Open ac224bc2-6200-4e59-bd22-a7f440782ac2 opened 7 years ago
Some effort was made to port Python to OpenSSL 1.1.0 (see bpo-26470). However, the code still uses several deprecated functions, and fails to compile against OpenSSL 1.1.0 if these functions are disabled.
This may be replicated by building OpenSSL with --api=1.1.0. This will disable all functions marked as deprecated.
I have attached a build log from the cpython master branch.
Downstream bug: https://bugs.gentoo.org/show_bug.cgi?id=592480
Thanks for your report.
Python is going to require legacy functions like TLSv1_method() for a while. They are required to provide constants like PROTOCOL_TLSv1. I have deprecated these constants in 3.6 and they will be removed in 3.8. In the meantime Python is not compatible with OpenSSL api=1.1.0.
Thanks for the reply.
OpenSSL 1.1.0 added functions to control the SSL/TLS version used by SSL contexts created using TLS_method(). You might consider updating the code for existing Python branches to use these functions.
SSL_CTX_set_min_proto_version
SSL_CTX_set_max_proto_version
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html
My proposed patch based on python 2.7.14 to remove the use of the API that was deprecated in openssl 1.1.
This patch allows python 3.4.6 to compile with openssl 1.1 without using the deprecated API. It is hacky though as I had to backport changes that were already in 3.5.4 and 3.6.3.
Also RAND_pseudo_bytes was removed, so I call RAND_bytes instead.
My proposed patch based on python 3.5.4 to remove the use of the API that was deprecated in openssl 1.1. As RAND_pseudo_bytes was removed I call RAND_bytes instead.
My proposed patch based on python 3.6.3 to remove the use of the API that was deprecated in openssl 1.1. As RAND_pseudo_bytes was removed I call RAND_bytes instead.
Thanks for your patches, Mark. A few remarks:
Python 3.5 is in security fix-only mode. The issue is not a security bug.
Python switched to a different workflow a while ago. Please provide a pull request on GitHub against master (3.7). I'll take care of the backports.
Also your implementation of version specific TLS has multiple flaws, e.g. missing NULL check and missing set_max_proto_version() calls. I opened a new PR.
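The min/max pinning discussed in the comments above, shown at the Python level as an added example (not code from this thread or from CPython). It assumes Python 3.7+ where `SSLContext.minimum_version` and `maximum_version` exist; the helper names are hypothetical.

```python
import ssl

# Deprecated fixed-version constant name -> the single TLS version it selected.
LEGACY_TO_VERSION = {
    "PROTOCOL_TLSv1": ssl.TLSVersion.TLSv1,
    "PROTOCOL_TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "PROTOCOL_TLSv1_2": ssl.TLSVersion.TLSv1_2,
}


def pinned_client_context(legacy_name):
    """Hypothetical helper: version-flexible context pinned to one version."""
    try:
        version = LEGACY_TO_VERSION[legacy_name]
    except KeyError:
        raise ValueError(f"unknown legacy constant: {legacy_name!r}") from None
    # PROTOCOL_TLS_CLIENT is version-flexible and verifies certificates and
    # hostnames by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Set BOTH bounds: the floor alone does not emulate a fixed-version method.
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def min_only_context(version):
    """Contrast case: only the floor is set, the ceiling stays open."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    return ctx


def is_pinned(ctx):
    """True when the context allows exactly one concrete TLS version."""
    sentinels = (ssl.TLSVersion.MINIMUM_SUPPORTED,
                 ssl.TLSVersion.MAXIMUM_SUPPORTED)
    return (ctx.minimum_version == ctx.maximum_version
            and ctx.minimum_version not in sentinels)


if __name__ == "__main__":
    pinned = pinned_client_context("PROTOCOL_TLSv1_2")
    print(pinned.minimum_version, pinned.maximum_version, is_pinned(pinned))
    floor_only = min_only_context(ssl.TLSVersion.TLSv1_2)
    print(floor_only.minimum_version, floor_only.maximum_version,
          is_pinned(floor_only))
```

A context with only `minimum_version` set can still negotiate any newer version the peer offers, so it does not behave like the fixed-version constant it replaces.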
Thanks, I opened https://github.com/python/cpython/pull/3943 for the rest of the changes (on top of your changes in https://github.com/python/cpython/pull/3934) to allow it to compile with OpenSSL 1.1.0f compiled with disable-deprecated.
@christian.heimes, is this issue and PR still relevant? You mention 3.8 in msg291343. Thanks!
Yes, it's still relevant. I haven't got time to look into the matter yet.
New changeset a871f692b4a2e6c7d45579693e787edc0af1a02c by Christian Heimes in branch 'master': bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397) https://github.com/python/cpython/commit/a871f692b4a2e6c7d45579693e787edc0af1a02c
New changeset 296db8cc2fd089d0d2f23b7dddafc029be9f1eb6 by Miss Islington (bot) in branch '3.7': bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397) https://github.com/python/cpython/commit/296db8cc2fd089d0d2f23b7dddafc029be9f1eb6
New changeset 9c0ff178a5d5d0992c0be21a7f343a495338ad73 by Miss Islington (bot) in branch '3.8': bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397) https://github.com/python/cpython/commit/9c0ff178a5d5d0992c0be21a7f343a495338ad73
New changeset 24a88b008b075bca4494822cc7549c10868ab820 by Miss Islington (bot) in branch '3.9': bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397) https://github.com/python/cpython/commit/24a88b008b075bca4494822cc7549c10868ab820
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
GitHub fields:
```python
assignee = None
closed_at = None
created_at =
labels = ['3.8', 'build', 'library', '3.9', '3.10']
title = 'OpenSSL 1.1.0 deprecated functions'
updated_at =
user = 'https://github.com/floppym'
```
bugs.python.org fields:
```python
activity =
actor = 'miss-islington'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation =
creator = 'floppymaster'
dependencies = []
files = ['46782', '47198', '47199', '47200', '47201']
hgrepos = []
issue_num = 30008
keywords = ['patch']
message_count = 15.0
messages = ['291236', '291343', '291345', '303951', '303953', '303954', '303955', '303967', '304028', '369904', '369906', '370535', '370536', '370537', '370538']
nosy_count = 10.0
nosy_names = ['janssen', 'christian.heimes', 'Arfrever', 'alex', 'devurandom', 'floppymaster', 'dstufft', 'cheryl.sabella', 'gienah', 'miss-islington']
pr_nums = ['3934', '3943', '20397', '20565', '20566', '20567']
priority = 'normal'
resolution = None
stage = 'patch review'
status = 'open'
superseder = None
type = 'compile error'
url = 'https://bugs.python.org/issue30008'
versions = ['Python 3.8', 'Python 3.9', 'Python 3.10']
```