Support building ssl and hashlib modules against AWS-LC

Thanks to the support and collaboration of ssl module maintainers, as of PR 133624, mainline CPython is now fully build- and test-compatible with mainline AWS-LC.

As a final step in this integration, I’d like to propose adding an AWS-LC CI job to CPython’s CI alongside the OpenSSL 3.x tests. We’ve tested this integration in AWS-LC’s CI for well over a year now, and are committed to preserving CPython 3.10+ compatibility in future AWS-LC releases.

Some implementation thoughts:

  • The CI job could be marked as “non-required” initially
  • Job pins AWS-LC to a specific release/version for stability
  • Only test one version and build mode of AWS-LC (i.e. non-FIPS) in CPython’s CI as AWS-LC has plenty such coverage
  • Test code exists for testing against non-OpenSSL libssl/libcrypto, namely LibreSSL. This would be easy to extend for AWS-LC

If the community agrees that adding an AWS-LC CI job to CPython’s GitHub is directionally good, I’m happy to post a PR where we can hash out the details.

cc @picnixz @gpshead @encukou
