(See also the issue #21356.)

http://buildbot.python.org/all/builders/x86%20OpenBSD%205.5%203.x/builds/1242/steps/test/logs/stdio

======================================================================
FAIL: test_options (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/python-builds/3.x.borja-openbsd-x86/build/Lib/test/test_ssl.py", line 764, in test_options
    ctx.options)
AssertionError: -2130705409 != -2097150977

======================================================================
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/python-builds/3.x.borja-openbsd-x86/build/Lib/test/test_ssl.py", line 315, in test_openssl_version
    (s, t))
AssertionError: False is not true : ('LibreSSL 2.1', (2, 0, 0, 0, 0))

changeset:   94041:87976d72fd5c
user:        Victor Stinner <victor.stinner@gmail.com>
date:        Tue Jan 06 11:51:06 2015 +0100
files:       Lib/test/test_ssl.py
description:
test_ssl: add more debug to investigate test_openssl_version() failure on
OpenBSD with LibreSSL.

It looks like OPENSSL_VERSION_NUMBER is consistent with OPENSSL_VERSION_INFO (version 2.1). But the OPENSSL_VERSION contains a different version (2.0). It looks like an issue in LibreSSL.

======================================================================
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/python-builds/3.x.borja-openbsd-x86/build/Lib/test/test_ssl.py", line 315, in test_openssl_version
    (s, t, hex(n)))
AssertionError: False is not true : ('LibreSSL 2.1', (2, 0, 0, 0, 0), '0x20000000')

New changeset 05d7550bd2d9 by Victor Stinner in branch 'default':
Issue #23177: Document that ssl.RAND_egd() is not available with LibreSSL
https://hg.python.org/cpython/rev/05d7550bd2d9

Note that the FreeBSD port modifies the OPENSSL_VERSION_NUMBER and sets the version number to 1.0.1g.
https://svnweb.freebsd.org/ports?view=revision&revision=361642

> Note that the FreeBSD port modifies the OPENSSL_VERSION_NUMBER and sets the version number to 1.0.1g.

Maybe we should remove the test on OPENSSL_VERSION (string) for LibreSSL?

LibreSSL defines in opensslv.h
#define LIBRESSL_VERSION_NUMBER 0x20000000L
#define OPENSSL_VERSION_NUMBER 0x20000000L

And FreeBSD replaces
#define OPENSSL_VERSION_NUMBER 0x1000107fL

Proper way would be to check for LIBRESSL_VERSION_NUMBER string, FreeBSD modifies the OpenSSL version number to indicate its compatibility level (as stated in commit log)

> Proper way would be to check for LIBRESSL_VERSION_NUMBER string, FreeBSD modifies the OpenSSL version number to indicate its compatibility level (as stated in commit log)

Please see the unit test: it checks that the version number and version string are consistent. It's not the case on OpenBSD with LibreSSL (2.0 vs 2.1) nor on FreeBSD (1.0 vs 2.1).

_ssl cannot be compiled with LibreSSL anymore (on OpenBSD 5.5) because of ALPN: see issue #23329.

Hi,

maybe we should add the LIBRESSL_ information available in opensslv.h (as it has be done for OpenSSL):

$ grep LIBRESSL /usr/include/ssl/opensslv.h 
#define LIBRESSL_VERSION_NUMBER 0x20030000L
#define LIBRESSL_VERSION_TEXT   "LibreSSL 2.3.0"
#define OPENSSL_VERSION_TEXT    LIBRESSL_VERSION_TEXT

What do you think about that?

Remi.

I don't care so much of issues introduced by LibreSSL, I don't understand why they broke the API. For me, it doesn't seem right to have a version different if it's a number or if it's a string: OPENSSL_VERSION_NUMBER should be consistent with OPENSSL_VERSION_INFO.

If you propose a patch for Python and it fixes test_ssl, I will apply it :-)

I have fixed all libressl related test failures while I added support for OpenSSL 1.1.0.