
Author christian.heimes
Recipients Lukas.Vacek, christian.heimes
Date 2019-11-15.09:33:51
Message-id <1573810431.77.0.961441864378.issue38794@roundup.psfhosted.org>
Content
Since this is a request for a new feature, I'm bumping versions to 3.9 and newer.

There is no need to add more configure flags to build Python with a custom OpenSSL installation. It's sufficient to build OpenSSL as a shared library and run Python's configure with --with-openssl=/path/to/installed/openssl. Then it's just a matter of configuring libdl to load the correct libraries, e.g. with a custom rpath. I like to use LD_RUN_PATH to add an rpath to the ELF header of the _ssl and _hashlib module's shared library. Or you can use Tools/ssl/multissl.py to automate this.

This approach works fine on RHEL 6:

wget https://www.openssl.org/source/openssl-1.0.2t.tar.gz
tar -xzf openssl-1.0.2t.tar.gz
pushd openssl-1.0.2t
./config --openssldir=/etc/pki/tls --prefix=/tmp/102t shared
make
make install
popd

wget https://www.python.org/ftp/python/3.7.5/Python-3.7.5.tgz
tar -xzf Python-3.7.5.tgz
pushd Python-3.7.5
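export LD_RUN_PATH=/tmp/102t/lib
./configure --with-openssl=/tmp/102t/ -C
# LD_RUN_PATH must still be set while make links _ssl and _hashlib,
# otherwise no rpath is written into the ELF header.
make
unset LD_RUN_PATH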

ldd build/lib.linux-x86_64-3.7/_ssl.cpython-37m-x86_64-linux-gnu.so 
        linux-vdso.so.1 =>  (0x00007ffcefbb7000)
        libssl.so.1.0.0 => /tmp/102t/lib/libssl.so.1.0.0 (0x00007f4c586a7000)
        libcrypto.so.1.0.0 => /tmp/102t/lib/libcrypto.so.1.0.0 (0x00007f4c5826a000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4c58047000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f4c57cb3000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f4c57aae000)
        /lib64/ld-linux-x86-64.so.2 (0x00005639623f7000)

./python 
Python 3.7.5 (default, Nov 15 2019, 04:19:28) 
[GCC 4.4.7 20120313 (Red Hat 4.4.7-23)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2t  10 Sep 2019'


I'm opposing this PR because it's an unnecessary extension that increases our testing, documentation and support burden. We would have to maintain the feature for at least 5 to 10 years and ensure that it keeps working on all operating systems (also BSD, macOS, AIX, ...) and future versions of OpenSSL.
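
An added example, not part of the original message or of CPython's tooling: a shell function that reads ldd output and confirms that libssl and libcrypto resolve under the custom prefix rather than to the system copies. The name check_openssl_link is hypothetical; the sample lines are copied from the ldd output above.

```shell
#!/bin/sh
# Added example, not from the original message. check_openssl_link is a
# hypothetical helper name.
# Usage: ldd path/to/_ssl.cpython-*.so | check_openssl_link /tmp/102t
# Returns 0 only if libssl and libcrypto are both linked and both resolve
# to a path below PREFIX/.
check_openssl_link() {
    prefix=${1%/}   # accept a trailing slash, as in --with-openssl=/tmp/102t/
    awk -v prefix="$prefix" '
        # Relevant ldd lines: libssl.so.1.0.0 => /dir/libssl.so.1.0.0 (0x...)
        $1 ~ /^lib(ssl|crypto)\.so/ {
            name = ($1 ~ /^libssl/) ? "libssl" : "libcrypto"
            seen[name] = 1
            if ($2 != "=>" || $3 == "not") {            # "=> not found"
                printf "FAIL %s: unresolved\n", $1; bad = 1
            } else if (index($3, prefix "/") != 1) {    # system copy or other prefix
                printf "FAIL %s: %s is outside %s\n", $1, $3, prefix; bad = 1
            } else {
                printf "OK   %s: %s\n", $1, $3
            }
        }
        END {
            if (!seen["libssl"])    { print "FAIL libssl: not linked";    bad = 1 }
            if (!seen["libcrypto"]) { print "FAIL libcrypto: not linked"; bad = 1 }
            exit bad + 0
        }'
}

# Sample input: lines copied from the ldd output in the message above.
check_openssl_link /tmp/102t/ <<'EOF'
        libssl.so.1.0.0 => /tmp/102t/lib/libssl.so.1.0.0 (0x00007f4c586a7000)
        libcrypto.so.1.0.0 => /tmp/102t/lib/libcrypto.so.1.0.0 (0x00007f4c5826a000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f4c57cb3000)
EOF
```

Run the same check against the _hashlib module, since both extension modules link against OpenSSL.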