classification
Title: Broken OpenSSL version in Windows builds
Type: behavior
Stage: resolved
Components: Build, Windows
Versions: Python 3.4, Python 3.3
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: loewis
Nosy List: Yogesh.Chaudhari, georg.brandl, larry, loewis, pitrou, python-dev, sdrees
Priority: release blocker
Keywords: patch

Created on 2013-05-12 11:24 by pitrou, last changed 2013-05-15 22:27 by loewis. This issue is now closed.

Files
File name | Uploaded | Description
issue17962.patch | Yogesh.Chaudhari, 2013-05-12 14:44 | Patch to use openssl1.0.1e
Messages (12)
msg189018 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-05-12 11:24
3.3 and default are currently fetching OpenSSL 1.0.1d for the Windows builds.

It seems OpenSSL 1.0.1d was a kind of "brown paper bag" release, they've released 1.0.1e since (some of test_ssl can fail on 1.0.1d and succeed on 1.0.1e, as experienced on my Linux setup; the Windows buildbots also exhibit similar failures).

Following is their description of the fix:

“Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
     supporting platforms or when small records were transferred.
     [Andy Polyakov, Steve Henson]”
msg189039 - (view) Author: Yogesh Chaudhari (Yogesh.Chaudhari) * Date: 2013-05-12 14:44
The following patch will make use of 1.0.1e version of OpenSSL
msg189052 - (view) Author: Roundup Robot (python-dev) Date: 2013-05-12 17:55
New changeset d047928ae3f6 by Georg Brandl in branch '3.3':
Closes #17962: Build with OpenSSL 1.0.1e on Windows.
http://hg.python.org/cpython/rev/d047928ae3f6
msg189073 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-05-12 23:25
Apparently it lacks the required SVN addition:

The system cannot find the file specified.
svn: E170000: URL 'http://svn.python.org/projects/external/openssl-1.0.1e' doesn't exist
msg189077 - (view) Author: Yogesh Chaudhari (Yogesh.Chaudhari) * Date: 2013-05-12 23:56
I am not sure how http://www.openssl.org/source/openssl-1.0.1e.tar.gz can be provided to python svn. Doesn't that require svn credentials to check-out/add/check-in?
msg189100 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-05-13 05:58
Yes, someone with SVN write access (Georg?) will have to do it.
msg189101 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2013-05-13 06:13
I could, but the checked-in 1.0.1d is different from the tarball in some respects, so it's better for Martin to do this.
msg189106 - (view) Author: Yogesh Chaudhari (Yogesh.Chaudhari) * Date: 2013-05-13 08:25
I would like to take a crack at it. Would it be possible (I mean permission-wise)? How can I proceed?
msg189108 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-05-13 08:49
I don't know how much work there is. Perhaps you want to produce a diff between the current "external" 1.0.1d and the upstream version. Otherwise just let Georg or Martin handle it ;)
msg189125 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2013-05-13 12:02
I don't know what there is to do, so I can give no instructions.  It's best to let Martin handle it.
msg189128 - (view) Author: Yogesh Chaudhari (Yogesh.Chaudhari) * Date: 2013-05-13 13:24
@Antoine and @Georg:

You are right. There is nothing much to be done. The only differences are those of auto-generated files like Makefile and other config files created after running the ./config script.

This just needs a simple add/commit from the openssl site. It seems there is nothing else AFAICS
msg189316 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2013-05-15 22:27
I have now updated the code.

Yogesh: It is somewhat more than just committing the source; the assembler files need to be generated. The objective is to not require Perl on the build machines.
History
Date | User | Action | Args
2013-05-15 22:27:05 | loewis | set | status: open -> closed; messages: + msg189316
2013-05-13 13:24:04 | Yogesh.Chaudhari | set | messages: + msg189128
2013-05-13 12:02:42 | georg.brandl | set | messages: + msg189125
2013-05-13 08:49:36 | pitrou | set | messages: + msg189108
2013-05-13 08:25:23 | Yogesh.Chaudhari | set | messages: + msg189106
2013-05-13 06:13:14 | georg.brandl | set | assignee: loewis; messages: + msg189101
2013-05-13 05:58:08 | pitrou | set | messages: + msg189100
2013-05-12 23:56:51 | Yogesh.Chaudhari | set | messages: + msg189077
2013-05-12 23:25:35 | pitrou | set | status: closed -> open; messages: + msg189073
2013-05-12 17:55:18 | python-dev | set | status: open -> closed; nosy: + python-dev; messages: + msg189052; resolution: fixed; stage: resolved
2013-05-12 14:44:57 | Yogesh.Chaudhari | set | files: + issue17962.patch; nosy: + Yogesh.Chaudhari; messages: + msg189039; keywords: + patch
2013-05-12 14:14:54 | sdrees | set | nosy: + sdrees
2013-05-12 11:24:05 | pitrou | create |
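
Added example, not part of the original issue thread or of CPython's build scripts: a check for whether an interpreter's ssl module is linked against the 1.0.1d release discussed above. The function names are hypothetical, and the two sample version numbers in the comments are constructed from OpenSSL's documented pre-3.0 0xMNNFFPPS layout.

```python
import ssl
from typing import NamedTuple


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: int   # 0 = no letter, 1 = 'a', 2 = 'b', ...
    status: int  # 0xF = release, 0 = development, otherwise beta number

    def __str__(self):
        # Letter form is only meaningful for the pre-3.0 numbering scheme.
        letter = chr(ord("a") + self.patch - 1) if self.patch else ""
        return f"{self.major}.{self.minor}.{self.fix}{letter}"


def decode_version_number(number):
    """Decode OPENSSL_VERSION_NUMBER using the pre-3.0 layout 0xMNNFFPPS."""
    return OpenSSLVersion(
        major=(number >> 28) & 0xF,
        minor=(number >> 20) & 0xFF,
        fix=(number >> 12) & 0xFF,
        patch=(number >> 4) & 0xFF,
        status=number & 0xF,
    )


# 1.0.1d: the release whose CVE-2013-0169 fix the 1.0.1e changelog corrects.
# Constructed sample values: 1.0.1d = 0x1000104F, 1.0.1e = 0x1000105F.
BROKEN_RELEASE = (1, 0, 1, 4)


def is_broken_101d(number):
    """True only for OpenSSL 1.0.1d, whatever its status nibble."""
    return decode_version_number(number)[:4] == BROKEN_RELEASE


def check_linked_openssl():
    """Return (version string, is-1.0.1d flag) for the running interpreter."""
    return ssl.OPENSSL_VERSION, is_broken_101d(ssl.OPENSSL_VERSION_NUMBER)


if __name__ == "__main__":
    text, broken = check_linked_openssl()
    verdict = "is 1.0.1d, rebuild against 1.0.1e or later" if broken else "is not 1.0.1d"
    print(f"{text}: {verdict}")
```

Run it with each installed interpreter on a Windows host; the result reflects the OpenSSL bundled into that build, not any system-wide copy.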