Use openSSL 3.0.x for Python 3.8+

docker/Dockerfile

@@ -90,8 +90,8 @@ RUN export SQLITE_AUTOCONF_ROOT=sqlite-autoconf-3430100 && \
     manylinux-entrypoint /build_scripts/build-sqlite3.sh
 
 COPY build_scripts/build-openssl.sh /build_scripts/
-RUN export OPENSSL_ROOT=openssl-1.1.1w && \
-    export OPENSSL_HASH=cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8 && \
+RUN export OPENSSL_ROOT=openssl-3.0.10 && \
+    export OPENSSL_HASH=1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323 && \
     export OPENSSL_DOWNLOAD_URL=https://www.openssl.org/source && \
     manylinux-entrypoint /build_scripts/build-openssl.sh
 

docker/build_scripts/build-cpython.sh

@@ -39,16 +39,23 @@ if [ "${CPYTHON_VERSION}" == "3.6.15" ]; then
 	CFLAGS_EXTRA="${CFLAGS_EXTRA} -fno-tree-loop-vectorize -fno-tree-slp-vectorize"
 fi
 if [ "${AUDITWHEEL_POLICY}" == "manylinux2014" ] ; then
-    # Python 3.11+
+	# Python 3.11+
 	export TCLTK_LIBS="-ltk8.6 -ltcl8.6"
 fi
+PYVERS="${CPYTHON_VERSION%.*}"
+if ! [ -d /usr/local/openssl3 ] || [ "${PYVERS}" == "3.6" ] || [ "${PYVERS}" == "3.7" ]; then
+	OPENSSL_OPTIONS=""
+else
+	OPENSSL_OPTIONS="--with-openssl=/usr/local/openssl3"
+fi
 
 # configure with hardening options only for the interpreter & stdlib C extensions
 # do not change the default for user built extension (yet?)
 ./configure \
 	CFLAGS_NODIST="${MANYLINUX_CFLAGS} ${MANYLINUX_CPPFLAGS} ${CFLAGS_EXTRA}" \
 	LDFLAGS_NODIST="${MANYLINUX_LDFLAGS}" \
-	--prefix=${PREFIX} --disable-shared --with-ensurepip=no > /dev/null
+	--prefix=${PREFIX} --disable-shared --with-ensurepip=no \
+	$OPENSSL_OPTIONS > /dev/null
 make > /dev/null
 make install > /dev/null
 popd

docker/build_scripts/build-openssl.sh

@@ -29,21 +29,28 @@ if [ "${SMALLEST}" = "${OPENSSL_MIN_VERSION}" ]; then
 	exit 0
 fi
 
-if which yum; then
-	yum erase -y openssl-devel
-else
-	apk del openssl-dev
-fi
+#if which yum; then
+#	yum erase -y openssl-devel
+#else
+#	apk del openssl-dev
+#fi
 
+# Install a more recent openssl 3.0.x
 fetch_source ${OPENSSL_ROOT}.tar.gz ${OPENSSL_DOWNLOAD_URL}
 check_sha256sum ${OPENSSL_ROOT}.tar.gz ${OPENSSL_HASH}
 tar -xzf ${OPENSSL_ROOT}.tar.gz
 pushd ${OPENSSL_ROOT}
-./config no-shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl CPPFLAGS="${MANYLINUX_CPPFLAGS}" CFLAGS="${MANYLINUX_CFLAGS} -fPIC" CXXFLAGS="${MANYLINUX_CXXFLAGS} -fPIC" LDFLAGS="${MANYLINUX_LDFLAGS} -fPIC" > /dev/null
-make > /dev/null
+./config no-shared \
+	--prefix=/usr/local/openssl3 --libdir=lib \
+	--openssldir=`find /etc/ -name openssl.cnf -printf "%h\n"` \
+	CPPFLAGS="${MANYLINUX_CPPFLAGS}" \
+	CFLAGS="${MANYLINUX_CFLAGS} -fPIC" \
+	CXXFLAGS="${MANYLINUX_CXXFLAGS} -fPIC" \
+	LDFLAGS="${MANYLINUX_LDFLAGS} -fPIC" > /dev/null
+make -j1 depend > /dev/null
+make -j6 > /dev/null
 make install_sw > /dev/null
 popd
 rm -rf ${OPENSSL_ROOT} ${OPENSSL_ROOT}.tar.gz
 
-
-/usr/local/ssl/bin/openssl version
+/usr/local/openssl3/bin/openssl version

docker/build_scripts/install-build-packages.sh

@@ -14,7 +14,7 @@ source $MY_DIR/build_utils.sh
 # make sure the corresponding library is added to RUNTIME_DEPS if applicable
 
 if [ "${BASE_POLICY}" == "manylinux" ]; then
-	COMPILE_DEPS="bzip2-devel ncurses-devel readline-devel gdbm-devel libpcap-devel xz-devel openssl openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libidn-devel curl-devel uuid-devel libffi-devel kernel-headers libdb-devel"
+	COMPILE_DEPS="bzip2-devel ncurses-devel readline-devel gdbm-devel libpcap-devel xz-devel openssl openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libidn-devel curl-devel uuid-devel libffi-devel kernel-headers libdb-devel perl-IPC-Cmd"
 	if [ "${AUDITWHEEL_POLICY}" == "manylinux2014" ]; then
 		PACKAGE_MANAGER=yum
 		COMPILE_DEPS="${COMPILE_DEPS} libXft-devel"

tests/run_tests.sh

@@ -35,6 +35,10 @@ for PYTHON in /opt/python/*/bin/python; do
 		$PYTHON -c 'import sqlite3; print(sqlite3.sqlite_version); assert sqlite3.sqlite_version_info[0:2] >= (3, 34)'
 		# Make sure tkinter module can be loaded properly
 		$PYTHON -c 'import tkinter; print(tkinter.TkVersion); assert tkinter.TkVersion >= 8.6'
+		# Make sure openssl module can be loaded properly
+		if [ "${PYVERS}" != "3.6" ] && [ "${PYVERS}" != "3.7" ]; then
+			$PYTHON -c 'import ssl; print(ssl.OPENSSL_VERSION); assert ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)'
+		fi
 	fi
 	# pythonX.Y / pypyX.Y shall be available directly in PATH
 	LINK_VERSION=$(${LINK_PREFIX}${PYVERS} -V)

update_native_dependencies.py

@@ -55,7 +55,7 @@ def _update_with_root(tool, dry_run):
         "openssl": "openssl/openssl",
     }
     major = {
-        "openssl": "1.1",
+        "openssl": "3.0",
     }
     dockerfile = Path(__file__).parent / "docker" / "Dockerfile"
     lines = dockerfile.read_text().splitlines()
@@ -68,10 +68,6 @@ def _update_with_root(tool, dry_run):
         latest_version = latest(repo[tool], major=major.get(tool, None))
         if latest_version > current_version:
             root = f"{tool}-{latest_version}"
-            if root == "openssl-1.1.1r":
-                # withdrawn version
-                print(f"Skipping {root}")
-                break
             url = re.match(f"^    export {tool.upper()}_DOWNLOAD_URL=(?P<url>\\S+) && \\\\$", lines[i + 2])["url"]
             url = url.replace(f"${{{tool.upper()}_ROOT}}", root)
             sha256 = _sha256(f"{url}/{root}.tar.gz")