pypa / manylinux

Python wheels that work on any linux (almost)
MIT License

`manylinux_2_28` incorrectly uses OpenSSL 1.1.1k instead of 3.0.12 #1560

Closed bastimeyer closed 7 months ago

bastimeyer commented 8 months ago

The manylinux_2_28 images appear to be linking against the system's OpenSSL version (1.1.1k). The manylinux2014 images don't have this problem and are properly using the one built by the Dockerfile (3.0.12). All Python builds are affected by this, 3.8..3.12.

manylinux_2_28

$ docker run --rm -it quay.io/pypa/manylinux_2_28_x86_64:latest bash -c 'set -x; /opt/python/cp312-cp312/bin/python -c "import ssl;print(ssl.OPENSSL_VERSION)"; ldd /opt/python/cp312-cp312/lib/python3.12/lib-dynload/_ssl.cpython-312-x86_64-linux-gnu.so'
+ /opt/python/cp312-cp312/bin/python -c 'import ssl;print(ssl.OPENSSL_VERSION)'
OpenSSL 1.1.1k  FIPS 25 Mar 2021
+ ldd /opt/python/cp312-cp312/lib/python3.12/lib-dynload/_ssl.cpython-312-x86_64-linux-gnu.so
        linux-vdso.so.1 (0x00007fffe07f8000)
        libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007faeade00000)
        libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007faead800000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007faead400000)
        libc.so.6 => /lib64/libc.so.6 (0x00007faead000000)
        libz.so.1 => /lib64/libz.so.1 (0x00007faeacc00000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007faeac800000)
        /lib64/ld-linux-x86-64.so.2 (0x00007faeae200000)

manylinux2014

$ docker run --rm -it quay.io/pypa/manylinux2014_x86_64:latest bash -c 'set -x; /opt/python/cp312-cp312/bin/python -c "import ssl;print(ssl.OPENSSL_VERSION)"; ldd /opt/python/cp312-cp312/lib/python3.12/lib-dynload/_ssl.cpython-312-x86_64-linux-gnu.so'
+ /opt/python/cp312-cp312/bin/python -c 'import ssl;print(ssl.OPENSSL_VERSION)'
OpenSSL 3.0.12 24 Oct 2023
+ ldd /opt/python/cp312-cp312/lib/python3.12/lib-dynload/_ssl.cpython-312-x86_64-linux-gnu.so
        linux-vdso.so.1 =>  (0x00007fff84114000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fef1ba00000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fef1b600000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fef1c400000)

mayeut commented 8 months ago

This is done on purpose. manylinux does not rebuild OpenSSL if the system OpenSSL is new enough (>= 1.1.1): https://github.com/pypa/manylinux/blob/e7e3b8c2cb9a4564b2b735df75115ce1cea5c290/docker/build_scripts/build-openssl.sh#L19

bastimeyer commented 8 months ago

> This is done on purpose.

Thanks for the hint.

Is there a reason for this other than shaving off a few minutes of build-time while still meeting Python's bare minimum OpenSSL version constraints? (PEP 644 - from October 2020)

Build-times of the latest commit:

OpenSSL 1.1.1k is from March 2021. The 1.1.1 branch has reached its EOL in September 2023 with 1.1.1w being the last release: https://endoflife.date/openssl

For the sake of consistency, as well as control over which OpenSSL version gets bundled, OpenSSL should be built regardless of what the package management of the docker images provides, and it shouldn't be just linked against.

mayeut commented 8 months ago

RedHat/AlmaLinux has its own security policy, so OpenSSL 1.1.1 still receives security updates despite it being EOL upstream. While 1.1.1k upstream is from March 2021, you can see that the one from the image received security updates that are much more recent:

[root@b7887bc9e322 /]# dnf changelog openssl 
Listing all changelogs
Changelogs for openssl-1:1.1.1k-12.el8_9.aarch64
* Thu Nov 30 12:00:00 AM 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
  (a proper fix for CVE-2020-25659)
  Resolves: RHEL-17696
...

It saves both build time & download time (images are smaller).

> For the sake of consistency

There's no consistency to be expected regarding the runtime version of OpenSSL of a Python interpreter except for PEP 644.

The only commitment made here is that we do respect PEP 644 and that we don't use an OpenSSL version not receiving security updates if possible.
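The check that the first comment does by hand (`ssl.OPENSSL_VERSION` plus `ldd` on the `_ssl` extension) and the PEP 644 floor mentioned in the last comment can be scripted so that a wheel-building pipeline can flag which OpenSSL an interpreter actually loads. The following is an added example, not code from the manylinux project or from anyone in this thread. It reuses the two `ldd` outputs pasted above as sample input; the `SYSTEM_LIB_PREFIXES` heuristic (a library under `/lib64` or `/usr/lib64` is the distro's copy, anything else is a bundled build) and the "static" classification when no shared `libssl`/`libcrypto` appears are this example's own assumptions.

```python
"""Check which OpenSSL a CPython build really uses, and whether it meets PEP 644."""
import shutil
import ssl
import subprocess

# PEP 644 makes OpenSSL 1.1.1 the minimum version CPython supports.
PEP644_MIN = (1, 1, 1)

# Assumption: libraries under these prefixes are the distro's OpenSSL package
# (the /lib64 layout seen in the issue); adjust for other distros.
SYSTEM_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Sample input copied from the ldd outputs quoted in this issue.
SAMPLE_LDD_2_28 = """\
        linux-vdso.so.1 (0x00007fffe07f8000)
        libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007faeade00000)
        libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007faead800000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007faead400000)
        libc.so.6 => /lib64/libc.so.6 (0x00007faead000000)
        libz.so.1 => /lib64/libz.so.1 (0x00007faeacc00000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007faeac800000)
        /lib64/ld-linux-x86-64.so.2 (0x00007faeae200000)
"""
SAMPLE_LDD_2014 = """\
        linux-vdso.so.1 =>  (0x00007fff84114000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fef1ba00000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fef1b600000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fef1c400000)
"""


def meets_pep644(version_info):
    """version_info is shaped like ssl.OPENSSL_VERSION_INFO: (major, minor, fix, patch, status)."""
    return tuple(version_info[:3]) >= PEP644_MIN


def parse_ldd(text):
    """Parse ldd output into {soname: resolved path or None}.

    Handles the three line shapes in the samples: "name => path (addr)",
    "name (addr)" / "name =>  (addr)" for entries with no file on disk (vdso),
    and "/path/ld-linux... (addr)" for the dynamic loader itself.
    """
    deps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " => " in line:
            name, rest = line.split(" => ", 1)
            path = rest.rsplit(" (", 1)[0].strip()
            deps[name.strip()] = path or None
        else:
            name = line.rsplit(" (", 1)[0].strip()
            deps[name] = name if name.startswith("/") else None
    return deps


def classify_openssl(deps):
    """Return "static", "system" or "bundled" from where libssl/libcrypto resolve."""
    paths = [p for n, p in deps.items()
             if n.startswith(("libssl.so", "libcrypto.so")) and p]
    if not paths:
        # No shared libssl/libcrypto at all: OpenSSL is linked statically into
        # _ssl (the manylinux2014 output above shows this shape).
        return "static"
    if all(p.startswith(SYSTEM_LIB_PREFIXES) for p in paths):
        return "system"
    return "bundled"


def inspect_running_interpreter():
    """Report on this interpreter: OpenSSL version, PEP 644 status, link classification."""
    import _ssl  # the C extension; its file is what ldd is run against
    result = {
        "version": ssl.OPENSSL_VERSION,
        "pep644_ok": meets_pep644(ssl.OPENSSL_VERSION_INFO),
        "linkage": None,  # stays None when ldd or the extension file is unavailable
    }
    ldd = shutil.which("ldd")
    ext_path = getattr(_ssl, "__file__", None)
    if ldd and ext_path:
        out = subprocess.run([ldd, ext_path], capture_output=True, text=True, check=False)
        if out.returncode == 0:
            result["linkage"] = classify_openssl(parse_ldd(out.stdout))
    return result


if __name__ == "__main__":
    for key, value in inspect_running_interpreter().items():
        print(f"{key}: {value}")
```

Run inside an image with `/opt/python/cp312-cp312/bin/python thisfile.py`; a "system" result with a 1.1.1 version string is exactly the manylinux_2_28 situation discussed here, and by itself it is not a PEP 644 violation, since 1.1.1k still clears the floor. Whether the distro copy is still patched (the changelog point made above) is a separate question the script cannot answer.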