From dadab7bb95bc399f845aa2b72888148c9c762e10 Mon Sep 17 00:00:00 2001
From: Zachary Ware
Date: Sat, 4 Oct 2025 12:51:49 -0500
Subject: [PATCH] gh-139573: Update OpenSSL in CI
---
 .github/workflows/build.yml | 6 +++---
 .github/workflows/reusable-ubuntu.yml | 2 +-
 Doc/using/configure.rst | 2 +-
 Modules/_ssl_data_35.h | 9 +++++++--
 Tools/ssl/multissltests.py | 10 +++++-----
 5 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ebfaf32e193bcb..47d38b7542913c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -273,7 +273,7 @@ jobs:
 # Keep 1.1.1w in our list despite it being upstream EOL and otherwise
 # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs
 # supported by important vendors such as AWS-LC.
- openssl_ver: [1.1.1w, 3.0.17, 3.2.5, 3.3.4, 3.4.2, 3.5.2]
+ openssl_ver: [1.1.1w, 3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4]
 # See Tools/ssl/make_ssl_data.py for notes on adding a new version
 env:
 OPENSSL_VER: ${{ matrix.openssl_ver }}
@@ -438,7 +438,7 @@ jobs:
 needs: build-context
 if: needs.build-context.outputs.run-tests == 'true'
 env:
- OPENSSL_VER: 3.0.16
+ OPENSSL_VER: 3.0.18
 PYTHONSTRICTEXTENSIONBUILD: 1
 steps:
 - uses: actions/checkout@v4
@@ -558,7 +558,7 @@ jobs:
 matrix:
 os: [ubuntu-24.04]
 env:
- OPENSSL_VER: 3.0.16
+ OPENSSL_VER: 3.0.18
 PYTHONSTRICTEXTENSIONBUILD: 1
 ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
 steps:
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index 76b19fd5d1a72e..7f8b9fdf5d6639 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -30,7 +30,7 @@ jobs:
 runs-on: ${{ inputs.os }}
 timeout-minutes: 60
 env:
- OPENSSL_VER: 3.0.15
+ OPENSSL_VER: 3.0.18
 PYTHONSTRICTEXTENSIONBUILD: 1
 TERM: linux
 steps:
diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst
index b3a9e081edc9f5..b05e0600114757 100644
--- a/Doc/using/configure.rst +++ b/Doc/using/configure.rst @@ -22,7 +22,7 @@ Features and minimum versions required to build CPython: * Support for threads. -* OpenSSL 1.1.1 is the minimum version and OpenSSL 3.0.16 is the recommended +* OpenSSL 1.1.1 is the minimum version and OpenSSL 3.0.18 is the recommended minimum version for the :mod:`ssl` and :mod:`hashlib` extension modules. * SQLite 3.15.2 for the :mod:`sqlite3` extension module. diff --git a/Modules/_ssl_data_35.h b/Modules/_ssl_data_35.h index 9e69eaa910f003..e4919b550e3a89 100644 --- a/Modules/_ssl_data_35.h +++ b/Modules/_ssl_data_35.h @@ -1,6 +1,6 @@ /* File generated by Tools/ssl/make_ssl_data.py */ -/* Generated on 2025-08-13T16:42:33.155822+00:00 */ -/* Generated from Git commit openssl-3.5.2-0-g0893a6235 */ +/* Generated on 2025-10-04T17:49:19.148321+00:00 */ +/* Generated from Git commit openssl-3.5.4-0-gc1eeb9406 */ /* generated from args.lib2errnum */ static struct py_ssl_library_code library_codes[] = { @@ -5338,6 +5338,11 @@ static struct py_ssl_error_code error_codes[] = { #else {"FIPS_MODULE_ENTERING_ERROR_STATE", 57, 224}, #endif + #ifdef PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR + {"FIPS_MODULE_IMPORT_PCT_ERROR", ERR_LIB_PROV, PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR}, + #else + {"FIPS_MODULE_IMPORT_PCT_ERROR", 57, 253}, + #endif #ifdef PROV_R_FIPS_MODULE_IN_ERROR_STATE {"FIPS_MODULE_IN_ERROR_STATE", ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE}, #else diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index c0559446982eab..56976de49989ec 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py @@ -48,11 +48,11 @@ ] OPENSSL_RECENT_VERSIONS = [ - "3.0.16", - "3.2.5", - "3.3.4", - "3.4.2", - "3.5.2", + "3.0.18", + "3.2.6", + "3.3.5", + "3.4.3", + "3.5.4", # See make_ssl_data.py for notes on adding a new version. ]