Thanks to the support and collaboration of ssl module maintainers, as of PR 133624, mainline CPython is now fully build- and test-compatible with mainline AWS-LC.
As a final step in this integration, I’d like to propose adding an AWS-LC CI job to CPython’s CI alongside the OpenSSL 3.x tests. We’ve tested this integration in AWS-LC’s CI for well over a year now, and are committed to preserving CPython 3.10+ compatibility in future AWS-LC releases.
Some implementation thoughts:
- The CI job could be marked as “non-required” initially
- Job pins AWS-LC to a specific release/version for stability
- Only test one version and build mode of AWS-LC (i.e. non-FIPS) in CPython’s CI as AWS-LC has plenty such coverage
- Test code exists for testing against non-OpenSSL libssl/libcrypto, namely LibreSSL. This would be easy to extend for AWS-LC
If the community agrees that adding an AWS-LC CI job to CPython’s GitHub is directionally good, I’m happy to post a PR where we can hash out the details.