classification
Title: Provide configure option --with-ssl for compilation with custom openssl
Type: enhancement Stage: resolved
Components: Build, SSL Versions: Python 3.6
process
Status: closed Resolution: duplicate
Dependencies: Superseder: Use autoconf to detect OpenSSL and libssl features
View: 32598
Assigned To: christian.heimes Nosy List: berker.peksag, christian.heimes, gregory.p.smith, machyniak, maker, ned.deily, r.david.murray, ronaldoussoren
Priority: normal Keywords: patch

Created on 2014-05-20 13:46 by machyniak, last changed 2018-02-25 20:18 by christian.heimes. This issue is now closed.

Files
File name Uploaded Description Edit
issue21541-patch.diff machyniak, 2014-05-20 15:11
Messages (8)
msg218844 - (view) Author: Pavel Machyniak (machyniak) * Date: 2014-05-20 13:46
There is no easy way to build python with custom openssl build. This can lead to miscellaneous problems (like segmentation faults) in various situations/configurations (see eg. http://stackoverflow.com/questions/22409092/coredump-when-compiling-python-with-a-custom-openssl-version). The problems usually arise when different version of openssl headers and libs are used, or when different versions of openssl is required within one process (eg. using python within apache httpd process (mod_wsgi or mod_python) + some other module that uses explicitly updated/newer/incompatible version of openssl).

The best way to workaround this problem would be to have the clear way how to build python with specific openssl version. The best way would by to use configure options --with-ssl=PATH optionally with --with-ssl-includes=PATH and --with-ssl-libs=PATH. In this case, setup.py shall not search for openssl but shall use the explicitly specified one.

I will shortly provide the patch for the current version of configure and setup.py.

See related issues:
 - http://bugs.python.org/issue5575
 - http://bugs.python.org/issue16660
msg218845 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2014-05-20 14:06
Aren't things like this normally accomplished by editing Modules/Setup?  Granted, that's not the most convenient build API...
msg218846 - (view) Author: Pavel Machyniak (machyniak) * Date: 2014-05-20 15:11
This is the proposed patch (compared 2 trees src & upd where src is latest release 3.4.1, upd is my working). Changes are in: configure, setup.py. Please review it and hopefully integrate to future releases.
msg219385 - (view) Author: Ronald Oussoren (ronaldoussoren) * (Python committer) Date: 2014-05-30 11:20
Isn't Modules/Setup used for builtin modules?

The proposed configure flags are easier to find because similar flags are used by other projects using autoconf. 

Note that on OSX you could use "CFLAGS=-I/path/to/ssl/include LDFLAGS=-L/path/to/ssl/lib", because setup.py contains code to add directories from those flags to its search path for headers and libraries, but only for OSX because I was overly cautious when adding that code.
msg219441 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2014-05-31 04:51
"Isn't Modules/Setup used for builtin modules?"

One of the better kept secrets of Python is that Modules/Setup can be used for building shared modules as well.  I didn't know that until looking into it recently as a result of RDM's comment.  See Issue17095.
msg273899 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2016-08-30 03:37
We use Modules/Setup.local to build the _ssl and _hashlib modules against our an SSL library of our choosing at work using a Setup entry like this:

_ssl _ssl.c $(PY_CORE_CFLAGS) -DUSE_SSL -I%{SSL_ROOT}/include \
	-Wl,--version-script,_ssl.lds \
	-Wl,-Bsymbolic \
	%{SSL_ROOT}/libssl.a %{SSL_ROOT}/libcrypto.a

%{SSL_ROOT} is replaced prior to building using sed to drop in the path to our desired libssl build.

_ssl.lds is a linker script to hide all but the module init function as we are linking statically.

MODULE__ssl {
  global: PyInit__ssl;
  local: *;
};


(all that said, I still see how a configure flag would be nicer for many people even though the existing patch does not look like it would work for our own static linking needs - one reason we do that being to avoid dynamic versioning issues)
msg275250 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2016-09-09 04:21
machyniak: Your patch appears to be missing the diff to configure.ac.
msg312851 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-02-25 20:18
Python 3.7+ uses https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html to detect OpenSSL. It provides --with-openssl=DIR or can utilize pkg-config.

I'm closing this feature issue as duplicate of #32598.
History
Date User Action Args
2018-02-25 20:18:40christian.heimessetstatus: open -> closed
superseder: Use autoconf to detect OpenSSL and libssl features
messages: + msg312851

resolution: duplicate
stage: needs patch -> resolved
2016-09-15 07:49:32christian.heimessetassignee: christian.heimes
components: + SSL
2016-09-09 04:21:00gregory.p.smithsetmessages: + msg275250
stage: patch review -> needs patch
2016-09-08 22:53:12christian.heimeslinkissue5575 superseder
2016-09-08 15:43:49christian.heimessetnosy: + christian.heimes

stage: patch review
2016-08-30 03:37:36gregory.p.smithsetversions: + Python 3.6, - Python 3.4
2016-08-30 03:37:22gregory.p.smithsetnosy: + gregory.p.smith
messages: + msg273899
2016-08-26 20:28:56berker.peksagsetnosy: + berker.peksag
2014-05-31 04:51:53ned.deilysetnosy: + ned.deily
messages: + msg219441
2014-05-30 11:20:42ronaldoussorensetnosy: + ronaldoussoren
messages: + msg219385
2014-05-21 09:55:55makersetnosy: + maker
2014-05-20 15:11:20machyniaksetfiles: + issue21541-patch.diff
keywords: + patch
messages: + msg218846

versions: + Python 3.4, - Python 3.5
2014-05-20 14:06:48r.david.murraysetnosy: + r.david.murray
messages: + msg218845
2014-05-20 13:46:54machyniakcreate