Issue 27995: Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows
From the release notes of Python 3.4.5, I see that 3.4 is now in "security fixes only" mode, and no new installers will be created. That said, OpenSSL should be kept up to date so third parties who build binaries from source will receive upstream patches (there are 18 CVEs against OpenSSL 1.0.2d). This patch upgrades OpenSSL to 1.0.2h for Windows builds.
I initially used the same fix applied in #26930 here, but the relevant intermediate OpenSSL headers (crypto/buildinf_amd64.h, crypto/buildinf_x86.h, crypto/opensslconf_amd64.h, crypto/opensslconf_x86.h) aren't included in the openssl-1.0.2h externals repository [1]. The included patch fixes this by forcing the intermediate configuration files to be written, which doesn't seem to add much to the compilation time and avoided deeper changes to the OpenSSL build process, but there likely is a more elegant solution to this issue.
With this patch applied, Python 3.4.5 compiled and tests ran cleanly locally on both the x64 and Win32 targets, compiled using Visual Studio 2010.
I talked this over with Steve Dower, the current "platform expert" for Windows. As he points out: the 3.4 Windows build is effectively unsupported. The Windows platform expert for Python 3.4 resigned from core Python development. Also, of course, all future Python 3.4 releases will be source releases only. In short: if you make this change, you'd probably be the only person who would test it before it goes out the door.
But! We still have Windows buildbots that can build Python 3.4. And, since you're using a version of OpenSSL that we have checked in (on svn.python.org), it is theoretically possible to run this build on the buildbots.
So! My price is: since you're going to have to coordinate with someone with the commit bit for this, you (and they) need to get this to pass on a Python buildbot. Create a server-side clone, check in the change, and kick off a custom build. When you get it working, post the results here, and after that you'll have my blessing to check this in to 3.4.