Some effort was made to port Python to OpenSSL 1.1.0 (see issue 26470). However, the code still uses several deprecated functions, and fails to compile against OpenSSL 1.1.0 if these functions are disabled.

This may be replicated by building OpenSSL with --api=1.1.0. This will disable all functions marked as deprecated.

I have attached a build log from the cpython master branch.

Downstream bug: https://bugs.gentoo.org/show_bug.cgi?id=592480

Thanks for your report.

Python is going to require legacy functions like TLSv1_method() for a while. They are required to provide constants like PROTOCOL_TLSv1. I have deprecated these constants in 3.6 and they will be removed in 3.8. In the mean time Python is not compatible with OpenSSL api=1.1.0.

Thanks for the reply.

OpenSSL 1.1.0 added functions to control the SSL/TLS version used by SSL contexts created using TLS_method(). You might consider updating the code for existing Python branches to use these functions.

SSL_CTX_set_min_proto_version
SSL_CTX_set_max_proto_version

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html

My proposed patch based on python 2.7.14 to remove the use of the API
that was deprecated in openssl 1.1.

This patch allows python 3.4.6 to compile with openssl 1.1 without using
the deprecated API.  It is hacky though as I had to backport changes
that were already in 3.5.4 and 3.6.3.

Also RAND_pseudo_bytes was removed, so I call RAND_bytes instead.

My proposed patch based on python 3.5.4 to remove the use of the API
that was deprecated in openssl 1.1.  As RAND_pseudo_bytes was removed I
call RAND_bytes instead.

My proposed patch based on python 3.6.3 to remove the use of the API
that was deprecated in openssl 1.1.  As RAND_pseudo_bytes was removed I
call RAND_bytes instead.

Thanks for your patches, Mark. A few remarks:

Python 3.5 is in security fix-only mode. The issue is not a security bug.

Python has switched to a different workflow a while ago. Please provide a pull request on GitHub against master (3.7). I'll take care of the backports.

Also your implementation of version specific TLS has multiple flaws, e.g. missing NULL check and missing set_max_proto_version() calls. I opened a new PR.

Thanks, I opened
https://github.com/python/cpython/pull/3943
for the rest of the changes (on top of your changes in
https://github.com/python/cpython/pull/3934)
to allow it to compile with OpenSSL 1.1.0f compiled with
disable-deprecated.

@christian.heimes, is this issue and PR still relevant?  You mention 3.8 in msg291343.  Thanks!

Yes, it's still relevant. I haven't got time to look into the matter yet.

New changeset a871f692b4a2e6c7d45579693e787edc0af1a02c by Christian Heimes in branch 'master':
bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
https://github.com/python/cpython/commit/a871f692b4a2e6c7d45579693e787edc0af1a02c

New changeset 296db8cc2fd089d0d2f23b7dddafc029be9f1eb6 by Miss Islington (bot) in branch '3.7':
bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
https://github.com/python/cpython/commit/296db8cc2fd089d0d2f23b7dddafc029be9f1eb6

New changeset 9c0ff178a5d5d0992c0be21a7f343a495338ad73 by Miss Islington (bot) in branch '3.8':
bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
https://github.com/python/cpython/commit/9c0ff178a5d5d0992c0be21a7f343a495338ad73

New changeset 24a88b008b075bca4494822cc7549c10868ab820 by Miss Islington (bot) in branch '3.9':
bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397)
https://github.com/python/cpython/commit/24a88b008b075bca4494822cc7549c10868ab820