classification
Title: Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows
Type: security
Stage: resolved
Components: Build, SSL, Windows
Versions: Python 3.4
process
Status: closed
Resolution: out of date
Dependencies:
Superseder: Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows (View: 27995)
Assigned To: christian.heimes
Nosy List: christian.heimes, larry, paul.moore, scw, steve.dower, tim.golden, zach.ware
Priority: normal
Keywords: patch

Created on 2016-09-07 03:21 by scw, last changed 2016-09-25 10:33 by christian.heimes. This issue is now closed.

Files
File name | Uploaded | Description
openssl-upgrade.patch | scw, 2016-09-07 03:21 | patches to upgrade OpenSSL to 1.0.2h on Windows
Messages (3)
msg274739 - (view) Author: Shaun Walbridge (scw) * Date: 2016-09-07 03:21
From the release notes of Python 3.4.5, I see that 3.4 is now in "security fixes only" mode, and no new installers will be created. That said, OpenSSL should be kept up to date so third parties who build binaries from source will receive upstream patches (there are 18 CVEs against OpenSSL 1.0.2d). This patch upgrades OpenSSL to 1.0.2h for Windows builds.

I initially used the same fix applied in #26930 here, but the relevant intermediate OpenSSL headers (crypto/buildinf_amd64.h, crypto/buildinf_x86.h, crypto/opensslconf_amd64.h, crypto/opensslconf_x86.h) aren't included in the openssl-1.0.2h externals repository [1]. The included patch fixes this by forcing the intermediate configuration files to be written, which doesn't seem to add much to the compilation time and avoided deeper changes to the OpenSSL build process, but there likely is a more elegant solution to this issue.

With this patch applied, Python 3.4.5 compiled and tests ran cleanly locally on both the x64 and Win32 targets, compiled using Visual Studio 2010.


1. http://svn.python.org/projects/external/openssl-1.0.2h/
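
Added example, not part of the thread or of the attached patch: a check that anyone rebuilding Python from source can run to confirm which OpenSSL release the resulting ssl module is linked against, using the releases named in this issue (1.0.2d, 1.0.2h, 1.0.2i). The helper names are hypothetical, and the decoding assumes the OpenSSL 1.0.x version-number layout (0xMNNFFPPS).

```python
import re
import ssl

# OpenSSL 1.0.x releases look like "1.0.2h": three numbers plus a patch letter.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_release(text):
    """Parse '1.0.2h' (or a banner such as 'OpenSSL 1.0.2h') into a tuple."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    # Patch letters count a=1 ... z=26; a two-letter suffix such as 'za' is 27.
    patch = sum(ord(c) - ord("a") + 1 for c in letters)
    return (int(major), int(minor), int(fix), patch)


def decode_version_number(number):
    """Decode OPENSSL_VERSION_NUMBER (0xMNNFFPPS) to (major, minor, fix, patch)."""
    return ((number >> 28) & 0xF, (number >> 20) & 0xFF,
            (number >> 12) & 0xFF, (number >> 4) & 0xFF)


def linked_openssl_meets(floor, number=None):
    """True if the linked OpenSSL is at least `floor` (e.g. '1.0.2h').

    `number` defaults to the value compiled into this interpreter's ssl
    module; pass one explicitly to test a value taken from another build.
    """
    if number is None:
        number = ssl.OPENSSL_VERSION_NUMBER
    return decode_version_number(number) >= parse_release(floor)


if __name__ == "__main__":
    # Report what this interpreter was actually built against.
    print(ssl.OPENSSL_VERSION)
    print("at least 1.0.2h:", linked_openssl_meets("1.0.2h"))
```

Run it with the freshly built interpreter on each target (x64 and Win32), since each links its own copy of OpenSSL.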
msg274905 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2016-09-07 22:50
I talked this over with Steve Dower, the current "platform expert" for Windows.  As he points out: the 3.4 Windows build is effectively unsupported.  The Windows platform expert for Python 3.4 resigned from core Python development.  Also, of course, all future Python 3.4 releases will be source releases only.  In short: if you make this change, you'd probably be the only person who would test it before it goes out the door.

But!  We still have Windows buildbots that can build Python 3.4.  And, since you're using a version of OpenSSL that we have checked in (on svn.python.org), it is theoretically possible to run this build on the buildbots.

So!  My price is: since you're going to have to coordinate with someone with the commit bit for this, you (and they) need to get this to pass on a Python buildbot.  Create a server-side clone, check in the change, and kick off a custom build.  When you get it working, post the results here, and after that you'll have my blessing to check this in to 3.4.
msg277358 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-25 10:33
1.0.2i is the latest version of the 1.0.2 series, #27995
History
Date | User | Action | Args
2016-09-25 10:33:05 | christian.heimes | set | status: open -> closed; superseder: Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows; messages: + msg277358; resolution: out of date; stage: resolved
2016-09-25 10:33:05 | christian.heimes | link | issue27995 superseder
2016-09-25 10:31:36 | christian.heimes | unlink | issue28248 superseder
2016-09-25 10:30:52 | christian.heimes | link | issue28248 superseder
2016-09-15 08:01:04 | christian.heimes | set | assignee: christian.heimes; components: + SSL; nosy: + christian.heimes
2016-09-07 22:50:03 | larry | set | messages: + msg274905
2016-09-07 03:25:09 | larry | set | nosy: + larry; title: Upgrade Python 3.4 to OpenSSL 1.0.2h -> Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows
2016-09-07 03:21:47 | scw | create |