Author christian.heimes
Recipients barry, christian.heimes, gregory.p.smith, pablogsal, vstinner
Date 2021-03-23.10:04:34
GH-24989 adds -Wl,--exclude-libs just for libssl.a and libcrypto.a IFF support for -Wl,--exclude-libs,ALL is detected by configure. This puts the symbols from the OpenSSL archive files into the LOCAL segment of ELF binaries. The PR does not set -Wl,--exclude-libs,ALL because I like to keep behavior the same as with 3.9.

When OpenSSL is locally built with "no-shared -fPIC", then Python automatically builds partially static-linked _ssl and _hashlib extension modules that do not pollute the global namespace:

$ ./config \
    --prefix=/home/heimes/dev/python/multissl/openssl/1.1.1j-static \
    --openssldir=/etc/pki/tls \
    no-shared -fPIC
$ ./configure --with-openssl=/home/heimes/dev/python/multissl/openssl/1.1.1j-static
$ make
$ ldd build/lib.linux-x86_64-3.10/
         (0x00007fff8dbbc000)
         => /lib64/ (0x00007fa5a533d000)
         => /lib64/ (0x00007fa5a5172000)
        /lib64/ (0x00007fa5a56ac000)
$ readelf -Ws build/lib.linux-x86_64-3.10/ | grep SSL_CTX_new
  5617: 0000000000072a90  1133 FUNC    LOCAL  DEFAULT   11 SSL_CTX_new

I deliberately did not update documentation with instructions for static linking. Static linking of OpenSSL has security and compatibility implications. I don't want to officially support it and deal with bug reports. -Wl,--exclude-libs just enables sane partial static-linking.
Date                 User              Action  Args
2021-03-23 10:04:34  christian.heimes  set     recipients: + christian.heimes, barry, gregory.p.smith, vstinner, pablogsal
2021-03-23 10:04:34  christian.heimes  set     messageid: <>
2021-03-23 10:04:34  christian.heimes  link    issue43466 messages
2021-03-23 10:04:34  christian.heimes  create
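
The readelf check in the message above looks at one symbol. The following is an added example, not part of the message or of the CPython build, that generalizes it to every OpenSSL-prefixed symbol an extension module both defines and exports. The function name, the prefix list and the sample readelf lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the tracker message). Reads `readelf -Ws` output on
# stdin and prints symbols that are both defined in the object and exported.
# $1: extended regex of symbol-name prefixes to flag.
leaked_symbols() {
    awk -v pat="$1" '
        $1 ~ /^[0-9]+:$/ && NF >= 8 {
            bind = $5; vis = $6; ndx = $7; name = $8
            sub(/@.*/, "", name)                          # drop version suffix
            if (ndx == "UND") next                        # import, not a definition
            if (bind != "GLOBAL" && bind != "WEAK") next  # LOCAL is not exported
            if (vis == "HIDDEN" || vis == "INTERNAL") next
            if (name ~ pat) print name
        }' | sort -u
}

# Assumed prefix list; extend it for the OpenSSL build in use.
OPENSSL_PREFIXES='^(SSL|EVP|X509|BIO|CRYPTO|OPENSSL)_'

# Constructed sample: archive symbols localized, as in the output above.
sample_excluded() {
cat <<'EOF'
Symbol table '.dynsym':
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000031c40    12 FUNC    GLOBAL DEFAULT   11 PyInit__ssl
Symbol table '.symtab':
  5617: 0000000000072a90  1133 FUNC    LOCAL  DEFAULT   11 SSL_CTX_new
EOF
}

# Constructed sample: same archive linked without --exclude-libs.
sample_leaky() {
cat <<'EOF'
Symbol table '.dynsym':
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000031c40    12 FUNC    GLOBAL DEFAULT   11 PyInit__ssl
     3: 0000000000072a90  1133 FUNC    GLOBAL DEFAULT   11 SSL_CTX_new
Symbol table '.symtab':
  5617: 0000000000072a90  1133 FUNC    GLOBAL DEFAULT   11 SSL_CTX_new
EOF
}

# With a path argument, check a real extension module instead of the samples.
if [ "$#" -gt 0 ]; then
    readelf -Ws "$1" | leaked_symbols "$OPENSSL_PREFIXES"
fi
```

Empty output means no matching archive symbol is visible to other libraries loaded into the same process; any printed name is one that can collide with another copy of OpenSSL.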