gh-131423: Update OpenSSL data to 3.4.1 on Linux#131618
Uh oh!
There was an error while loading. Please reload this page.
Conversation
Since mnemonics from 3.4.1 are different (renumbered) from 3.4.0. To ease future updates, we assume the following: `_ssl_data_<MAJOR><PATCH>.h` contains the latest OpenSSL data. If the previous `_ssl_data_<MAJOR><PATCH>.h` file is incompatible with the newest one (e.g., because some mnemonics were renamed or removed), the old one is renamed to `_ssl_data_<MAJOR><MINOR><PATCH>.h` where <PATCH> is the patch number it was based upon. In this commit, OpenSSL 3.4.1 mnemonics are not compatible with OpenSSL 3.4.0 mnemonics as they were renumbered. Therefore, `_ssl_data_34.h` is renamed to `_ssl_data_340.h` and `_ssl_data_34x.h` now contains OpenSSL 3.4.1 mnemonics. We also refined the mnemonics that are selected, discarding those that are mnemonics-like but should not be used as such (e.g., ERR_LIB_MASK and ERR_LIB_OFFSET for OpenSSL 1.1.1).
picnixzforce-pushed the ci/update/ssl-versions-131423 branch from 05ee142 to 5bbc702Comparepicnixz requested review from a team, AA-Turner, corona10, erlend-aasland, ezio-melotti and hugovk as code owners
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
| # FEAT(picnixz): in the future, we may want to also check | ||
| # the consistency of the OpenSSL files with an external tool. |
There was a problem hiding this comment.
Could you track that in an issue instead?
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
picnixz commented Mar 24, 2025
arf, I'm not on my Linux so I can't regen :< I'm leaving tomorrow morning so I'm not really sure I'll be able to commit before leaving, but otherwise, just take over the PR and regen the data! |
Uh oh!
There was an error while loading. Please reload this page.
ned-deily left a comment
ned-deily left a comment There was a problem hiding this comment.
The macOS build-installer.py changes LGTM, thanks!
picnixz changed the title picnixz added the 🔨 test-with-buildbots 
bedevere-bot commented Apr 5, 2025
🤖 New build scheduled with the buildbot fleet by @picnixz for commit 905f1a5 🤖 Results will be shown at: https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F131618%2Fmerge If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again. |
bedevere-bot removed the 🔨 test-with-buildbots picnixz commented Apr 5, 2025
To avoid surprises, I'm running the build bots. If they pass, I'll merge this one so that we can close the other issue. I think the Windows-related failures were recently solved as well |
The iOS failure is known (PR #132050) |
picnixz commented Apr 6, 2025
I want to think about something. Mnenmonics were updated in 3.4.1 compared to 3.4.0, but that's only because I knew that they were changed. However, we're actually having a #if (OPENSSL_VERSION_NUMBER >= 0x30100000L) #include"_ssl_data_34.h"So I think I'll need a way to check first that when OpenSSL mnemonics changed so that we regenerate the correct files per version. |
ned-deily commented Apr 6, 2025
@picnixz, with the 3.14.a7, 3.13.3, and 3.12.10 releases approaching in two days, I plan to update the macOS installers for those releases to use 3.0.16. If you don't expect to be able to merge this PR before then, I can pull out the build-installer.py change into a separate PR since it has no relation to any of the other changes in this PR. (And that's why I prefer to keep changes like this separate.) |
picnixz commented Apr 6, 2025
To be on the safe side, please do so. I don't want to block the macOS side with my interrogations. Hopefully I'll be able to merge this before the release. |
Uh oh!
There was an error while loading. Please reload this page.
Misc/NEWS.d/next/macOS/2025-03-23-11-32-09.gh-issue-131423.s1Lvli.rst Outdated Show resolvedHide resolved
Uh oh!
There was an error while loading. Please reload this page.
Note: 3.4.1 includes CVE patches but since we're still in alpha, we can say that those security patches are not really necessary now (in addition, they affect components that are not directly exposed by Python IIRC). So, I'll postpone this until after the release (I don't want to have surprises where a mnemonic change would be actually annoying for a user) |
picnixz changed the title picnixz changed the title 
picnixz commented Apr 25, 2025
I'll merge this one and work on #132745. |
picnixz merged commit 6a9bfee into python:mainUh oh!
There was an error while loading. Please reload this page.
picnixz commented Apr 25, 2025
Rationale for not backporting: #131423 (comment). |
6 participants
I've also updated the
make_ssl_data.pyscript that @encukou has recently updated as well. I completed with instructions that I thought usefull for future maintainers.📚 Documentation preview 📚: https://cpython-previews--131618.org.readthedocs.build/