Hi Richard,
porting Python 2.7 to openssl 3.0 doesn't really make sense to me.
We ship Python 2.7 so that developers can test code that needs to work
on Python 2.7 in various deployments like old CentOS/RHEL/etc. Fedora
aims to be a developer-friendly distro and so we want to provide the
tools to do that. Even if it's possible to port Python 2.7 to openssl
3.0 safely with reasonable effort, which I doubt, it would lead to a
different Python 2.7, which would no longer work as a testing ground for
people developing for old deployments.
Hi Tomáš,
Charalampos pinged me and asked me to look into this thread. For those who are not
familiar with me, I'm a CPython core developer and primary maintainer of the ssl and
hashlib modules. In the past I have ported Python to OpenSSL 1.1.0 and OpenSSL 3.0.
At first I also thought that it would be a lot of work to port Python 2.7 to OpenSSL 3.0.
It turns out that most tests are actually passing. The Debian downstream patches address
the remaining issue.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patche...
  fixes version number comparison and a different representation of IPv6 addresses in 3.0.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patche...
  fixes error messages. OpenSSL 3.0 uses different error numbers than 1.1.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patche...
  fixes a problem with error handling when loading certs
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patche...
  resolves another issue with version number formats

All four patches were originally written by me and are covered by the PSF license.

- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patche...
  changes tests to use the latest TLS version instead of TLS 1.0. The change is based on another
  upstream change by me.
You also have to disable openssl/opensslv.h parsing in setup.py. The code is not clever
enough to understand OpenSSL 3.0's opensslv.h.
In my humble opinion this would make Python 2.7 work sufficiently well with OpenSSL 3.0. I
wouldn't trust it with mission critical production code. But it's ok enough for
CI. Yes, Python 2.7 with OpenSSL 3.0 will behave differently than Python 2.7 with OpenSSL
1.1.1, e.g. some old ciphers and TLS versions may not work. But that's ok. Nobody
should use TLS 1.0 in 2022 any more.
Anyhow it is still too early to drop openssl1.1-devel in Fedora 37. I recommend marking it
as deprecated in F37 and dropping it in a later release.
Christian
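The setup.py point in the message above (Python 2.7's opensslv.h parser cannot read the OpenSSL 3.0 header) is illustrated by the following added example. It is not code from this thread, from CPython or from the Debian patches. The two header excerpts are constructed to mimic the 1.1.1 style (a single hex literal) and the 3.0 style (an expression built from MAJOR/MINOR/PATCH macros); `naive_version_number` is an assumption about what the 2.7 setup.py regex does, and `openssl_version_from_header` is a parser that handles both styles so a build script can still compare versions.

```python
import re

# Constructed excerpt in the OpenSSL 1.1.1 style (not copied from a real header):
# the version is one packed hex literal, 0xMNNFFPPS (major, minor, fix,
# patch letter, status). 0x101010bf is the value 1.1.1k would carry.
OPENSSLV_H_111 = r"""
# define OPENSSL_VERSION_NUMBER  0x101010bfL
# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1k  25 Mar 2021"
"""

# Constructed excerpt in the OpenSSL 3.0 style: the number is an expression
# assembled from separate macros, so no hex literal follows the name.
OPENSSLV_H_30 = r"""
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  0
# define OPENSSL_VERSION_PATCH  7
# define OPENSSL_VERSION_NUMBER          \
    ( (OPENSSL_VERSION_MAJOR<<28)        \
      |(OPENSSL_VERSION_MINOR<<20)       \
      |(OPENSSL_VERSION_PATCH<<4)        \
      |_OPENSSL_VERSION_PRE_RELEASE )
"""

# Assumption: this approximates the regex in Python 2.7's setup.py. It only
# accepts a hex literal, which is why it finds nothing in a 3.0 header.
LITERAL_RE = re.compile(
    r'^\s*#\s*define\s+OPENSSL_VERSION_NUMBER\s+(0x[0-9a-fA-F]+)', re.M)

# The per-component macros that OpenSSL 3.0 introduced.
COMPONENT_RE = re.compile(
    r'^\s*#\s*define\s+OPENSSL_VERSION_(MAJOR|MINOR|PATCH)\s+(\d+)\s*$', re.M)


def naive_version_number(header_text):
    """Literal-only parse: the packed int, or None when no literal is present."""
    m = LITERAL_RE.search(header_text)
    return int(m.group(1), 16) if m else None


def openssl_version_from_header(header_text):
    """Return (major, minor, fix) from either header style, or None.

    A 1.1-style literal is unpacked bit-wise; a 3.0-style header is read
    from its MAJOR/MINOR/PATCH macros (3.0 calls the third field "patch").
    """
    num = naive_version_number(header_text)
    if num is not None:
        return (num >> 28, (num >> 20) & 0xff, (num >> 12) & 0xff)
    comps = dict((name, int(val))
                 for name, val in COMPONENT_RE.findall(header_text))
    if all(k in comps for k in ('MAJOR', 'MINOR', 'PATCH')):
        return (comps['MAJOR'], comps['MINOR'], comps['PATCH'])
    return None


def meets_minimum(header_text, minimum):
    """Build-time style check: is the header's version at least `minimum`?"""
    ver = openssl_version_from_header(header_text)
    return ver is not None and ver >= minimum


if __name__ == '__main__':
    for label, text in (('1.1.1k-style', OPENSSLV_H_111),
                        ('3.0.7-style', OPENSSLV_H_30)):
        print(label,
              'literal-only:', naive_version_number(text),
              'both-styles:', openssl_version_from_header(text),
              '>= 1.0.2:', meets_minimum(text, (1, 0, 2)))
```

Run against the constructed headers, the literal-only parse returns None for the 3.0 excerpt, which is the condition under which the original build logic has to be bypassed; the two-style parser yields (1, 1, 1) and (3, 0, 7) and lets a minimum-version comparison keep working.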