Build with OpenSSL 3.5 #775
Description
Following on from #175, OpenSSL 3.0 is going EOL on 2026-09-07.
CPython 3.10+ has an EOL date longer than this (although the 3.10 support ends very soon after, 2026-10).
We should look at building CPython 3.10+ with the OpenSSL 3.5 series.
In terms of upstream support, this is the state of the Linux SSL tests (at the time of writing):
| CPython Version Branch | Linux SSL tests |
|---|---|
| 3.10 | 1.1.1w, 3.0.11, 3.1.3
|
| 3.11 | 1.1.1w, 3.0.15, 3.1.7, 3.2.3
|
| 3.12 | 3.0.15, 3.1.7, 3.2.3, 3.3.2
|
| 3.13 | 1.1.1w, 3.0.15, 3.1.7, 3.2.3, 3.3.2
|
| 3.14 | 1.1.1w, 3.0.17, 3.2.5, 3.3.4, 3.4.2, 3.5.2
|
Full OpenSSL 3.5 support (meaning passes CPython's SSL tests and support for new error codes) is in Python 3.14, but not earlier versions. This won't be backported: python/cpython#127331 (comment).
Although earlier versions won't have "full" support, it looks like at least 3.13 should work with OpenSSL 3.5 if my reading of python/cpython#137720 is correct.
Unless there are any objections, I will make a PR next week to add OpenSSL 3.5.x (in a similar way to how we have openssl-1.1, and openssl-3.0). I'm hoping, at least for 3.13 and 3.14, building with this will "just work".
P.S. we want to be mindful of #722 when doing this