Skip to content

gh-89532: Remove LibreSSL workarounds#28728

Merged
gpshead merged 15 commits into
python:mainfrom
ramikg:remove-libressl-support
Jan 6, 2024
Merged

gh-89532: Remove LibreSSL workarounds#28728
gpshead merged 15 commits into
python:mainfrom
ramikg:remove-libressl-support

Conversation

@ramikg

@ramikg ramikg commented Oct 5, 2021

Copy link
Copy Markdown
Contributor

Python 3.10 drops support for LibreSSL (as per PEP 644), but there are still a few workarounds & mentions of LibreSSL in the source code.

The related PR cleans the code of any LibreSSL workarounds or mentions.

https://bugs.python.org/issue45369

Fixes #89532

@ramikg ramikg changed the title bpo-45369: Remove libressl support bpo-45369: Remove LibreSSL support Oct 5, 2021
@tiran tiran changed the title bpo-45369: Remove LibreSSL support bpo-45369: Remove LibreSSL workarounds Oct 5, 2021

@tiran tiran left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your PR.

Python 3.10 didn't actively drop support for LibreSSL. For a lack of better wording, we passively removed compatibility with forks that don't provide OpenSSL 1.1.1 API. I still like to keep some code so we can re-add LibreSSL support later.

Comment thread Lib/test/test_ssl.py Outdated
Comment thread Misc/NEWS.d/next/Core and Builtins/2021-10-05-05-00-16.bpo-45369.tluk_X.rst Outdated
Comment thread Tools/ssl/multissltests.py Outdated
@bedevere-bot

Copy link
Copy Markdown

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@tiran tiran added the needs backport to 3.10 only security fixes label Oct 5, 2021

@tiran tiran left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick fix!

@ramikg

ramikg commented Oct 7, 2021

Copy link
Copy Markdown
Contributor Author

I have made the requested changes; please review again

@bedevere-bot

Copy link
Copy Markdown

Thanks for making the requested changes!

@tiran: please review the changes made to this pull request.

@github-actions

github-actions Bot commented Nov 7, 2021

Copy link
Copy Markdown

This PR is stale because it has been open for 30 days with no activity.

@github-actions github-actions Bot added the stale Stale PR or inactive for long period of time. label Nov 7, 2021
@serhiy-storchaka serhiy-storchaka added the needs backport to 3.11 only security fixes label May 20, 2022
@dhewg

dhewg commented Jul 19, 2022

Copy link
Copy Markdown

For a lack of better wording, we passively removed compatibility with forks that don't provide OpenSSL 1.1.1 API. I still like to keep some code so we can re-add LibreSSL support later.

Some time has passed, and I guess this patch sort of reflects the state of Python v3.10 with LibreSSL v3.5.
It looks like the next version will support SSL_CTX_get_security_level too.
What's left then are those four hash functions, which probably won't be added anytime soon.

Does that change anything for Python w.r.t. LibreSSL support?

@dhewg

dhewg commented Jul 19, 2022

Copy link
Copy Markdown

Of course I stumble upon this just after posting.
That sounds like it can solve the issue about the missing hashing functions?

@tiran

tiran commented Jul 19, 2022

Copy link
Copy Markdown
Member

It is unlikely that we will officially support LibreSSL. Even if LibreSSL would become feature compatible with OpenSSL, we just don't have to resources to test and verify that Python works correctly with LibreSSL.

Is LibreSSL still relevant? AFAIK only OpenBSD uses it. All Linux distros have dropped support for LibreSSL, even Gentoo. FreeBSD uses OpenSSL and NetBSD seems to prefer OpenSSL as well (they have OpenSSL 1.1.1n and LibreSSL 2.7.4 from 2018).

@erlend-aasland

Copy link
Copy Markdown
Contributor

@ramikg, can you resolve the conflicts and update the PR?

@ramikg

ramikg commented Jan 5, 2024

Copy link
Copy Markdown
Contributor Author

@ramikg, can you resolve the conflicts and update the PR?

Sure, done.

@gpshead gpshead removed the needs backport to 3.11 only security fixes label Jan 6, 2024

@gpshead gpshead left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR should not remove RAND_egd, that is something OpenSSL provides.

@bedevere-app

bedevere-app Bot commented Jan 6, 2024

Copy link
Copy Markdown

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@erlend-aasland erlend-aasland removed pending The issue will be closed if no feedback is provided stale Stale PR or inactive for long period of time. labels Jan 6, 2024
@ramikg

ramikg commented Jan 6, 2024

Copy link
Copy Markdown
Contributor Author

This PR should not remove RAND_egd, that is something OpenSSL provides.

True. I've brought it back, and reworded the comment to be relevant to OpenSSL.
I've kept the try clause so that OpenSSL builds with OPENSSL_NO_EGD won't break.

(By the way, RAND_egd has already been mostly removed from CPython, as I've mentioned here.)

I have made the requested changes; please review again

@ramikg
ramikg requested a review from gpshead January 6, 2024 20:27
@gpshead gpshead self-assigned this Jan 6, 2024
@gpshead
gpshead enabled auto-merge (squash) January 6, 2024 23:23
@gpshead
gpshead merged commit 84d1f76 into python:main Jan 6, 2024
@ramikg
ramikg deleted the remove-libressl-support branch January 7, 2024 06:12
kulikjak pushed a commit to kulikjak/cpython that referenced this pull request Jan 22, 2024
Remove LibreSSL specific workaround ifdefs from `_ssl.c` and delete the non-version-specific `_ssl_data.h` file (relevant for OpenSSL < 1.1.1, which we no longer support per PEP 644).

Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
aisk pushed a commit to aisk/cpython that referenced this pull request Feb 11, 2024
Remove LibreSSL specific workaround ifdefs from `_ssl.c` and delete the non-version-specific `_ssl_data.h` file (relevant for OpenSSL < 1.1.1, which we no longer support per PEP 644).

Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Glyphack pushed a commit to Glyphack/cpython that referenced this pull request Sep 2, 2024
Remove LibreSSL specific workaround ifdefs from `_ssl.c` and delete the non-version-specific `_ssl_data.h` file (relevant for OpenSSL < 1.1.1, which we no longer support per PEP 644).

Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Remove LibreSSL workarounds