From 928602c0ac385eca81b90956ba8d36d04e7dd6de Mon Sep 17 00:00:00 2001 From: Zachary Ware Date: Fri, 13 Feb 2026 12:48:52 -0600 Subject: [PATCH 1/6] gh-144551: Update Windows builds to use OpenSSL 3.0.19 (GH-144793) --- .../2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst | 1 + Misc/externals.spdx.json | 8 ++++---- PCbuild/get_externals.bat | 4 ++-- PCbuild/python.props | 4 ++-- PCbuild/readme.txt | 2 +- 5 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 Misc/NEWS.d/next/Windows/2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst diff --git a/Misc/NEWS.d/next/Windows/2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst b/Misc/NEWS.d/next/Windows/2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst new file mode 100644 index 00000000000000..81ff2f4a18c1e7 --- /dev/null +++ b/Misc/NEWS.d/next/Windows/2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst @@ -0,0 +1 @@ +Updated bundled version of OpenSSL to 3.0.19. diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json index dba01de8352d52..a4321a8b9d7c1c 100644 --- a/Misc/externals.spdx.json +++ b/Misc/externals.spdx.json @@ -70,21 +70,21 @@ "checksums": [ { "algorithm": "SHA256", - "checksumValue": "9b07560b6c1afa666bd78b8d3aa5c83fdda02149afdf048596d5b0e0dac1ee55" + "checksumValue": "c6ea8a5423f3966923060db2089f869017dfb10bcf2037394146e7a74caec0a8" } ], - "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.0.18.tar.gz", + "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.0.19.tar.gz", "externalRefs": [ { "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.18:*:*:*:*:*:*:*", + "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.19:*:*:*:*:*:*:*", "referenceType": "cpe23Type" } ], "licenseConcluded": "NOASSERTION", "name": "openssl", "primaryPackagePurpose": "SOURCE", - "versionInfo": "3.0.18" + "versionInfo": "3.0.19" }, { "SPDXID": "SPDXRef-PACKAGE-sqlite", diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat index 9d02e2121cc623..2aed6cfa72d5a2 100644 --- a/PCbuild/get_externals.bat +++ b/PCbuild/get_externals.bat @@ -54,7 +54,7 @@ echo.Fetching external libraries... set libraries= set libraries=%libraries% bzip2-1.0.8 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4 -if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.0.18 +if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.0.19 set libraries=%libraries% mpdecimal-4.0.0 set libraries=%libraries% sqlite-3.50.4.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0 @@ -79,7 +79,7 @@ echo.Fetching external binaries... set binaries= if NOT "%IncludeLibffi%"=="false" set binaries=%binaries% libffi-3.4.4 -if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-3.0.18 +if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-3.0.19 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.15.0 if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06 if NOT "%IncludeLLVM%"=="false" set binaries=%binaries% llvm-21.1.4.0 diff --git a/PCbuild/python.props b/PCbuild/python.props index 7840e2a1cfc8e2..dcefc28058609f 100644 --- a/PCbuild/python.props +++ b/PCbuild/python.props @@ -82,8 +82,8 @@ $(libffiDir)$(ArchName)\ $(libffiOutDir)include $(ExternalsDir)\mpdecimal-4.0.0\ - $(ExternalsDir)openssl-3.0.18\ - $(ExternalsDir)openssl-bin-3.0.18\$(ArchName)\ + $(ExternalsDir)openssl-3.0.19\ + $(ExternalsDir)openssl-bin-3.0.19\$(ArchName)\ $(opensslOutDir)include $(ExternalsDir)\nasm-2.11.06\ $(ExternalsDir)\zlib-1.3.1\ diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt index c5d38296070e02..dc7b6acb9c043a 100644 --- a/PCbuild/readme.txt +++ b/PCbuild/readme.txt @@ -218,7 +218,7 @@ _lzma https://tukaani.org/xz/ _ssl - Python wrapper for version 3.0.15 of the OpenSSL secure sockets + Python wrapper for version 3.0.19 of the OpenSSL secure sockets library, which is itself downloaded from our binaries repository at https://github.com/python/cpython-bin-deps and built by openssl.vcxproj. From b933ef92619db2a103a26c70e69b6d31978eb566 Mon Sep 17 00:00:00 2001 From: Zachary Ware Date: Fri, 13 Feb 2026 13:06:07 -0600 Subject: [PATCH 2/6] gh-144551: Update CI to use latest OpenSSL versions (GH-144794) Also update _ssl_data_36.h to include an added symbol from 3.6.1. --- .github/workflows/build.yml | 2 +- Modules/_ssl_data_36.h | 9 +++++++-- Tools/ssl/multissltests.py | 10 +++++----- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 046e678f8c1b4b..f9a6fb61272e44 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -261,7 +261,7 @@ jobs: # Keep 1.1.1w in our list despite it being upstream EOL and otherwise # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs # supported by important vendors such as AWS-LC. - openssl_ver: [1.1.1w, 3.0.18, 3.3.5, 3.4.3, 3.5.4, 3.6.0] + openssl_ver: [1.1.1w, 3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1] # See Tools/ssl/make_ssl_data.py for notes on adding a new version env: OPENSSL_VER: ${{ matrix.openssl_ver }} diff --git a/Modules/_ssl_data_36.h b/Modules/_ssl_data_36.h index 02b8b66e80fce2..5a2e0d067e2dc7 100644 --- a/Modules/_ssl_data_36.h +++ b/Modules/_ssl_data_36.h @@ -1,6 +1,6 @@ /* File generated by Tools/ssl/make_ssl_data.py */ -/* Generated on 2026-01-17T13:03:49.335767+00:00 */ -/* Generated from Git commit openssl-3.6.0-0-g7b371d80d9 */ +/* Generated on 2026-02-13T18:19:19.227109+00:00 */ +/* Generated from Git commit openssl-3.6.1-0-gc9a9e5b10 */ /* generated from args.lib2errnum */ static struct py_ssl_library_code library_codes[] = { @@ -1668,6 +1668,11 @@ static struct py_ssl_error_code error_codes[] = { #else {"CERTIFICATE_VERIFY_ERROR", 46, 100}, #endif + #ifdef CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA + {"CIPHER_AEAD_IN_ENVELOPED_DATA", ERR_LIB_CMS, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA}, + #else + {"CIPHER_AEAD_IN_ENVELOPED_DATA", 46, 200}, + #endif #ifdef CMS_R_CIPHER_AEAD_SET_TAG_ERROR {"CIPHER_AEAD_SET_TAG_ERROR", ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR}, #else diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index 828fb8b44f9b08..a08e0518f457f5 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py @@ -49,11 +49,11 @@ ] OPENSSL_RECENT_VERSIONS = [ - "3.0.18", - "3.3.5", - "3.4.3", - "3.5.4", - "3.6.0", + "3.0.19", + "3.3.6", + "3.4.4", + "3.5.5", + "3.6.1", # See make_ssl_data.py for notes on adding a new version. ] From 629a363ddd2889f023d5925506e61f5b6647accd Mon Sep 17 00:00:00 2001 From: Rafael Weingartner-Ortner <38643099+RafaelWO@users.noreply.github.com> Date: Fri, 13 Feb 2026 20:51:56 +0100 Subject: [PATCH 3/6] gh-136672: Docs: Move parts of Enum HOWTO to API Docs (GH-139176) To avoid duplicate content in the Enum HOWTO and API documentation which is not automatically synced, the section about supported __dunder__ and _sunder names is moved from HOWTO to API docs. See also https://github.com/python/cpython/pull/136791 --- Doc/howto/enum.rst | 82 +++++++------------------------------------- Doc/library/enum.rst | 57 ++++++++++++++++++++++++------ 2 files changed, 58 insertions(+), 81 deletions(-) diff --git a/Doc/howto/enum.rst b/Doc/howto/enum.rst index 7713aede6d564a..93850b57af2c65 100644 --- a/Doc/howto/enum.rst +++ b/Doc/howto/enum.rst @@ -965,75 +965,16 @@ want one of them to be the value:: Finer Points -^^^^^^^^^^^^ - -Supported ``__dunder__`` names -"""""""""""""""""""""""""""""" - -:attr:`~enum.EnumType.__members__` is a read-only ordered mapping of ``member_name``:``member`` -items. It is only available on the class. - -:meth:`~object.__new__`, if specified, must create and return the enum members; it is -also a very good idea to set the member's :attr:`~Enum._value_` appropriately. Once -all the members are created it is no longer used. - - -Supported ``_sunder_`` names -"""""""""""""""""""""""""""" +------------ -- :attr:`~Enum._name_` -- name of the member -- :attr:`~Enum._value_` -- value of the member; can be set in ``__new__`` -- :meth:`~Enum._missing_` -- a lookup function used when a value is not found; - may be overridden -- :attr:`~Enum._ignore_` -- a list of names, either as a :class:`list` or a - :class:`str`, that will not be transformed into members, and will be removed - from the final class -- :meth:`~Enum._generate_next_value_` -- used to get an appropriate value for - an enum member; may be overridden -- :meth:`~Enum._add_alias_` -- adds a new name as an alias to an existing - member. -- :meth:`~Enum._add_value_alias_` -- adds a new value as an alias to an - existing member. See `MultiValueEnum`_ for an example. +Supported ``__dunder__`` and ``_sunder_`` names +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - .. note:: - - For standard :class:`Enum` classes the next value chosen is the highest - value seen incremented by one. - - For :class:`Flag` classes the next value chosen will be the next highest - power-of-two. - - .. versionchanged:: 3.13 - Prior versions would use the last seen value instead of the highest value. - -.. versionadded:: 3.6 ``_missing_``, ``_order_``, ``_generate_next_value_`` -.. versionadded:: 3.7 ``_ignore_`` -.. versionadded:: 3.13 ``_add_alias_``, ``_add_value_alias_`` - -To help keep Python 2 / Python 3 code in sync an :attr:`~Enum._order_` attribute can -be provided. It will be checked against the actual order of the enumeration -and raise an error if the two do not match:: - - >>> class Color(Enum): - ... _order_ = 'RED GREEN BLUE' - ... RED = 1 - ... BLUE = 3 - ... GREEN = 2 - ... - Traceback (most recent call last): - ... - TypeError: member order does not match _order_: - ['RED', 'BLUE', 'GREEN'] - ['RED', 'GREEN', 'BLUE'] - -.. note:: - - In Python 2 code the :attr:`~Enum._order_` attribute is necessary as definition - order is lost before it can be recorded. +The supported ``__dunder__`` and ``_sunder_`` names can be found in the :ref:`Enum API documentation `. _Private__names -""""""""""""""" +^^^^^^^^^^^^^^^ :ref:`Private names ` are not converted to enum members, but remain normal attributes. @@ -1042,7 +983,7 @@ but remain normal attributes. ``Enum`` member type -"""""""""""""""""""" +^^^^^^^^^^^^^^^^^^^^ Enum members are instances of their enum class, and are normally accessed as ``EnumClass.member``. In certain situations, such as writing custom enum @@ -1055,7 +996,7 @@ recommended. Creating members that are mixed with other data types -""""""""""""""""""""""""""""""""""""""""""""""""""""" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ When subclassing other data types, such as :class:`int` or :class:`str`, with an :class:`Enum`, all values after the ``=`` are passed to that data type's @@ -1069,7 +1010,7 @@ constructor. For example:: Boolean value of ``Enum`` classes and members -""""""""""""""""""""""""""""""""""""""""""""" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enum classes that are mixed with non-:class:`Enum` types (such as :class:`int`, :class:`str`, etc.) are evaluated according to the mixed-in @@ -1084,7 +1025,7 @@ Plain :class:`Enum` classes always evaluate as :data:`True`. ``Enum`` classes with methods -""""""""""""""""""""""""""""" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If you give your enum subclass extra methods, like the `Planet`_ class below, those methods will show up in a :func:`dir` of the member, @@ -1097,7 +1038,7 @@ but not of the class:: Combining members of ``Flag`` -""""""""""""""""""""""""""""" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Iterating over a combination of :class:`Flag` members will only return the members that are comprised of a single bit:: @@ -1117,7 +1058,7 @@ are comprised of a single bit:: ``Flag`` and ``IntFlag`` minutia -"""""""""""""""""""""""""""""""" +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Using the following snippet for our examples:: @@ -1478,6 +1419,7 @@ alias:: behaviors as well as disallowing aliases. If the only desired change is disallowing aliases, the :func:`unique` decorator can be used instead. +.. _multi-value-enum: MultiValueEnum ^^^^^^^^^^^^^^^^^ diff --git a/Doc/library/enum.rst b/Doc/library/enum.rst index ec7cbfb52b6e99..de56048f56a243 100644 --- a/Doc/library/enum.rst +++ b/Doc/library/enum.rst @@ -307,6 +307,28 @@ Data Types No longer used, kept for backward compatibility. (class attribute, removed during class creation). + The :attr:`~Enum._order_` attribute can be provided to help keep Python 2 / Python 3 code in sync. + It will be checked against the actual order of the enumeration and raise an error if the two do not match:: + + >>> class Color(Enum): + ... _order_ = 'RED GREEN BLUE' + ... RED = 1 + ... BLUE = 3 + ... GREEN = 2 + ... + Traceback (most recent call last): + ... + TypeError: member order does not match _order_: + ['RED', 'BLUE', 'GREEN'] + ['RED', 'GREEN', 'BLUE'] + + .. note:: + + In Python 2 code the :attr:`~Enum._order_` attribute is necessary as definition + order is lost before it can be recorded. + + .. versionadded:: 3.6 + .. attribute:: Enum._ignore_ ``_ignore_`` is only used during creation and is removed from the @@ -316,6 +338,8 @@ Data Types names will also be removed from the completed enumeration. See :ref:`TimePeriod ` for an example. + .. versionadded:: 3.7 + .. method:: Enum.__dir__(self) Returns ``['__class__', '__doc__', '__module__', 'name', 'value']`` and @@ -346,7 +370,16 @@ Data Types :last_values: A list of the previous values. A *staticmethod* that is used to determine the next value returned by - :class:`auto`:: + :class:`auto`. + + .. note:: + For standard :class:`Enum` classes the next value chosen is the highest + value seen incremented by one. + + For :class:`Flag` classes the next value chosen will be the next highest + power-of-two. + + This method may be overridden, e.g.:: >>> from enum import auto, Enum >>> class PowersOfThree(Enum): @@ -359,6 +392,10 @@ Data Types >>> PowersOfThree.SECOND.value 9 + .. versionadded:: 3.6 + .. versionchanged:: 3.13 + Prior versions would use the last seen value instead of the highest value. + .. method:: Enum.__init__(self, *args, **kwds) By default, does nothing. If multiple values are given in the member @@ -397,6 +434,8 @@ Data Types >>> Build('deBUG') + .. versionadded:: 3.6 + .. method:: Enum.__new__(cls, *args, **kwds) By default, doesn't exist. If specified, either in the enum class @@ -490,7 +529,8 @@ Data Types >>> Color(42) - Raises a :exc:`ValueError` if the value is already linked with a different member. + | Raises a :exc:`ValueError` if the value is already linked with a different member. + | See :ref:`multi-value-enum` for an example. .. versionadded:: 3.13 @@ -889,6 +929,8 @@ Data Types --------------- +.. _enum-dunder-sunder: + Supported ``__dunder__`` names """""""""""""""""""""""""""""" @@ -896,7 +938,7 @@ Supported ``__dunder__`` names items. It is only available on the class. :meth:`~Enum.__new__`, if specified, must create and return the enum members; -it is also a very good idea to set the member's :attr:`!_value_` appropriately. +it is also a very good idea to set the member's :attr:`~Enum._value_` appropriately. Once all the members are created it is no longer used. @@ -912,17 +954,10 @@ Supported ``_sunder_`` names from the final class - :attr:`~Enum._order_` -- no longer used, kept for backward compatibility (class attribute, removed during class creation) + - :meth:`~Enum._generate_next_value_` -- used to get an appropriate value for an enum member; may be overridden - .. note:: - - For standard :class:`Enum` classes the next value chosen is the highest - value seen incremented by one. - - For :class:`Flag` classes the next value chosen will be the next highest - power-of-two. - - :meth:`~Enum._add_alias_` -- adds a new name as an alias to an existing member. - :meth:`~Enum._add_value_alias_` -- adds a new value as an alias to an From 543f56fe8d264315f2413414638216fac01f3ade Mon Sep 17 00:00:00 2001 From: Zachary Ware Date: Fri, 13 Feb 2026 15:43:05 -0600 Subject: [PATCH 4/6] gh-144551: Update Windows builds to use OpenSSL 3.5.5 (GH-144796) --- .../2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst | 2 +- Misc/externals.spdx.json | 8 ++++---- PCbuild/get_externals.bat | 4 ++-- PCbuild/python.props | 4 ++-- PCbuild/readme.txt | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Misc/NEWS.d/next/Windows/2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst b/Misc/NEWS.d/next/Windows/2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst index 81ff2f4a18c1e7..810985a352baeb 100644 --- a/Misc/NEWS.d/next/Windows/2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst +++ b/Misc/NEWS.d/next/Windows/2026-02-13-11-07-51.gh-issue-144551.ENtMYD.rst @@ -1 +1 @@ -Updated bundled version of OpenSSL to 3.0.19. +Updated bundled version of OpenSSL to 3.5.5. diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json index a4321a8b9d7c1c..c96367f57fb3f2 100644 --- a/Misc/externals.spdx.json +++ b/Misc/externals.spdx.json @@ -70,21 +70,21 @@ "checksums": [ { "algorithm": "SHA256", - "checksumValue": "c6ea8a5423f3966923060db2089f869017dfb10bcf2037394146e7a74caec0a8" + "checksumValue": "619b30acf7d9b13c9d0ba90d17349e8b524c380cd23d39334b143f74dc4e5ec9" } ], - "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.0.19.tar.gz", + "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.5.5.tar.gz", "externalRefs": [ { "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.19:*:*:*:*:*:*:*", + "referenceLocator": "cpe:2.3:a:openssl:openssl:3.5.5:*:*:*:*:*:*:*", "referenceType": "cpe23Type" } ], "licenseConcluded": "NOASSERTION", "name": "openssl", "primaryPackagePurpose": "SOURCE", - "versionInfo": "3.0.19" + "versionInfo": "3.5.5" }, { "SPDXID": "SPDXRef-PACKAGE-sqlite", diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat index 2aed6cfa72d5a2..f80a025fb3bc78 100644 --- a/PCbuild/get_externals.bat +++ b/PCbuild/get_externals.bat @@ -54,7 +54,7 @@ echo.Fetching external libraries... set libraries= set libraries=%libraries% bzip2-1.0.8 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4 -if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.0.19 +if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.5.5 set libraries=%libraries% mpdecimal-4.0.0 set libraries=%libraries% sqlite-3.50.4.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0 @@ -79,7 +79,7 @@ echo.Fetching external binaries... set binaries= if NOT "%IncludeLibffi%"=="false" set binaries=%binaries% libffi-3.4.4 -if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-3.0.19 +if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-3.5.5 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.15.0 if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06 if NOT "%IncludeLLVM%"=="false" set binaries=%binaries% llvm-21.1.4.0 diff --git a/PCbuild/python.props b/PCbuild/python.props index dcefc28058609f..82e6365bb397a5 100644 --- a/PCbuild/python.props +++ b/PCbuild/python.props @@ -82,8 +82,8 @@ $(libffiDir)$(ArchName)\ $(libffiOutDir)include $(ExternalsDir)\mpdecimal-4.0.0\ - $(ExternalsDir)openssl-3.0.19\ - $(ExternalsDir)openssl-bin-3.0.19\$(ArchName)\ + $(ExternalsDir)openssl-3.5.5\ + $(ExternalsDir)openssl-bin-3.5.5\$(ArchName)\ $(opensslOutDir)include $(ExternalsDir)\nasm-2.11.06\ $(ExternalsDir)\zlib-1.3.1\ diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt index dc7b6acb9c043a..b98a956034c537 100644 --- a/PCbuild/readme.txt +++ b/PCbuild/readme.txt @@ -218,7 +218,7 @@ _lzma https://tukaani.org/xz/ _ssl - Python wrapper for version 3.0.19 of the OpenSSL secure sockets + Python wrapper for version 3.5 of the OpenSSL secure sockets library, which is itself downloaded from our binaries repository at https://github.com/python/cpython-bin-deps and built by openssl.vcxproj. From 7359bb8dacc055bdcbb61f8fa4e375b25eedffd9 Mon Sep 17 00:00:00 2001 From: Zachary Ware Date: Fri, 13 Feb 2026 16:50:15 -0600 Subject: [PATCH 5/6] gh-144551: Update OpenSSL version references in Mac/BuildScript/ (GH-144810) --- Mac/BuildScript/README.rst | 2 +- Mac/BuildScript/resources/ReadMe.rtf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Mac/BuildScript/README.rst b/Mac/BuildScript/README.rst index e44e74f3a49234..54341a81c26743 100644 --- a/Mac/BuildScript/README.rst +++ b/Mac/BuildScript/README.rst @@ -73,7 +73,7 @@ download them. - builds the following third-party libraries - * OpenSSL 3.0.x + * OpenSSL 3.5.x * Tcl/Tk 8.6.x * NCurses * SQLite diff --git a/Mac/BuildScript/resources/ReadMe.rtf b/Mac/BuildScript/resources/ReadMe.rtf index ee5ba4707dfea4..d81bcd5c745baa 100644 --- a/Mac/BuildScript/resources/ReadMe.rtf +++ b/Mac/BuildScript/resources/ReadMe.rtf @@ -19,7 +19,7 @@ \f1\b \cf0 \ul \ulc0 Certificate verification and OpenSSL\ \f0\b0 \ulnone \ -This package includes its own private copy of OpenSSL 3.0. The trust certificates in system and user keychains managed by the +This package includes its own private copy of OpenSSL 3.5. The trust certificates in system and user keychains managed by the \f2\i Keychain Access \f0\i0 application and the \f2\i security From fdbc135f9cf57599cca8aeeed947d0b736fdb197 Mon Sep 17 00:00:00 2001 From: Zachary Ware Date: Fri, 13 Feb 2026 17:02:11 -0600 Subject: [PATCH 6/6] gh-144551: Update various CI jobs to OpenSSL 3.5 (GH-144808) Also includes a fix to the address sanitizer build to build the `_ssl` module against the expected OpenSSL build. --- .github/workflows/build.yml | 6 +++--- .github/workflows/reusable-macos.yml | 4 ++-- .github/workflows/reusable-ubuntu.yml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f9a6fb61272e44..f302cb049326b0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -428,7 +428,7 @@ jobs: needs: build-context if: needs.build-context.outputs.run-ubuntu == 'true' env: - OPENSSL_VER: 3.0.18 + OPENSSL_VER: 3.5.5 PYTHONSTRICTEXTENSIONBUILD: 1 steps: - uses: actions/checkout@v6 @@ -539,7 +539,7 @@ jobs: matrix: os: [ubuntu-24.04] env: - OPENSSL_VER: 3.0.18 + OPENSSL_VER: 3.5.5 PYTHONSTRICTEXTENSIONBUILD: 1 ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0 steps: @@ -574,7 +574,7 @@ jobs: run: | echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV" - name: Configure CPython - run: ./configure --config-cache --with-address-sanitizer --without-pymalloc + run: ./configure --config-cache --with-address-sanitizer --without-pymalloc --with-openssl="$OPENSSL_DIR" - name: Build CPython run: make -j4 - name: Display build info diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml index 7eef66bd9d9324..6afbf6595d93e3 100644 --- a/.github/workflows/reusable-macos.yml +++ b/.github/workflows/reusable-macos.yml @@ -35,7 +35,7 @@ jobs: run: echo "IMAGE_OS_VERSION=${ImageOS}-${ImageVersion}" >> "$GITHUB_ENV" - name: Install Homebrew dependencies run: | - brew install pkg-config openssl@3.0 xz gdbm tcl-tk@9 make + brew install pkg-config openssl@3.5 xz gdbm tcl-tk@9 make # Because alternate versions are not symlinked into place by default: brew link --overwrite tcl-tk@9 - name: Configure CPython @@ -50,7 +50,7 @@ jobs: --enable-safety \ ${{ inputs.free-threading && '--disable-gil' || '' }} \ --prefix=/opt/python-dev \ - --with-openssl="$(brew --prefix openssl@3.0)" + --with-openssl="$(brew --prefix openssl@3.5)" - name: Build CPython if : ${{ inputs.free-threading || inputs.os != 'macos-15-intel' }} run: gmake -j8 diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml index ad725e92f2b20f..03f41069b8430d 100644 --- a/.github/workflows/reusable-ubuntu.yml +++ b/.github/workflows/reusable-ubuntu.yml @@ -27,7 +27,7 @@ jobs: runs-on: ${{ inputs.os }} timeout-minutes: 60 env: - OPENSSL_VER: 3.0.18 + OPENSSL_VER: 3.5.5 PYTHONSTRICTEXTENSIONBUILD: 1 TERM: linux steps: