classification
Title: ssl.OPENSSL_VERSION still reporting 1.1.1i on windows 3.8.9/3.9.4
Type: security
Stage: resolved
Components: Windows
Versions: Python 3.10, Python 3.9, Python 3.8
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Bill Collins, christian.heimes, lukasz.langa, miss-islington, pablogsal, paul.moore, steve.dower, tim.golden, xtreak, zach.ware
Priority: release blocker
Keywords: patch

Created on 2021-04-06 10:23 by Bill Collins, last changed 2021-04-09 12:02 by vstinner. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 25213 merged steve.dower, 2021-04-06 11:35
PR 25214 merged steve.dower, 2021-04-06 13:26
PR 25223 merged miss-islington, 2021-04-06 15:04
Messages (17)
msg390303 - (view) Author: Bill Collins (Bill Collins) * Date: 2021-04-06 10:23
>>> import sys,ssl
>>> sys.version
'3.9.4 (tags/v3.9.4:1f2e308, Apr  4 2021, 13:27:16) [MSC v.1928 64 bit (AMD64)]'
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.1.1i  8 Dec 2020'

I may well be holding it wrong, but something seems off.
msg390307 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-06 11:01
No, I think I was holding git wrong (and built 1.1.1i again instead of 1.1.1k).

Guess we get to do more releases...
msg390308 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-06 11:05
Uh :(

No more holiday releases, please. The RMs and release team need their vacation.
msg390309 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-06 11:09
> No more holiday releases, please. The RMs and release team need their vacation.

I agree, can you ask OpenSSL to stop releasing fixes? (or alternatively, can you convince everyone to let us switch to the native TLS stack on Windows where the upstream fixes are released before they are announced to the world ;) )
msg390317 - (view) Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2021-04-06 12:02
Given that the PR is against master, is this issue present in Python 3.10 alphas too, since the last alpha was released today?
msg390318 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-06 12:05
It is, but I wouldn't hold up an alpha or beta release because of this.
msg390320 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-06 12:08
New changeset 354b015c176b10ee7e2218ba4f3bbc9455cb893f by Steve Dower in branch 'master':
bpo-43745: Actually updates Windows release to OpenSSL 1.1.1k. (GH-25213)
https://github.com/python/cpython/commit/354b015c176b10ee7e2218ba4f3bbc9455cb893f
msg390324 - (view) Author: Łukasz Langa (lukasz.langa) * (Python committer) Date: 2021-04-06 12:30
I elect to replace 3.9.4 Windows installers.

1. It's a Windows installer specific problem, no other users are affected.

2. You can always reinstall. You can tell by the dates reported by the REPL or in fact by checking ssl.OPENSSL_VERSION.

3. There will be 3.9.5 on May 3 anyway soon enough.
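
The check described in the message above (reading ssl.OPENSSL_VERSION to tell an original 3.8.9/3.9.4 Windows build from a replaced one), written out as an added example; it is not part of the original message or of CPython. The helper names are hypothetical, and the sample strings other than the 1.1.1i one quoted in this issue are constructed.

```python
import re
import ssl

# OpenSSL release the replaced Windows installers are meant to bundle, per
# this issue's changesets ("Actually updates Windows release to 1.1.1k").
REQUIRED = "1.1.1k"

_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.1.1i  8 Dec 2020' or '1.1.1k' into a sortable tuple.

    The letter suffix of the 1.x series is kept, so 1.1.1i < 1.1.1k;
    3.x releases carry no letter and get an empty suffix.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        # e.g. a LibreSSL build: refuse to guess rather than compare wrongly
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letter = match.groups()
    # Suffix length sorts first so a two-letter suffix ('za') ranks after 'z'.
    return (int(major), int(minor), int(fix), len(letter), letter)


def is_patched(version_text, required=REQUIRED):
    """True when the reported OpenSSL is at least `required`."""
    return parse_openssl_version(version_text) >= parse_openssl_version(required)


def audit_interpreter():
    """Check the OpenSSL actually linked into the running interpreter."""
    return ssl.OPENSSL_VERSION, is_patched(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    samples = [
        "OpenSSL 1.1.1i  8 Dec 2020",   # quoted in this issue (original build)
        "OpenSSL 1.1.1k  25 Mar 2021",  # constructed: what a rebuilt install reports
        "OpenSSL 3.0.2 15 Mar 2022",    # constructed: later series, no letter
    ]
    for sample in samples:
        print(f"{sample!r}: {'ok' if is_patched(sample) else 'REINSTALL'}")
    print("this interpreter:", audit_interpreter())
```

Comparing the parsed version instead of the raw string keeps the check valid for later interpreters, whose version strings carry no letter suffix.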
msg390328 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-06 13:19
Yeeeessss.... we caaaann.... I think we may regret it, but happy to go with it if you'd prefer.

FWIW, the code change isn't necessary if you do a totally clean rebuild. However, most builders do not do totally clean rebuilds, so the code change ensures that they are not caught out.

(Confirmation just came through another channel, so I'm doing a rebuild of the v3.9.4 and v3.8.9 tags now.)
msg390342 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-06 15:03
New changeset 611aa39142f156508945ac312724474c493a6691 by Steve Dower in branch '3.9':
bpo-43745: Actually updates Windows release to OpenSSL 1.1.1k. (GH-25213)
https://github.com/python/cpython/commit/611aa39142f156508945ac312724474c493a6691
msg390343 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-06 15:05
A new 3.9.4 and 3.8.9 release is available for download from python.org. The Nuget and Windows Store packages will have to remain as the original versions, since those do not allow us to overwrite with the same version number.
msg390346 - (view) Author: miss-islington (miss-islington) Date: 2021-04-06 15:22
New changeset 9a988b8cd8344808a03c9a2ba0c9ba2188240eae by Miss Islington (bot) in branch '3.8':
bpo-43745: Actually updates Windows release to OpenSSL 1.1.1k. (GH-25213)
https://github.com/python/cpython/commit/9a988b8cd8344808a03c9a2ba0c9ba2188240eae
msg390351 - (view) Author: Bill Collins (Bill Collins) * Date: 2021-04-06 16:20
Thanks for the quick action on this!

I've downloaded the new 3.8.9/3.9.4 installers, but they are unable to run over my existing 3.8.9/3.9.4 installs; "Unable to install python 3.9.4 (64-bit) due to an existing install." This is probably fine as I can just uninstall/reinstall (I hope), so just FYI.

I've upgraded my 32-bit install from 3.9.2 to the new 3.9.4 installer without issue.

Are you able to also update the embeddable packages please?
msg390363 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-06 19:05
> Are you able to also update the embeddable packages please?

They've been updated, it's just the CDN hasn't purged those files. I need to add those files to the script.

It should show up within 24 hours, if I don't start doing the script tonight.
msg390516 - (view) Author: Bill Collins (Bill Collins) * Date: 2021-04-08 09:07
The embeddable dists for 3.9.4 have updated, but the 3.8.9 packages are still showing the builds from April 2nd.
msg390538 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-08 16:36
I just purged the CDN again and it seems to be fine now.
msg390597 - (view) Author: Bill Collins (Bill Collins) * Date: 2021-04-09 08:31
Confirmed, thanks!
History
Date User Action Args
2021-04-09 12:02:51 vstinner set nosy: - vstinner
2021-04-09 08:31:57 Bill Collins set messages: + msg390597
2021-04-08 16:36:52 steve.dower set messages: + msg390538
2021-04-08 09:07:26 Bill Collins set messages: + msg390516
2021-04-06 19:05:19 steve.dower set messages: + msg390363
2021-04-06 16:20:26 Bill Collins set messages: + msg390351
2021-04-06 15:22:57 miss-islington set messages: + msg390346
2021-04-06 15:05:38 steve.dower set status: open -> closed; resolution: fixed; messages: + msg390343; stage: patch review -> resolved
2021-04-06 15:04:07 miss-islington set nosy: + miss-islington; pull_requests: + pull_request23960
2021-04-06 15:03:59 steve.dower set messages: + msg390342
2021-04-06 13:26:11 steve.dower set pull_requests: + pull_request23952
2021-04-06 13:19:25 steve.dower set messages: + msg390328
2021-04-06 12:30:38 lukasz.langa set messages: + msg390324
2021-04-06 12:08:38 steve.dower set messages: + msg390320
2021-04-06 12:05:01 steve.dower set messages: + msg390318; versions: + Python 3.10
2021-04-06 12:02:22 xtreak set nosy: + xtreak, pablogsal; messages: + msg390317
2021-04-06 11:35:40 steve.dower set keywords: + patch; stage: patch review; pull_requests: + pull_request23951
2021-04-06 11:09:56 steve.dower set messages: + msg390309
2021-04-06 11:07:12 vstinner set nosy: + vstinner
2021-04-06 11:05:18 christian.heimes set nosy: + christian.heimes; messages: + msg390308
2021-04-06 11:01:04 steve.dower set priority: normal -> release blocker; nosy: + lukasz.langa; messages: + msg390307
2021-04-06 10:23:58 Bill Collins create