https://github.com/python/cpython/commit/7a703c8f1942c8bd07943458962f6e59d2892757
commit: 7a703c8f1942c8bd07943458962f6e59d2892757
branch: main
author: Zachary Ware <z...@python.org>
committer: zware <zachary.w...@gmail.com>
date: 2025-08-13T23:18:03-05:00
summary:
gh-132339: Add support for OpenSSL 3.5 (GH-137720)
* Add OpenSSL 3.5.2 definitions to Modules/_ssl_data_35.h (moved from
Modules/_ssl_data_34.h)
* Demote OpenSSL 3.1 to "old", remove it from CI
* Update all OpenSSL versions to latest patchlevel in CI config and
multissltests defaults
* Add OpenSSL 3.5.2 to CI configuration and multissltests default list
* Fix a typo in the argument parser description of multissltests.py
files:
A Misc/NEWS.d/next/Build/2025-08-13-12-10-12.gh-issue-132339.3Czz5y.rst
A Modules/_ssl_data_35.h
D Modules/_ssl_data_34.h
M .github/workflows/build.yml
M Modules/_ssl.c
M Tools/ssl/multissltests.py
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 56f222cd94ab6f..d0204df035a720 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -270,7 +270,7 @@ jobs:
fail-fast: false
matrix:
os: [ubuntu-24.04]
- openssl_ver: [3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.1]
+ openssl_ver: [3.0.17, 3.2.5, 3.3.4, 3.4.2, 3.5.2]
# See Tools/ssl/make_ssl_data.py for notes on adding a new version
env:
OPENSSL_VER: ${{ matrix.openssl_ver }}
diff --git
a/Misc/NEWS.d/next/Build/2025-08-13-12-10-12.gh-issue-132339.3Czz5y.rst
b/Misc/NEWS.d/next/Build/2025-08-13-12-10-12.gh-issue-132339.3Czz5y.rst
new file mode 100644
index 00000000000000..493be0ca2da966
--- /dev/null
+++ b/Misc/NEWS.d/next/Build/2025-08-13-12-10-12.gh-issue-132339.3Czz5y.rst
@@ -0,0 +1 @@
+Add support for OpenSSL 3.5.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index a74654b7573f45..fde49fd0d2cd09 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -150,7 +150,7 @@ static void _PySSLFixErrno(void) {
/* Include generated data (error codes) */
/* See make_ssl_data.h for notes on adding a new version. */
#if (OPENSSL_VERSION_NUMBER >= 0x30401000L)
-#include "_ssl_data_34.h"
+#include "_ssl_data_35.h"
#elif (OPENSSL_VERSION_NUMBER >= 0x30100000L)
#include "_ssl_data_340.h"
#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
diff --git a/Modules/_ssl_data_34.h b/Modules/_ssl_data_35.h
similarity index 98%
rename from Modules/_ssl_data_34.h
rename to Modules/_ssl_data_35.h
index 99718c5e605acf..9e69eaa910f003 100644
--- a/Modules/_ssl_data_34.h
+++ b/Modules/_ssl_data_35.h
@@ -1,6 +1,6 @@
/* File generated by Tools/ssl/make_ssl_data.py */
-/* Generated on 2025-03-26T13:47:34.223146+00:00 */
-/* Generated from Git commit openssl-3.4.1-0-ga26d85337d */
+/* Generated on 2025-08-13T16:42:33.155822+00:00 */
+/* Generated from Git commit openssl-3.5.2-0-g0893a6235 */
/* generated from args.lib2errnum */
static struct py_ssl_library_code library_codes[] = {
@@ -1283,6 +1283,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"FAILED_BUILDING_OWN_CHAIN", 58, 164},
#endif
+ #ifdef CMP_R_FAILED_EXTRACTING_CENTRAL_GEN_KEY
+ {"FAILED_EXTRACTING_CENTRAL_GEN_KEY", ERR_LIB_CMP,
CMP_R_FAILED_EXTRACTING_CENTRAL_GEN_KEY},
+ #else
+ {"FAILED_EXTRACTING_CENTRAL_GEN_KEY", 58, 203},
+ #endif
#ifdef CMP_R_FAILED_EXTRACTING_PUBKEY
{"FAILED_EXTRACTING_PUBKEY", ERR_LIB_CMP, CMP_R_FAILED_EXTRACTING_PUBKEY},
#else
@@ -1343,6 +1348,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"INVALID_ROOTCAKEYUPDATE", 58, 195},
#endif
+ #ifdef CMP_R_MISSING_CENTRAL_GEN_KEY
+ {"MISSING_CENTRAL_GEN_KEY", ERR_LIB_CMP, CMP_R_MISSING_CENTRAL_GEN_KEY},
+ #else
+ {"MISSING_CENTRAL_GEN_KEY", 58, 204},
+ #endif
#ifdef CMP_R_MISSING_CERTID
{"MISSING_CERTID", ERR_LIB_CMP, CMP_R_MISSING_CERTID},
#else
@@ -1513,6 +1523,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"UNCLEAN_CTX", 58, 191},
#endif
+ #ifdef CMP_R_UNEXPECTED_CENTRAL_GEN_KEY
+ {"UNEXPECTED_CENTRAL_GEN_KEY", ERR_LIB_CMP,
CMP_R_UNEXPECTED_CENTRAL_GEN_KEY},
+ #else
+ {"UNEXPECTED_CENTRAL_GEN_KEY", 58, 205},
+ #endif
#ifdef CMP_R_UNEXPECTED_CERTPROFILE
{"UNEXPECTED_CERTPROFILE", ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE},
#else
@@ -2308,6 +2323,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"BAD_PBM_ITERATIONCOUNT", 56, 100},
#endif
+ #ifdef CRMF_R_CMS_NOT_SUPPORTED
+ {"CMS_NOT_SUPPORTED", ERR_LIB_CRMF, CRMF_R_CMS_NOT_SUPPORTED},
+ #else
+ {"CMS_NOT_SUPPORTED", 56, 122},
+ #endif
#ifdef CRMF_R_CRMFERROR
{"CRMFERROR", ERR_LIB_CRMF, CRMF_R_CRMFERROR},
#else
@@ -2323,16 +2343,41 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"ERROR_DECODING_CERTIFICATE", 56, 104},
#endif
+ #ifdef CRMF_R_ERROR_DECODING_ENCRYPTEDKEY
+ {"ERROR_DECODING_ENCRYPTEDKEY", ERR_LIB_CRMF,
CRMF_R_ERROR_DECODING_ENCRYPTEDKEY},
+ #else
+ {"ERROR_DECODING_ENCRYPTEDKEY", 56, 123},
+ #endif
#ifdef CRMF_R_ERROR_DECRYPTING_CERTIFICATE
{"ERROR_DECRYPTING_CERTIFICATE", ERR_LIB_CRMF,
CRMF_R_ERROR_DECRYPTING_CERTIFICATE},
#else
{"ERROR_DECRYPTING_CERTIFICATE", 56, 105},
#endif
+ #ifdef CRMF_R_ERROR_DECRYPTING_ENCRYPTEDKEY
+ {"ERROR_DECRYPTING_ENCRYPTEDKEY", ERR_LIB_CRMF,
CRMF_R_ERROR_DECRYPTING_ENCRYPTEDKEY},
+ #else
+ {"ERROR_DECRYPTING_ENCRYPTEDKEY", 56, 124},
+ #endif
+ #ifdef CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE
+ {"ERROR_DECRYPTING_ENCRYPTEDVALUE", ERR_LIB_CRMF,
CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE},
+ #else
+ {"ERROR_DECRYPTING_ENCRYPTEDVALUE", 56, 125},
+ #endif
#ifdef CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY
{"ERROR_DECRYPTING_SYMMETRIC_KEY", ERR_LIB_CRMF,
CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY},
#else
{"ERROR_DECRYPTING_SYMMETRIC_KEY", 56, 106},
#endif
+ #ifdef CRMF_R_ERROR_SETTING_PURPOSE
+ {"ERROR_SETTING_PURPOSE", ERR_LIB_CRMF, CRMF_R_ERROR_SETTING_PURPOSE},
+ #else
+ {"ERROR_SETTING_PURPOSE", 56, 126},
+ #endif
+ #ifdef CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY
+ {"ERROR_VERIFYING_ENCRYPTEDKEY", ERR_LIB_CRMF,
CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY},
+ #else
+ {"ERROR_VERIFYING_ENCRYPTEDKEY", 56, 127},
+ #endif
#ifdef CRMF_R_FAILURE_OBTAINING_RANDOM
{"FAILURE_OBTAINING_RANDOM", ERR_LIB_CRMF,
CRMF_R_FAILURE_OBTAINING_RANDOM},
#else
@@ -2358,6 +2403,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"POPOSKINPUT_NOT_SUPPORTED", 56, 113},
#endif
+ #ifdef CRMF_R_POPO_INCONSISTENT_CENTRAL_KEYGEN
+ {"POPO_INCONSISTENT_CENTRAL_KEYGEN", ERR_LIB_CRMF,
CRMF_R_POPO_INCONSISTENT_CENTRAL_KEYGEN},
+ #else
+ {"POPO_INCONSISTENT_CENTRAL_KEYGEN", 56, 128},
+ #endif
#ifdef CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY
{"POPO_INCONSISTENT_PUBLIC_KEY", ERR_LIB_CRMF,
CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY},
#else
@@ -3963,6 +4013,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"PBKDF2_ERROR", 6, 181},
#endif
+ #ifdef EVP_R_PIPELINE_NOT_SUPPORTED
+ {"PIPELINE_NOT_SUPPORTED", ERR_LIB_EVP, EVP_R_PIPELINE_NOT_SUPPORTED},
+ #else
+ {"PIPELINE_NOT_SUPPORTED", 6, 230},
+ #endif
#ifdef EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED
{"PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED", ERR_LIB_EVP,
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED},
#else
@@ -3978,6 +4033,36 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"PRIVATE_KEY_ENCODE_ERROR", 6, 146},
#endif
+ #ifdef EVP_R_PROVIDER_ASYM_CIPHER_FAILURE
+ {"PROVIDER_ASYM_CIPHER_FAILURE", ERR_LIB_EVP,
EVP_R_PROVIDER_ASYM_CIPHER_FAILURE},
+ #else
+ {"PROVIDER_ASYM_CIPHER_FAILURE", 6, 232},
+ #endif
+ #ifdef EVP_R_PROVIDER_ASYM_CIPHER_NOT_SUPPORTED
+ {"PROVIDER_ASYM_CIPHER_NOT_SUPPORTED", ERR_LIB_EVP,
EVP_R_PROVIDER_ASYM_CIPHER_NOT_SUPPORTED},
+ #else
+ {"PROVIDER_ASYM_CIPHER_NOT_SUPPORTED", 6, 235},
+ #endif
+ #ifdef EVP_R_PROVIDER_KEYMGMT_FAILURE
+ {"PROVIDER_KEYMGMT_FAILURE", ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE},
+ #else
+ {"PROVIDER_KEYMGMT_FAILURE", 6, 233},
+ #endif
+ #ifdef EVP_R_PROVIDER_KEYMGMT_NOT_SUPPORTED
+ {"PROVIDER_KEYMGMT_NOT_SUPPORTED", ERR_LIB_EVP,
EVP_R_PROVIDER_KEYMGMT_NOT_SUPPORTED},
+ #else
+ {"PROVIDER_KEYMGMT_NOT_SUPPORTED", 6, 236},
+ #endif
+ #ifdef EVP_R_PROVIDER_SIGNATURE_FAILURE
+ {"PROVIDER_SIGNATURE_FAILURE", ERR_LIB_EVP,
EVP_R_PROVIDER_SIGNATURE_FAILURE},
+ #else
+ {"PROVIDER_SIGNATURE_FAILURE", 6, 234},
+ #endif
+ #ifdef EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED
+ {"PROVIDER_SIGNATURE_NOT_SUPPORTED", ERR_LIB_EVP,
EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED},
+ #else
+ {"PROVIDER_SIGNATURE_NOT_SUPPORTED", 6, 237},
+ #endif
#ifdef EVP_R_PUBLIC_KEY_NOT_RSA
{"PUBLIC_KEY_NOT_RSA", ERR_LIB_EVP, EVP_R_PUBLIC_KEY_NOT_RSA},
#else
@@ -3998,6 +4083,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"SIGNATURE_TYPE_AND_KEY_TYPE_INCOMPATIBLE", 6, 228},
#endif
+ #ifdef EVP_R_TOO_MANY_PIPES
+ {"TOO_MANY_PIPES", ERR_LIB_EVP, EVP_R_TOO_MANY_PIPES},
+ #else
+ {"TOO_MANY_PIPES", 6, 231},
+ #endif
#ifdef EVP_R_TOO_MANY_RECORDS
{"TOO_MANY_RECORDS", ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS},
#else
@@ -4753,6 +4843,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"UNSUPPORTED_PUBLIC_KEY_TYPE", 9, 110},
#endif
+ #ifdef PEM_R_UNSUPPORTED_PVK_KEY_TYPE
+ {"UNSUPPORTED_PVK_KEY_TYPE", ERR_LIB_PEM, PEM_R_UNSUPPORTED_PVK_KEY_TYPE},
+ #else
+ {"UNSUPPORTED_PVK_KEY_TYPE", 9, 133},
+ #endif
#ifdef PKCS12_R_CALLBACK_FAILED
{"CALLBACK_FAILED", ERR_LIB_PKCS12, PKCS12_R_CALLBACK_FAILED},
#else
@@ -5543,6 +5638,16 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"MISSING_XCGHASH", 57, 135},
#endif
+ #ifdef PROV_R_ML_DSA_NO_FORMAT
+ {"ML_DSA_NO_FORMAT", ERR_LIB_PROV, PROV_R_ML_DSA_NO_FORMAT},
+ #else
+ {"ML_DSA_NO_FORMAT", 57, 245},
+ #endif
+ #ifdef PROV_R_ML_KEM_NO_FORMAT
+ {"ML_KEM_NO_FORMAT", ERR_LIB_PROV, PROV_R_ML_KEM_NO_FORMAT},
+ #else
+ {"ML_KEM_NO_FORMAT", 57, 246},
+ #endif
#ifdef PROV_R_MODULE_INTEGRITY_FAILURE
{"MODULE_INTEGRITY_FAILURE", ERR_LIB_PROV,
PROV_R_MODULE_INTEGRITY_FAILURE},
#else
@@ -5593,6 +5698,16 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"NO_PARAMETERS_SET", 57, 177},
#endif
+ #ifdef PROV_R_NULL_LENGTH_POINTER
+ {"NULL_LENGTH_POINTER", ERR_LIB_PROV, PROV_R_NULL_LENGTH_POINTER},
+ #else
+ {"NULL_LENGTH_POINTER", 57, 247},
+ #endif
+ #ifdef PROV_R_NULL_OUTPUT_BUFFER
+ {"NULL_OUTPUT_BUFFER", ERR_LIB_PROV, PROV_R_NULL_OUTPUT_BUFFER},
+ #else
+ {"NULL_OUTPUT_BUFFER", 57, 248},
+ #endif
#ifdef PROV_R_ONESHOT_CALL_OUT_OF_ORDER
{"ONESHOT_CALL_OUT_OF_ORDER", ERR_LIB_PROV,
PROV_R_ONESHOT_CALL_OUT_OF_ORDER},
#else
@@ -5728,6 +5843,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"UNABLE_TO_RESEED", 57, 204},
#endif
+ #ifdef PROV_R_UNEXPECTED_KEY_PARAMETERS
+ {"UNEXPECTED_KEY_PARAMETERS", ERR_LIB_PROV,
PROV_R_UNEXPECTED_KEY_PARAMETERS},
+ #else
+ {"UNEXPECTED_KEY_PARAMETERS", 57, 249},
+ #endif
#ifdef PROV_R_UNSUPPORTED_CEK_ALG
{"UNSUPPORTED_CEK_ALG", ERR_LIB_PROV, PROV_R_UNSUPPORTED_CEK_ALG},
#else
@@ -5748,6 +5868,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"UNSUPPORTED_NUMBER_OF_ROUNDS", 57, 152},
#endif
+ #ifdef PROV_R_UNSUPPORTED_SELECTION
+ {"UNSUPPORTED_SELECTION", ERR_LIB_PROV, PROV_R_UNSUPPORTED_SELECTION},
+ #else
+ {"UNSUPPORTED_SELECTION", 57, 250},
+ #endif
#ifdef PROV_R_UPDATE_CALL_OUT_OF_ORDER
{"UPDATE_CALL_OUT_OF_ORDER", ERR_LIB_PROV,
PROV_R_UPDATE_CALL_OUT_OF_ORDER},
#else
@@ -5763,6 +5888,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"VALUE_ERROR", 57, 138},
#endif
+ #ifdef PROV_R_WRONG_CIPHERTEXT_SIZE
+ {"WRONG_CIPHERTEXT_SIZE", ERR_LIB_PROV, PROV_R_WRONG_CIPHERTEXT_SIZE},
+ #else
+ {"WRONG_CIPHERTEXT_SIZE", 57, 251},
+ #endif
#ifdef PROV_R_WRONG_FINAL_BLOCK_LENGTH
{"WRONG_FINAL_BLOCK_LENGTH", ERR_LIB_PROV,
PROV_R_WRONG_FINAL_BLOCK_LENGTH},
#else
@@ -5938,6 +6068,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"PRNG_NOT_SEEDED", 36, 100},
#endif
+ #ifdef RAND_R_RANDOM_POOL_IS_EMPTY
+ {"RANDOM_POOL_IS_EMPTY", ERR_LIB_RAND, RAND_R_RANDOM_POOL_IS_EMPTY},
+ #else
+ {"RANDOM_POOL_IS_EMPTY", 36, 142},
+ #endif
#ifdef RAND_R_RANDOM_POOL_OVERFLOW
{"RANDOM_POOL_OVERFLOW", ERR_LIB_RAND, RAND_R_RANDOM_POOL_OVERFLOW},
#else
@@ -6923,6 +7058,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"DIGEST_CHECK_FAILED", 20, 149},
#endif
+ #ifdef SSL_R_DOMAIN_USE_ONLY
+ {"DOMAIN_USE_ONLY", ERR_LIB_SSL, SSL_R_DOMAIN_USE_ONLY},
+ #else
+ {"DOMAIN_USE_ONLY", 20, 422},
+ #endif
#ifdef SSL_R_DTLS_MESSAGE_TOO_BIG
{"DTLS_MESSAGE_TOO_BIG", ERR_LIB_SSL, SSL_R_DTLS_MESSAGE_TOO_BIG},
#else
@@ -7213,6 +7353,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"LIBRARY_HAS_NO_CIPHERS", 20, 161},
#endif
+ #ifdef SSL_R_LISTENER_USE_ONLY
+ {"LISTENER_USE_ONLY", ERR_LIB_SSL, SSL_R_LISTENER_USE_ONLY},
+ #else
+ {"LISTENER_USE_ONLY", 20, 421},
+ #endif
#ifdef SSL_R_MAXIMUM_ENCRYPTED_PKTS_REACHED
{"MAXIMUM_ENCRYPTED_PKTS_REACHED", ERR_LIB_SSL,
SSL_R_MAXIMUM_ENCRYPTED_PKTS_REACHED},
#else
@@ -7243,6 +7388,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"MISSING_PSK_KEX_MODES_EXTENSION", 20, 310},
#endif
+ #ifdef SSL_R_MISSING_QUIC_TLS_FUNCTIONS
+ {"MISSING_QUIC_TLS_FUNCTIONS", ERR_LIB_SSL,
SSL_R_MISSING_QUIC_TLS_FUNCTIONS},
+ #else
+ {"MISSING_QUIC_TLS_FUNCTIONS", 20, 423},
+ #endif
#ifdef SSL_R_MISSING_RSA_CERTIFICATE
{"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
#else
@@ -8983,6 +9133,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY", 34, 159},
#endif
+ #ifdef X509V3_R_PURPOSE_NOT_UNIQUE
+ {"PURPOSE_NOT_UNIQUE", ERR_LIB_X509V3, X509V3_R_PURPOSE_NOT_UNIQUE},
+ #else
+ {"PURPOSE_NOT_UNIQUE", 34, 173},
+ #endif
#ifdef X509V3_R_SECTION_NOT_FOUND
{"SECTION_NOT_FOUND", ERR_LIB_X509V3, X509V3_R_SECTION_NOT_FOUND},
#else
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index f4c8fde8346fd9..e632adafaaa0a0 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -44,14 +44,15 @@
OPENSSL_OLD_VERSIONS = [
"1.1.1w",
+ "3.1.8",
]
OPENSSL_RECENT_VERSIONS = [
"3.0.16",
- "3.1.8",
- "3.2.4",
- "3.3.3",
- "3.4.1",
+ "3.2.5",
+ "3.3.4",
+ "3.4.2",
+ "3.5.2",
# See make_ssl_data.py for notes on adding a new version.
]
@@ -74,8 +75,7 @@
parser = argparse.ArgumentParser(
prog='multissl',
description=(
- "Run CPython tests with multiple cryptography libraries"
- "versions."
+ "Run CPython tests with multiple cryptography libraries/versions."
),
)
parser.add_argument(
_______________________________________________
Python-checkins mailing list -- python-checkins@python.org
To unsubscribe send an email to python-checkins-le...@python.org
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: arch...@mail-archive.com
