bin tag is 3.0.16.1 because we rebuilt without uplink support to fix pythongh-131804.
This PR also prevents making calls that are now unsafe without uplink, and updates
the tests to properly interpret these failures as unsupported.
@zooba zooba added OS-windows needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Mar 28, 2025
@zooba zooba requested a review from a team as a code owner March 28, 2025 13:21
@zooba zooba requested a review from picnixz March 28, 2025 13:26
@zooba zooba requested a review from sethmlarson as a code owner March 28, 2025 13:31
Member

@picnixz picnixz left a comment

Do you want to also update the CI (only the 3.0.15 -> 3.0.16)?

@@ -4427,6 +4427,12 @@ _ssl__SSLContext_load_dh_params_impl(PySSLContext *self, PyObject *filepath)
FILE *f;
DH *dh;

#if defined(MS_WINDOWS) && defined(_DEBUG)
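
Review bot: the `#if defined(MS_WINDOWS) && defined(_DEBUG)` guard added at the top of `_ssl__SSLContext_load_dh_params_impl` has no comment in the visible lines saying why Windows debug builds take a different path. Suggest a one-line comment above it that ties the guard to the OpenSSL rebuild without uplink support (gh-131804) and notes that `_DEBUG` is used because it tracks the debug CRT, which is not the same condition as `!defined(NDEBUG)`. It is also worth checking that `f` and `dh`, declared just above the guard, do not produce unused-variable warnings in the guarded configuration.
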
Member

Is _DEBUG the canonical "NDEBUG" for Windows builds? (just asking)

Member Author

They're opposite. _DEBUG basically means linking to the debug CRT (and asserts are enabled), while NDEBUG means linking to the non-debug CRT (and asserts are disabled).

Member

@picnixz picnixz Mar 28, 2025

Ah yes, what I meant is "is it common to use the _DEBUG macro instead of the !defined(NDEBUG) one" (I think I've only seen Py_DEBUG and NDEBUG usage but not _DEBUG)

Member Author

I guess it's personal preference? _DEBUG is defined by the compiler based on the runtime library which is what I wanted, while NDEBUG controls the behaviour of assert.

So it's technically possible to define them both at once, but generally you don't, and I wouldn't suggest it in a codebase like ours because it's almost certainly assuming they are mutually exclusive.

@zooba
Member Author

zooba commented Mar 28, 2025

> Do you want to also update the CI (only the 3.0.15 -> 3.0.16)?

Windows CI should pick up the change from get_externals.bat, so there's nothing else to change? Did someone add something else?

@picnixz
Member

picnixz commented Mar 28, 2025

Ah no my bad, I forgot that Ubuntu also tested the 3.0.x versions but they are not related to the Windows ones (namely, we don't have a Windows build only with OpenSSL)

@zooba zooba merged commit d260631 into python:main Mar 28, 2025
42 checks passed
@miss-islington-app

Thanks @zooba for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12, 3.13.
🐍🍒⛏🤖

@zooba zooba deleted the gh-131423 branch March 28, 2025 15:08
@miss-islington-app

Sorry, @zooba, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker d260631be063d97f1a6d1c8f9fa2ce9b0e4f8a58 3.13

@miss-islington-app

Sorry, @zooba, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker d260631be063d97f1a6d1c8f9fa2ce9b0e4f8a58 3.12

@bedevere-app

bedevere-app bot commented Mar 28, 2025

GH-131848 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Mar 28, 2025
@bedevere-app

bedevere-app bot commented Mar 28, 2025

GH-131849 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Mar 28, 2025
zooba added a commit to zooba/cpython that referenced this pull request Mar 28, 2025
zooba added a commit to zooba/cpython that referenced this pull request Mar 28, 2025
zooba added a commit that referenced this pull request Mar 28, 2025
zooba added a commit that referenced this pull request Mar 28, 2025
seehwan pushed a commit to seehwan/cpython that referenced this pull request Apr 16, 2025

Successfully merging this pull request may close these issues.

test_ssl failures in free threading Windows optimized builds