Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows #72182

Closed
scw mannequin opened this issue Sep 7, 2016 · 3 comments
Labels: build (The build process and cross-build), OS-windows, topic-SSL, type-security (A security issue)

scw mannequin commented Sep 7, 2016

BPO 27995
Nosy @pfmoore, @larryhastings, @tiran, @tjguk, @zware, @zooba, @scw
Superseder
  • bpo-27995: Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows

Files
  • openssl-upgrade.patch: patches to upgrade OpenSSL to 1.0.2h on Windows

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2016-09-25.10:33:05.625>
    created_at = <Date 2016-09-07.03:21:47.904>
    labels = ['type-security', 'expert-SSL', 'build', 'OS-windows']
    title = 'Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows'
    updated_at = <Date 2016-09-25.10:33:05.624>
    user = 'https://github.com/scw'

    bugs.python.org fields:

    activity = <Date 2016-09-25.10:33:05.624>
    actor = 'christian.heimes'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2016-09-25.10:33:05.625>
    closer = 'christian.heimes'
    components = ['Build', 'Windows', 'SSL']
    creation = <Date 2016-09-07.03:21:47.904>
    creator = 'scw'
    dependencies = []
    files = ['44422']
    hgrepos = []
    issue_num = 27995
    keywords = ['patch']
    message_count = 3.0
    messages = ['274739', '274905', '277358']
    nosy_count = 7.0
    nosy_names = ['paul.moore', 'larry', 'christian.heimes', 'tim.golden', 'zach.ware', 'steve.dower', 'scw']
    pr_nums = []
    priority = 'normal'
    resolution = 'out of date'
    stage = 'resolved'
    status = 'closed'
    superseder = '27995'
    type = 'security'
    url = 'https://bugs.python.org/issue27995'
    versions = ['Python 3.4']

    scw mannequin commented Sep 7, 2016

    From the release notes of Python 3.4.5, I see that 3.4 is now in "security fixes only" mode, and no new installers will be created. That said, OpenSSL should be kept up to date so third parties who build binaries from source will receive upstream patches (there are 18 CVEs against OpenSSL 1.0.2d). This patch upgrades OpenSSL to 1.0.2h for Windows builds.

    I initially used the same fix applied in bpo-26930 here, but the relevant intermediate OpenSSL headers (crypto/buildinf_amd64.h, crypto/buildinf_x86.h, crypto/opensslconf_amd64.h, crypto/opensslconf_x86.h) aren't included in the openssl-1.0.2h externals repository [1]. The included patch fixes this by forcing the intermediate configuration files to be written, which doesn't seem to add much to the compilation time and avoided deeper changes to the OpenSSL build process, but there likely is a more elegant solution to this issue.

    With this patch applied, Python 3.4.5 compiled and tests ran cleanly locally on both the x64 and Win32 targets, compiled using Visual Studio 2010.

    1. http://svn.python.org/projects/external/openssl-1.0.2h/

    @scw (mannequin) added the build, OS-windows and type-security labels Sep 7, 2016
    @larryhastings changed the title from "Upgrade Python 3.4 to OpenSSL 1.0.2h" to "Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows" Sep 7, 2016

    larryhastings (Contributor) commented

    I talked this over with Steve Dower, the current "platform expert" for Windows. As he points out: the 3.4 Windows build is effectively unsupported. The Windows platform expert for Python 3.4 resigned from core Python development. Also, of course, all future Python 3.4 releases will be source releases only. In short: if you make this change, you'd probably be the only person who would test it before it goes out the door.

    But! We still have Windows buildbots that can build Python 3.4. And, since you're using a version of OpenSSL that we have checked in (on svn.python.org), it is theoretically possible to run this build on the buildbots.

    So! My price is: since you're going to have to coordinate with someone with the commit bit for this, you (and they) need to get this to pass on a Python buildbot. Create a server-side clone, check in the change, and kick off a custom build. When you get it working, post the results here, and after that you'll have my blessing to check this in to 3.4.

    @tiran self-assigned this Sep 15, 2016

    tiran (Member) commented Sep 25, 2016

    1.0.2i is the latest version of the 1.0.2 series, bpo-27995

    @tiran closed this as completed Sep 25, 2016
    @ezio-melotti transferred this issue from another repository Apr 10, 2022