Can't build '_ssl' extension with Python 3.11.2 and OpenSSL 3.1 #103242

Closed
jan-busa opened this issue Apr 4, 2023 · 3 comments
Labels: 3.11 (only security fixes); build (The build process and cross-build); topic-SSL; type-bug (An unexpected behavior, bug, or error)

Comments

jan-busa commented Apr 4, 2023

Bug report

I have tried to build the latest tagged release of Python v3.11.2 on a CentOS7 system with a locally built OpenSSL library v3.1.0. During the configuration step the ssl library and headers are properly found. When I build Python I encounter this error:

```
building '_ssl' extension
gcc -pthread .... /Modules/_ssl.o
_ssl.c: In function '_ssl__SSLContext_set_ecdh_curve':
/.../Python/Modules/_ssl.c:4344:11: error: implicit declaration of function 'EC_KEY_new_by_curve_name' [-Werror=implicit-function-declaration]
 4344 |     key = EC_KEY_new_by_curve_name(nid);
      |           ^~~~~~~~~~~~~~~~~~~~~~~~
/.../Python/Modules/_ssl.c:4344:9: warning: assignment to 'EC_KEY *' {aka 'struct ec_key_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
 4344 |     key = EC_KEY_new_by_curve_name(nid);
      |         ^
/.../Python/Modules/_ssl.c:4350:5: error: implicit declaration of function 'EC_KEY_free'; did you mean 'EVP_KEM_free'? [-Werror=implicit-function-declaration]
 4350 |     EC_KEY_free(key);
      |     ^~~~~~~~~~~
      |     EVP_KEM_free
cc1: some warnings being treated as errors
```

Looking inside the OpenSSL sources for the mentioned functions EC_KEY_new_by_curve_name and EC_KEY_free, I can see in the file include/openssl/ec.h that they have been deprecated. I suppose that these functions need to be removed from Python's file Python/Modules/_ssl.c, but I don't know anything about the details of OpenSSL, so I would appreciate any help with what to do in this case.

Your environment

  • virtual computer running CentOS7
  • GCC 12.2
  • Python 3.12.2
  • OpenSSL 3.1
  • configure called with:
```
./configure --prefix="$INSTALLROOT" \
            ${OPENSSL_ROOT:+--with-openssl=$OPENSSL_ROOT} \
            ${OPENSSL_ROOT:+--with-openssl-rpath=no} \
            --enable-shared --with-system-expat --with-ensurepip=install
```

jan-busa added the type-bug (An unexpected behavior, bug, or error) label Apr 4, 2023
AlexWaygood added the build (The build process and cross-build) and topic-SSL labels Apr 4, 2023
sobolevn added the 3.11 (only security fixes) label Apr 4, 2023

corona10 (Member) commented Apr 8, 2023

cc @gpshead

corona10 (Member) commented Apr 8, 2023

Hmm, interesting, I succeeded in building CPython with OpenSSL 3.1.0 on my Ubuntu machine (without any change).

```
corona10@CPython-devel:~/cpython$ ./python
Python 3.12.0a7+ (heads/main:0ba0ca05d2, Apr  8 2023, 16:56:15) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 3.1.0 14 Mar 2023'
>>> ssl._OPENSSL_API_VERSION
(3, 1, 0, 0, 0)
corona10@CPython-devel:~/cpython$ openssl version
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
```

corona10 added a commit to corona10/cpython that referenced this issue Apr 8, 2023
gpshead pushed a commit that referenced this issue Apr 8, 2023
…Is (#103378)

Migrate `SSLContext.set_ecdh_curve()` not to use deprecated OpenSSL APIs.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Apr 8, 2023
…ted APIs (pythonGH-103378)

Migrate `SSLContext.set_ecdh_curve()` not to use deprecated OpenSSL APIs.
(cherry picked from commit 3516704)

Co-authored-by: Dong-hee Na <donghee.na@python.org>

gpshead (Member) commented Apr 8, 2023

My "understanding" of the OpenSSL APIs is that the old API still exists but can require a compiler define to expose it? Regardless, moving to the modern API is preferred. Thanks for the report and the PR. The 3.11 change will automerge after CI.

gpshead closed this as completed Apr 8, 2023
miss-islington added a commit that referenced this issue Apr 8, 2023
…Is (GH-103378)

Migrate `SSLContext.set_ecdh_curve()` not to use deprecated OpenSSL APIs.
(cherry picked from commit 3516704)

Co-authored-by: Dong-hee Na <donghee.na@python.org>
warsaw pushed a commit to warsaw/cpython that referenced this issue Apr 11, 2023
…ted APIs (python#103378)

Migrate `SSLContext.set_ecdh_curve()` not to use deprecated OpenSSL APIs.
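
A post-build check for the situation in this thread, added here as an example and not taken from the issue or from CPython: it confirms that the freshly built interpreter can import `ssl`, reports which OpenSSL it was compiled against and which one it loaded, and exercises `SSLContext.set_ecdh_curve()`. The helper name `ssl_build_report` and the curve names tried are assumptions chosen for illustration.

```python
import importlib


def ssl_build_report(curves=("prime256v1", "secp384r1", "not-a-curve")):
    """Smoke-test the _ssl extension of the interpreter running this script."""
    report = {"import_ok": False, "error": None, "openssl": None,
              "runtime": None, "built_against": None,
              "headers_match_runtime": None, "curves": {}}
    try:
        # If the '_ssl' extension did not build, the failure surfaces here.
        ssl = importlib.import_module("ssl")
    except ImportError as exc:
        report["error"] = str(exc)
        return report

    report["import_ok"] = True
    report["openssl"] = ssl.OPENSSL_VERSION        # library loaded at run time
    report["runtime"] = ssl.OPENSSL_VERSION_INFO
    # Private attribute (the one queried in the thread): header version at build.
    report["built_against"] = getattr(ssl, "_OPENSSL_API_VERSION", None)
    if report["built_against"] is not None:
        # A differing major.minor means the dynamic linker picked up another
        # libssl than the one found by configure (relevant without an rpath).
        report["headers_match_runtime"] = (
            tuple(report["runtime"][:2]) == tuple(report["built_against"][:2]))

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for name in curves:
        try:
            ctx.set_ecdh_curve(name)    # the method whose C code failed to compile
            report["curves"][name] = "ok"
        except ValueError as exc:       # name is not a known curve
            report["curves"][name] = f"rejected: {exc}"
        except ssl.SSLError as exc:     # known name, refused by the library
            report["curves"][name] = f"error: {exc}"
    return report


if __name__ == "__main__":
    result = ssl_build_report()
    for key, value in result.items():
        print(f"{key}: {value}")
    # Non-zero exit lets a build script fail when ssl is missing or mismatched.
    raise SystemExit(0 if result["import_ok"]
                     and result["headers_match_runtime"] is not False else 1)
```

Run it with the newly built binary (for example `./python` from the build tree) rather than the system interpreter, so the report describes the build under test.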