This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: OpenSSL 1.1.0 deprecated functions
Type: compile error Stage: patch review
Components: Library (Lib) Versions: Python 3.10, Python 3.9, Python 3.8
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: Arfrever, alex, cheryl.sabella, christian.heimes, devurandom, dstufft, floppymaster, gienah, janssen, miss-islington
Priority: normal Keywords: patch

Created on 2017-04-06 16:34 by floppymaster, last changed 2022-04-11 14:58 by admin.

Files
File name Uploaded Description Edit
build.log floppymaster, 2017-04-06 16:34 build log
python-2.7.14-openssl-1.1.0.patch gienah, 2017-10-09 13:39 python-2.7.14-openssl-1.1.0.patch
python-3.4.6-openssl-1.1.0.patch gienah, 2017-10-09 13:44 python-3.4.6-openssl-1.1.0.patch
python-3.5.4-openssl-1.1.0.patch gienah, 2017-10-09 13:46 python-3.5.4-openssl-1.1.0.patch
python-3.6.3-openssl-1.1.0.patch gienah, 2017-10-09 13:46 python-3.6.3-openssl-1.1.0.patch
Pull Requests
URL Status Linked Edit
PR 3934 closed christian.heimes, 2017-10-09 15:00
PR 3943 open gienah, 2017-10-10 12:40
PR 20397 merged christian.heimes, 2020-05-25 20:39
PR 20565 merged miss-islington, 2020-06-01 06:58
PR 20566 merged miss-islington, 2020-06-01 06:58
PR 20567 merged miss-islington, 2020-06-01 06:58
Messages (15)
msg291236 - (view) Author: Mike Gilbert (floppymaster) * Date: 2017-04-06 16:34
Some effort was made to port Python to OpenSSL 1.1.0 (see issue 26470). However, the code still uses several deprecated functions, and fails to compile against OpenSSL 1.1.0 if these functions are disabled.

This may be replicated by building OpenSSL with --api=1.1.0. This will disable all functions marked as deprecated.

I have attached a build log from the cpython master branch.

Downstream bug: https://bugs.gentoo.org/show_bug.cgi?id=592480
msg291343 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-04-08 20:56
Thanks for your report.

Python is going to require legacy functions like TLSv1_method() for a while. They are required to provide constants like PROTOCOL_TLSv1. I have deprecated these constants in 3.6 and they will be removed in 3.8. In the mean time Python is not compatible with OpenSSL api=1.1.0.
msg291345 - (view) Author: Mike Gilbert (floppymaster) * Date: 2017-04-08 21:36
Thanks for the reply.

OpenSSL 1.1.0 added functions to control the SSL/TLS version used by SSL contexts created using TLS_method(). You might consider updating the code for existing Python branches to use these functions.

SSL_CTX_set_min_proto_version
SSL_CTX_set_max_proto_version

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html
msg303951 - (view) Author: Mark Wright (gienah) * Date: 2017-10-09 13:39
My proposed patch based on python 2.7.14 to remove the use of the API
that was deprecated in openssl 1.1.
msg303953 - (view) Author: Mark Wright (gienah) * Date: 2017-10-09 13:44
This patch allows python 3.4.6 to compile with openssl 1.1 without using
the deprecated API.  It is hacky though as I had to backport changes
that were already in 3.5.4 and 3.6.3.

Also RAND_pseudo_bytes was removed, so I call RAND_bytes instead.
msg303954 - (view) Author: Mark Wright (gienah) * Date: 2017-10-09 13:46
My proposed patch based on python 3.5.4 to remove the use of the API
that was deprecated in openssl 1.1.  As RAND_pseudo_bytes was removed I
call RAND_bytes instead.
msg303955 - (view) Author: Mark Wright (gienah) * Date: 2017-10-09 13:46
My proposed patch based on python 3.6.3 to remove the use of the API
that was deprecated in openssl 1.1.  As RAND_pseudo_bytes was removed I
call RAND_bytes instead.
msg303967 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-10-09 15:03
Thanks for your patches, Mark. A few remarks:

Python 3.5 is in security fix-only mode. The issue is not a security bug.

Python has switched to a different workflow a while ago. Please provide a pull request on GitHub against master (3.7). I'll take care of the backports.

Also your implementation of version specific TLS has multiple flaws, e.g. missing NULL check and missing set_max_proto_version() calls. I opened a new PR.
msg304028 - (view) Author: Mark Wright (gienah) * Date: 2017-10-10 12:46
Thanks, I opened
https://github.com/python/cpython/pull/3943
for the rest of the changes (on top of your changes in
https://github.com/python/cpython/pull/3934)
to allow it to compile with OpenSSL 1.1.0f compiled with
disable-deprecated.
msg369904 - (view) Author: Cheryl Sabella (cheryl.sabella) * (Python committer) Date: 2020-05-25 18:18
@christian.heimes, is this issue and PR still relevant?  You mention 3.8 in msg291343.  Thanks!
msg369906 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-05-25 18:21
Yes, it's still relevant. I haven't got time to look into the matter yet.
msg370535 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-06-01 06:58
New changeset a871f692b4a2e6c7d45579693e787edc0af1a02c by Christian Heimes in branch 'master':
bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
https://github.com/python/cpython/commit/a871f692b4a2e6c7d45579693e787edc0af1a02c
msg370536 - (view) Author: miss-islington (miss-islington) Date: 2020-06-01 07:11
New changeset 296db8cc2fd089d0d2f23b7dddafc029be9f1eb6 by Miss Islington (bot) in branch '3.7':
bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
https://github.com/python/cpython/commit/296db8cc2fd089d0d2f23b7dddafc029be9f1eb6
msg370537 - (view) Author: miss-islington (miss-islington) Date: 2020-06-01 07:17
New changeset 9c0ff178a5d5d0992c0be21a7f343a495338ad73 by Miss Islington (bot) in branch '3.8':
bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
https://github.com/python/cpython/commit/9c0ff178a5d5d0992c0be21a7f343a495338ad73
msg370538 - (view) Author: miss-islington (miss-islington) Date: 2020-06-01 07:18
New changeset 24a88b008b075bca4494822cc7549c10868ab820 by Miss Islington (bot) in branch '3.9':
bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
https://github.com/python/cpython/commit/24a88b008b075bca4494822cc7549c10868ab820
History
Date User Action Args
2022-04-11 14:58:45adminsetgithub: 74194
2020-06-01 07:18:42miss-islingtonsetmessages: + msg370538
2020-06-01 07:17:22miss-islingtonsetmessages: + msg370537
2020-06-01 07:11:59miss-islingtonsetmessages: + msg370536
2020-06-01 06:58:52miss-islingtonsetpull_requests: + pull_request19808
2020-06-01 06:58:42miss-islingtonsetpull_requests: + pull_request19807
2020-06-01 06:58:32miss-islingtonsetnosy: + miss-islington
pull_requests: + pull_request19806
2020-06-01 06:58:20christian.heimessetmessages: + msg370535
2020-05-25 20:39:37christian.heimessetpull_requests: + pull_request19660
2020-05-25 18:21:33christian.heimessetmessages: + msg369906
versions: + Python 3.8, Python 3.9, Python 3.10, - Python 3.7
2020-05-25 18:18:41cheryl.sabellasetnosy: + cheryl.sabella
messages: + msg369904
2018-03-07 07:51:41devurandomsetnosy: + devurandom
2017-10-10 12:46:27gienahsetmessages: + msg304028
2017-10-10 12:40:14gienahsetpull_requests: + pull_request3915
2017-10-09 15:03:13christian.heimessetmessages: + msg303967
2017-10-09 15:00:26christian.heimessetstage: patch review
pull_requests: + pull_request3908
2017-10-09 13:46:49gienahsetfiles: + python-3.6.3-openssl-1.1.0.patch

messages: + msg303955
2017-10-09 13:46:17gienahsetfiles: + python-3.5.4-openssl-1.1.0.patch

messages: + msg303954
2017-10-09 13:44:22gienahsetfiles: + python-3.4.6-openssl-1.1.0.patch

messages: + msg303953
2017-10-09 13:39:56gienahsetfiles: + python-2.7.14-openssl-1.1.0.patch

nosy: + gienah
messages: + msg303951

keywords: + patch
2017-04-09 19:54:51Arfreversetnosy: + Arfrever
2017-04-08 21:36:33floppymastersetmessages: + msg291345
2017-04-08 20:56:27christian.heimessetmessages: + msg291343
2017-04-07 21:36:41terry.reedysetnosy: + janssen, christian.heimes, alex, dstufft
2017-04-06 16:34:45floppymastercreate