Add OpenSSL 3.5, build with instead of 3.0

Edward-Knight · Edward-Knight · commit c8659d9fe06f · 2025-09-01T14:18:32.000+01:00
This means all supported Unix platforms (CPython 3.9+),
and Windows from CPython 3.11+.

This initial attempt copies what we did for OpenSSL 3.0.
diff --git a/cpython-unix/Makefile b/cpython-unix/Makefile
@@ -177,6 +177,9 @@ $(OUTDIR)/openssl-1.1-$(OPENSSL_1.1_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP
 $(OUTDIR)/openssl-3.0-$(OPENSSL_3.0_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.0.sh
 	$(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.0
 
+$(OUTDIR)/openssl-3.5-$(OPENSSL_3.5_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.5.sh
+	$(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.5
+
 LIBEDIT_DEPENDS = \
     $(PYTHON_DEP_DEPENDS) \
     $(OUTDIR)/ncurses-$(NCURSES_VERSION)-$(PACKAGE_SUFFIX).tar \
@@ -263,6 +266,7 @@ PYTHON_DEPENDS_$(1) := \
     $$(if $$(NEED_NCURSES),$$(OUTDIR)/ncurses-$$(NCURSES_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_OPENSSL_1_1),$$(OUTDIR)/openssl-1.1-$$(OPENSSL_1.1_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_OPENSSL_3_0),$$(OUTDIR)/openssl-3.0-$$(OPENSSL_3.0_VERSION)-$$(PACKAGE_SUFFIX).tar) \
+    $$(if $$(NEED_OPENSSL_3_5),$$(OUTDIR)/openssl-3.5-$$(OPENSSL_3.5_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_PATCHELF),$$(OUTDIR)/patchelf-$$(PATCHELF_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_SQLITE),$$(OUTDIR)/sqlite-$$(SQLITE_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_TCL),$$(OUTDIR)/tcl-$$(TCL_VERSION)-$$(PACKAGE_SUFFIX).tar) \
diff --git a/cpython-unix/build-openssl-3.5.sh b/cpython-unix/build-openssl-3.5.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+set -ex
+
+ROOT=`pwd`
+
+export PATH=${TOOLS_PATH}/${TOOLCHAIN}/bin:${TOOLS_PATH}/host/bin:$PATH
+
+tar -xf openssl-${OPENSSL_3_5_VERSION}.tar.gz
+
+pushd openssl-${OPENSSL_3_5_VERSION}
+
+# Otherwise it gets set to /tools/deps/ssl by default.
+case "${TARGET_TRIPLE}" in
+    *apple*)
+        EXTRA_FLAGS="--openssldir=/private/etc/ssl"
+        ;;
+    *)
+        EXTRA_FLAGS="--openssldir=/etc/ssl"
+        ;;
+esac
+
+# musl is missing support for various primitives.
+# TODO disable secure memory is a bit scary. We should look into a proper
+# workaround.
+if [ "${CC}" = "musl-clang" ]; then
+    EXTRA_FLAGS="${EXTRA_FLAGS} no-async -DOPENSSL_NO_ASYNC -D__STDC_NO_ATOMICS__=1 no-engine -DOPENSSL_NO_SECURE_MEMORY"
+fi
+
+# The -arch cflags confuse Configure. And OpenSSL adds them anyway.
+# Strip them.
+EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch arm64/}
+EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch x86_64/}
+
+EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}"
+
+/usr/bin/perl ./Configure \
+  --prefix=/tools/deps \
+  --libdir=lib \
+  ${OPENSSL_TARGET} \
+  no-legacy \
+  no-shared \
+  no-tests \
+  ${EXTRA_FLAGS}
+
+make -j ${NUM_CPUS}
+make -j ${NUM_CPUS} install_sw install_ssldirs DESTDIR=${ROOT}/out
diff --git a/cpython-unix/build.py b/cpython-unix/build.py
@@ -274,7 +274,7 @@ def simple_build(
 
         add_target_env(env, host_platform, target_triple, build_env)
 
-        if entry in ("openssl-1.1", "openssl-3.0"):
+        if entry.startswith("openssl-"):
             settings = get_targets(TARGETS_CONFIG)[target_triple]
             env["OPENSSL_TARGET"] = settings["openssl_target"]
 
@@ -1114,6 +1114,7 @@ def main():
             "ncurses",
             "openssl-1.1",
             "openssl-3.0",
+            "openssl-3.5",
             "patchelf",
             "sqlite",
             "tcl",
diff --git a/cpython-unix/targets.yml b/cpython-unix/targets.yml
@@ -102,7 +102,7 @@ aarch64-apple-darwin:
     - libffi
     - m4
     - mpdecimal
-    - openssl-3.0
+    - openssl-3.5
     - sqlite
     - tcl
     - tk
@@ -149,7 +149,7 @@ aarch64-apple-ios:
     - libffi
     - m4
     - mpdecimal
-    - openssl-3.0
+    - openssl-3.5
     - sqlite
     - xz
     - zstd
@@ -190,7 +190,7 @@ aarch64-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -244,7 +244,7 @@ arm64-apple-tvos:
     - expat
     - m4
     - mpdecimal
-    - openssl-3.0
+    - openssl-3.5
     - sqlite
     - xz
     - zstd
@@ -279,7 +279,7 @@ armv7-unknown-linux-gnueabi:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -320,7 +320,7 @@ armv7-unknown-linux-gnueabihf:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -361,7 +361,7 @@ mips-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -402,7 +402,7 @@ mipsel-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -443,7 +443,7 @@ ppc64le-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -484,7 +484,7 @@ riscv64-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -525,7 +525,7 @@ s390x-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -574,7 +574,7 @@ thumb7k-apple-watchos:
     - expat
     - m4
     - mpdecimal
-    - openssl-3.0
+    - openssl-3.5
     - sqlite
     - xz
     - zstd
@@ -627,7 +627,7 @@ x86_64-apple-darwin:
     - libffi
     - m4
     - mpdecimal
-    - openssl-3.0
+    - openssl-3.5
     - sqlite
     - tcl
     - tk
@@ -674,7 +674,7 @@ x86_64-apple-ios:
     - libffi
     - m4
     - mpdecimal
-    - openssl-3.0
+    - openssl-3.5
     - sqlite
     - xz
     - zstd
@@ -717,7 +717,7 @@ x86_64-apple-tvos:
     - expat
     - m4
     - mpdecimal
-    - openssl-3.0
+    - openssl-3.5
     - sqlite
     - xz
     - zstd
@@ -760,7 +760,7 @@ x86_64-apple-watchos:
     - expat
     - m4
     - mpdecimal
-    - openssl-3.0
+    - openssl-3.5
     - sqlite
     - xz
     - zstd
@@ -799,7 +799,7 @@ x86_64-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -846,7 +846,7 @@ x86_64_v2-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -893,7 +893,7 @@ x86_64_v3-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -940,7 +940,7 @@ x86_64_v4-unknown-linux-gnu:
     - m4
     - mpdecimal
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -985,7 +985,7 @@ x86_64-unknown-linux-musl:
     - mpdecimal
     - musl
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -1030,7 +1030,7 @@ x86_64_v2-unknown-linux-musl:
     - mpdecimal
     - musl
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -1075,7 +1075,7 @@ x86_64_v3-unknown-linux-musl:
     - mpdecimal
     - musl
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -1120,7 +1120,7 @@ x86_64_v4-unknown-linux-musl:
     - mpdecimal
     - musl
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
@@ -1167,7 +1167,7 @@ aarch64-unknown-linux-musl:
     - mpdecimal
     - musl
     - ncurses
-    - openssl-3.0
+    - openssl-3.5
     - patchelf
     - sqlite
     - tcl
diff --git a/cpython-windows/build.py b/cpython-windows/build.py
@@ -470,7 +470,7 @@ def hack_props(
         raise Exception("unhandled architecture: %s" % arch)
 
     try:
-        # CPython 3.11+ builds with OpenSSL 3.0 by default.
+        # CPython 3.11+ builds with OpenSSL 3.x by default.
         static_replace_in_file(
             openssl_props,
             b"<_DLLSuffix>-3</_DLLSuffix>",
@@ -1874,7 +1874,7 @@ def main() -> None:
         if args.python in ("cpython-3.9", "cpython-3.10"):
             openssl_entry = "openssl-1.1"
         else:
-            openssl_entry = "openssl-3.0"
+            openssl_entry = "openssl-3.5"
 
         openssl_archive = BUILD / (
             "%s-%s-%s.tar" % (openssl_entry, target_triple, build_options)
diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py
@@ -247,9 +247,6 @@
         "licenses": ["OpenSSL"],
         "license_file": "LICENSE.openssl-1.1.txt",
     },
-    # We use OpenSSL 3.0 because it is an LTS release and has a longer support
-    # window. If CPython ends up gaining support for 3.1+ releases, we can consider
-    # using the latest available.
     # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading.
     "openssl-3.0": {
         "url": "https://www.openssl.org/source/openssl-3.0.16.tar.gz",
@@ -260,6 +257,16 @@
         "licenses": ["Apache-2.0"],
         "license_file": "LICENSE.openssl-3.txt",
     },
+    # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading.
+    "openssl-3.5": {
+        "url": "https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz",
+        "size": 53180161,
+        "sha256": "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec",
+        "version": "3.5.2",
+        "library_names": ["crypto", "ssl"],
+        "licenses": ["Apache-2.0"],
+        "license_file": "LICENSE.openssl-3.txt",
+    },
     "nasm-windows-bin": {
         "url": "https://github.com/python/cpython-bin-deps/archive/nasm-2.11.06.tar.gz",
         "size": 384826,
diff --git a/src/verify_distribution.py b/src/verify_distribution.py
@@ -147,12 +147,12 @@ def test_ssl(self):
         self.assertTrue(ssl.HAS_TLSv1_2)
         self.assertTrue(ssl.HAS_TLSv1_3)
 
-        # OpenSSL 1.1 on older CPython versions on Windows. 3.0 everywhere
+        # OpenSSL 1.1 on older CPython versions on Windows. 3.5 everywhere
         # else.
         if os.name == "nt" and sys.version_info[0:2] < (3, 11):
             wanted_version = (1, 1, 1, 23, 15)
         else:
-            wanted_version = (3, 0, 0, 16, 0)
+            wanted_version = (3, 5, 0, 2, 0)
 
         self.assertEqual(ssl.OPENSSL_VERSION_INFO, wanted_version)
 
