OpenSSL 3.0.0 support (3.8 to 3.10)


I’m working on OpenSSL 3.0.0 support for 3.8, 3.9, and 3.10. Alpha 14 was released last week. The latest alpha has reached a stage of sufficient stability. Most differences between 1.1.1 and 3.0.0 are minor internal changes and not visible to end users. Only hashlib’s usedforsecurity flag needs larger changes, but they will be internal, too. I got tests passing with a couple of patches. You can find more information on ticket Issue 38820: Make Python compatible with OpenSSL 3.0.0 - Python tracker and linked tickets.

My plan is to finish OpenSSL 3.0.0-related work this week and then finalize PEP 644 work next week. It makes backporting easier for me.


can we have a special binary release of python3.8 with OpenSSL 3.0.0 for windows?

Only if you get it from one of the pay-for-support companies such as Anaconda or ActiveState (there may be more, I just don’t have names handy).

Unless there’s some security fix that’s only in OpenSSL 3.0 and not in 1.1, I doubt we’ll even update the sources to build with 3.0. But that’s up to Christian.

OpenSSL 3.0.0 just came out. The new version went through a long development cycle and has lots of internal changes and improvements. I prefer to wait a while and let others iron out the kinks first. Then we can look into updating our binaries to 3.0.0.

Linux distros like Fedora are going to update to the new version soon. Alex and Paul are working on new PyCA cryptography binaries with 3.0.0, too. This will expose more users to the new version and help to discover issues.

In the mean time I’ll keep Python 3.9 to 3.11-dev compatible with OpenSSL 3.0.0. 3.8 is in security-only mode. I’m reluctant to backport changes to 3.8 unless @ambv agrees.

So far we haven’t been porting 3.0.0 specific changes all the way to 3.8 because I understood that the 1.1.1 line will continue to be maintained.

However, since OpenSSL is so closely tied to security, if you’re willing to bring 3.8 to full compatibility with 3.0.0, I will accept all those changes.

To an extent it’s a diminishing return since distros upgrading to 3.0.0 will be probably upgrading Python at the same time. It’s probably more work to backport to 3.8 as well since 3.8 is still compatible with OpenSSL 1.1.0 and 1.0.2.

At the same time we’ll keep maintaining 3.8 until October 2024 so maybe it makes sense to keep it compatible with new operating systems (at least as far as OpenSSL goes).

Entirely up to you.