Before upgrading to OpenSSL 3.0.17 or newer, look at python/cpython#136881

[geofft]

I saw this go by on the Debian OpenSSL packagers list (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110254#10).

According to python/cpython#136881, there is a change in the OpenSSL point releases from July 1, including 3.0.17 LTS, that breaks a test case on Python 3.12. There's a fix in Python 3.13, but it will not be backported to older versions. It sounds like you can either locally revert the change in OpenSSL, or locally backport the change to Python.

I haven't looked at what the bug actually is and how much it matters, but we're in a position to apply patches to both OpenSSL and Python as needed, so it's probably good for us to not ship this bug. We're currently on 3.0.16, but we ought to upgrade to the latest point release (or to 3.5.x LTS, perhaps).

I also haven't looked at whether it has been reported as a regression to the OpenSSL team and might be fixed in a later OpenSSL point release, and whether it's present in versions of Python older than 3.12.

[Edward-Knight]

I didn't run into this issue when updating to OpenSSL 3.5 in #782 - perhaps we can close this issue?

[geofft]

Well, we're not yet running the upstream test suite in CI (which we should!) and it sounds like the failure is nondeterministic, but my reading of the upstream bug is that this was fixed in 3.5.3 (openssl/openssl@c4c92f3), which I'm landing in #797, so I'm comfortable closing this and shipping 3.5. (I also haven't yet managed to reproduce the crash with 3.5.2 after a very small amount of trying.)