Skip to content

gh-146207: Add support for OpenSSL 4.0.0 alpha1#146217

Draft
vstinner wants to merge 5 commits intopython:mainfrom
vstinner:openssl4
Draft

gh-146207: Add support for OpenSSL 4.0.0 alpha1#146217
vstinner wants to merge 5 commits intopython:mainfrom
vstinner:openssl4

Conversation

@vstinner
Copy link
Member

@vstinner vstinner commented Mar 20, 2026
edited by bedevere-app bot
Loading

OpenSSL 4.0.0 alpha1 no longer defines the symbols:

  • SSLv3_method
  • TLSv1_method
  • TLSv1_1_method
  • TLSv1_2_method

@vstinner
pythongh-146207: Add support for OpenSSL 4.0.0 alpha1
9359f01 
OpenSSL 4.0.0 alpha1 no longer defines the symbols:

* SSLv3_method
* TLSv1_method
* TLSv1_1_method
* TLSv1_2_method
@bedevere-app bedevere-app bot mentioned this pull request Mar 20, 2026
Open
@vstinner
Copy link
Member Author

vstinner commented Mar 20, 2026

I didn't test my own change on OpenSSL 4.0.0 alpha1, I only asked @heitbaum to test my change.

@zware
Copy link
Member

zware commented Mar 20, 2026

@vstinner This patch (should, probably :) ) be enough to get you a test in CI, even if we don't want to merge it yet:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2fa2ab768dc..40feaef01ce 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -275,6 +275,7 @@ jobs:
           - { name: openssl, version: 3.4.4 }
           - { name: openssl, version: 3.5.5 }
           - { name: openssl, version: 3.6.1 }
+          - { name: openssl, version: 4.0.0-alpha1 }
           ## AWS-LC
           - { name: aws-lc, version: 1.68.0 }
     env:

@vstinner
Copy link
Member Author

vstinner commented Mar 20, 2026

I applied @zware's patch: Tests / Ubuntu SSL tests (ubuntu-24.04, openssl, 4.0.0-alpha1) job is currently running.

@vstinner This patch (should, probably :) ) be enough to get you a test in CI, even if we don't want to merge it yet

Yeah, I will revert this patch once we get the openssl, 4.0.0-alpha1 CI job result.

@zware
Copy link
Member

zware commented Mar 20, 2026

Not as simple as hoped :(. I can reproduce the CI failure locally, though; there's a missing symlink (or openssl is just looking in the wrong place) for lib -> lib64 in the openssl install directory.

With that, I get these failures:

2 tests failed:                   
    test_ssl test_urllib2_localnet
                                               
43 tests OK.
                                               
0:00:23 load avg: 3.07 Re-running 2 failed tests in verbose mode in subprocesses
0:00:23 load avg: 3.07 Run 2 tests in parallel using 2 worker processes
0:00:24 load avg: 3.07 [1/2/1] test_ssl failed (1 failure)
Re-running test_ssl in verbose mode (matching: test_openssl_version)
test_ssl: testing with 'OpenSSL 4.0.0-alpha1 10 Mar 2026' (4, 0, 0, 0, 0)
          under 'Linux-6.19.7-200.fc43.x86_64-x86_64-with-glibc2.42'                                                                                                                         
          HAS_SNI = True   
          OP_ALL = 0x80000050
          OP_NO_TLSv1_1 = 0x10000000
test_openssl_version (test.test_ssl.BasicSocketTests.test_openssl_version) ... FAIL
                                               
======================================================================
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests.test_openssl_version)
----------------------------------------------------------------------
Traceback (most recent call last):                                                                                                                                                           
  File "/path/to/cpython/bump_multissl_awslc/Lib/test/test_ssl.py", line 590, in test_openssl_version
    self.assertLess(n, 0x40000000)         
    ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^                                                                                                                                                           
AssertionError: 1073741824 not less than 1073741824     
                                                                                              
----------------------------------------------------------------------                                                                                                                       
Ran 1 test in 0.007s                      
FAILED (failures=1)                                                                                                                                                                          
test test_ssl failed
0:00:24 load avg: 3.07 [2/2/2] test_urllib2_localnet failed (2 errors)                                                                                                                       
Re-running test_urllib2_localnet in verbose mode (matching: test_https, test_https_sni)
test_https (test.test_urllib2_localnet.TestUrlopen.test_https) ... ERROR
stopping HTTPS server                                                                         
joining HTTPS thread                 
test_https_sni (test.test_urllib2_localnet.TestUrlopen.test_https_sni) ... ERROR
stopping HTTPS server            
joining HTTPS thread     
                                               
======================================================================
ERROR: test_https (test.test_urllib2_localnet.TestUrlopen.test_https)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/path/to/cpython/bump_multissl_awslc/Lib/test/test_urllib2_localnet.py", line 569, in test_https
    data = self.urlopen("https://localhost:%s/bizarre" % handler.port, context=context)
  File "/path/to/cpython/bump_multissl_awslc/Lib/test/test_urllib2_localnet.py", line 473, in urlopen
    l.extend(f.readlines(200))
             ~~~~~~~~~~~^^^^^
  File "/path/to/cpython/bump_multissl_awslc/Lib/http/client.py", line 714, in readline
    result = self.fp.readline(limit)
  File "/path/to/cpython/bump_multissl_awslc/Lib/socket.py", line 734, in readinto
    return self._sock.recv_into(b)
           ~~~~~~~~~~~~~~~~~~~~^^^
  File "/path/to/cpython/bump_multissl_awslc/Lib/ssl.py", line 1355, in recv_into
    return self.read(nbytes, buffer)
           ~~~~~~~~~^^^^^^^^^^^^^^^^
  File "/path/to/cpython/bump_multissl_awslc/Lib/ssl.py", line 1154, in read
    return self._sslobj.read(len, buffer)
           ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
ssl.SSLError: A failure in the SSL library occurred (_ssl.c:2977)

======================================================================
ERROR: test_https_sni (test.test_urllib2_localnet.TestUrlopen.test_https_sni)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/path/to/cpython/bump_multissl_awslc/Lib/test/test_urllib2_localnet.py", line 585, in test_https_sni
    self.urlopen("https://localhost:%s" % handler.port, context=context)
    ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/path/to/cpython/bump_multissl_awslc/Lib/test/test_urllib2_localnet.py", line 473, in urlopen
    l.extend(f.readlines(200))
             ~~~~~~~~~~~^^^^^
  File "/path/to/cpython/bump_multissl_awslc/Lib/http/client.py", line 714, in readline
    result = self.fp.readline(limit)
  File "/path/to/cpython/bump_multissl_awslc/Lib/socket.py", line 734, in readinto
    return self._sock.recv_into(b)
           ~~~~~~~~~~~~~~~~~~~~^^^
  File "/path/to/cpython/bump_multissl_awslc/Lib/ssl.py", line 1355, in recv_into
    return self.read(nbytes, buffer)
           ~~~~~~~~~^^^^^^^^^^^^^^^^
  File "/path/to/cpython/bump_multissl_awslc/Lib/ssl.py", line 1154, in read
    return self._sslobj.read(len, buffer)
           ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
ssl.SSLError: A failure in the SSL library occurred (_ssl.c:2977)

----------------------------------------------------------------------
Ran 2 tests in 0.122s

FAILED (errors=2)
test test_urllib2_localnet failed
2 tests failed again:
    test_ssl test_urllib2_localnet

@vstinner vstinner marked this pull request as draft March 20, 2026 16:42
@vstinner
Copy link
Member Author

vstinner commented Mar 20, 2026

I tested multissltests.py using:

python3 Tools/ssl/multissltests.py --steps=library --base-directory "$PWD/multissl" --openssl '4.0.0-alpha1' --system Linux
./configure --with-pydebug --with-openssl=$PWD/multissl/openssl/4.0.0-alpha1/
make

I fixed a few more issues, but make fails with OPENSSL_sk_set_thunks missing symbol:

[ERROR] _ssl failed to import: /home/vstinner/python/main/build/lib.linux-x86_64-3.15/_ssl.cpython-315d-x86_64-linux-gnu.so: undefined symbol: OPENSSL_sk_set_thunks
[ERROR] _ssl (/home/vstinner/python/main/build/lib.linux-x86_64-3.15/_ssl.cpython-315d-x86_64-linux-gnu.so) is missing

@vstinner
Copy link
Member Author

vstinner commented Mar 20, 2026

there's a missing symlink (or openssl is just looking in the wrong place) for lib -> lib64 in the openssl install directory.

I fixed that with a5152be.

@heitbaum
Copy link
Contributor

heitbaum commented Mar 20, 2026

Tested results in #146207 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpshead gpshead Awaiting requested review from gpshead gpshead is a code owner

@picnixz picnixz Awaiting requested review from picnixz picnixz is a code owner

@ezio-melotti ezio-melotti Awaiting requested review from ezio-melotti ezio-melotti is a code owner

@hugovk hugovk Awaiting requested review from hugovk hugovk is a code owner

@AA-Turner AA-Turner Awaiting requested review from AA-Turner AA-Turner is a code owner

@webknjaz webknjaz Awaiting requested review from webknjaz webknjaz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vstinner @zware @heitbaum