https://github.com/python/cpython/commit/a126893fa80c4ee5f0bac8a84a49491c19edd511 commit: a126893fa80c4ee5f0bac8a84a49491c19edd511 branch: main author: Hugo van Kemenade <[email protected]> committer: hugovk <[email protected]> date: 2026-01-20T17:25:31+02:00 summary:
gh-143960: Add support for OpenSSL 3.6, drop EOL 3.2 (#143961) Co-authored-by: Gregory P. Smith <[email protected]> files: A Misc/NEWS.d/next/Build/2026-01-17-15-31-19.gh-issue-143960.Zi0EqR.rst A Modules/_ssl_data_36.h D Modules/_ssl_data_35.h M .github/workflows/build.yml M Modules/_ssl.c M Tools/ssl/make_ssl_data.py M Tools/ssl/multissltests.py diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2dc610ce37cc4c..e7f7aa5172e082 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -261,7 +261,7 @@ jobs: # Keep 1.1.1w in our list despite it being upstream EOL and otherwise # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs # supported by important vendors such as AWS-LC. - openssl_ver: [1.1.1w, 3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4] + openssl_ver: [1.1.1w, 3.0.18, 3.3.5, 3.4.3, 3.5.4, 3.6.0] # See Tools/ssl/make_ssl_data.py for notes on adding a new version env: OPENSSL_VER: ${{ matrix.openssl_ver }} diff --git a/Misc/NEWS.d/next/Build/2026-01-17-15-31-19.gh-issue-143960.Zi0EqR.rst b/Misc/NEWS.d/next/Build/2026-01-17-15-31-19.gh-issue-143960.Zi0EqR.rst new file mode 100644 index 00000000000000..2b8e01f937db76 --- /dev/null +++ b/Misc/NEWS.d/next/Build/2026-01-17-15-31-19.gh-issue-143960.Zi0EqR.rst @@ -0,0 +1 @@ +Add support for OpenSSL 3.6, drop EOL 3.2. Patch by Hugo van Kemenade. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 7dd57e7892af41..2bcf864e759b91 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -150,7 +150,7 @@ static void _PySSLFixErrno(void) { /* Include generated data (error codes) */ /* See Tools/ssl/make_ssl_data.py for notes on adding a new version. */ #if (OPENSSL_VERSION_NUMBER >= 0x30401000L) -#include "_ssl_data_35.h" +#include "_ssl_data_36.h" #elif (OPENSSL_VERSION_NUMBER >= 0x30100000L) #include "_ssl_data_340.h" #elif (OPENSSL_VERSION_NUMBER >= 0x30000000L) diff --git a/Modules/_ssl_data_35.h b/Modules/_ssl_data_36.h similarity index 99% rename from Modules/_ssl_data_35.h rename to Modules/_ssl_data_36.h index e4919b550e3a89..02b8b66e80fce2 100644 --- a/Modules/_ssl_data_35.h +++ b/Modules/_ssl_data_36.h @@ -1,6 +1,6 @@ /* File generated by Tools/ssl/make_ssl_data.py */ -/* Generated on 2025-10-04T17:49:19.148321+00:00 */ -/* Generated from Git commit openssl-3.5.4-0-gc1eeb9406 */ +/* Generated on 2026-01-17T13:03:49.335767+00:00 */ +/* Generated from Git commit openssl-3.6.0-0-g7b371d80d9 */ /* generated from args.lib2errnum */ static struct py_ssl_library_code library_codes[] = { @@ -1863,6 +1863,11 @@ static struct py_ssl_error_code error_codes[] = { #else {"NOT_KEK", 46, 123}, #endif + #ifdef CMS_R_NOT_KEM + {"NOT_KEM", ERR_LIB_CMS, CMS_R_NOT_KEM}, + #else + {"NOT_KEM", 46, 197}, + #endif #ifdef CMS_R_NOT_KEY_AGREEMENT {"NOT_KEY_AGREEMENT", ERR_LIB_CMS, CMS_R_NOT_KEY_AGREEMENT}, #else @@ -2058,6 +2063,11 @@ static struct py_ssl_error_code error_codes[] = { #else {"UNKNOWN_ID", 46, 150}, #endif + #ifdef CMS_R_UNKNOWN_KDF_ALGORITHM + {"UNKNOWN_KDF_ALGORITHM", ERR_LIB_CMS, CMS_R_UNKNOWN_KDF_ALGORITHM}, + #else + {"UNKNOWN_KDF_ALGORITHM", 46, 198}, + #endif #ifdef CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM {"UNSUPPORTED_COMPRESSION_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM}, #else @@ -2078,6 +2088,11 @@ static struct py_ssl_error_code error_codes[] = { #else {"UNSUPPORTED_ENCRYPTION_TYPE", 46, 192}, #endif + #ifdef CMS_R_UNSUPPORTED_KDF_ALGORITHM + {"UNSUPPORTED_KDF_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_KDF_ALGORITHM}, + #else + {"UNSUPPORTED_KDF_ALGORITHM", 46, 199}, + #endif #ifdef CMS_R_UNSUPPORTED_KEK_ALGORITHM {"UNSUPPORTED_KEK_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_KEK_ALGORITHM}, #else @@ -5763,6 +5778,11 @@ static struct py_ssl_error_code error_codes[] = { #else {"PSS_SALTLEN_TOO_SMALL", 57, 172}, #endif + #ifdef PROV_R_REPEATED_PARAMETER + {"REPEATED_PARAMETER", ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER}, + #else + {"REPEATED_PARAMETER", 57, 252}, + #endif #ifdef PROV_R_REQUEST_TOO_LARGE_FOR_DRBG {"REQUEST_TOO_LARGE_FOR_DRBG", ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG}, #else diff --git a/Tools/ssl/make_ssl_data.py b/Tools/ssl/make_ssl_data.py index 286f0e5f54a779..439dbaf882db68 100755 --- a/Tools/ssl/make_ssl_data.py +++ b/Tools/ssl/make_ssl_data.py @@ -17,8 +17,8 @@ git tag --list 'openssl-*' git switch --detach openssl-3.4.1 -After generating the definitions, compare the result with newest pre-existing file. -You can use a command like: +After generating the definitions, compare the result with the newest +pre-existing file. You can use a command like: git diff --no-index Modules/_ssl_data_340.h Modules/_ssl_data_341.h diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index 56976de49989ec..828fb8b44f9b08 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py @@ -45,14 +45,15 @@ OPENSSL_OLD_VERSIONS = [ "1.1.1w", "3.1.8", + "3.2.6", ] OPENSSL_RECENT_VERSIONS = [ "3.0.18", - "3.2.6", "3.3.5", "3.4.3", "3.5.4", + "3.6.0", # See make_ssl_data.py for notes on adding a new version. ] _______________________________________________ Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: [email protected]
