[3.4] bpo-26470: Port ssl and hashlib module to OpenSSL 1.1.0. by vstinner · Pull Request #12211 · python/cpython
Larry: As I told you, I'm perfectly fine with not applying this change to Python 3.4 upstream. We (Red Hat) can easily maintain a downstream patch on the Fedora python34 package.
Sorry, folks, but I just can't bring myself to merge this. It's too big of a last-minute change, and it introduces test failures.
This change doesn't make tests fail. The difference is that without my change, Python 3.4 fails to build with OpenSSL 1.1.1. With my change, not only does compilation succeed, but almost all tests pass. The 3 failures are expected (see below).
Also, it looks like Christian did the original work to add OpenSSL 1.1 support in 2016, and at the time he backported to 3.5--but not 3.4. If he didn't backport it then, I don't know why we need to do it now. (Sadly the bpo page sheds no light on why he didn't backport it then. My guess is it's viewed as more of a bugfix / feature than a security fix, which would still be true now.)
Times have changed since 2016. More and more Linux distributions have switched to OpenSSL 1.1.x.
This was removed here: bc26646 essentially for dropping compatibility with older than 0.9.8 openssl versions.
I don't think that it's a good idea to drop support for old OpenSSL versions from Python 3.4.
I get 3 test failures, but they shouldn't really matter at this point:
I have the same in Python 3.5, so they are not caused by my backport but are "expected". I don't think that it's worth it to fix these tests in Python 3.4 and 3.5.
--
@stratakis: Let's apply this change downstream ;-)