A Docker image for building combinations of CPython and OpenSSL versions
JustAnotherArchivist 6f0c24ec1b Initial commit 1 year ago
Dockerfile Initial commit 1 year ago
README.md Initial commit 1 year ago
openssl1.1.0-test-certs.patch Initial commit 1 year ago
openssl1.1.0-test-fuzz.patch Initial commit 1 year ago

README.md

A Docker image for building combinations of CPython and OpenSSL versions

Building

The full build command is as follows:

docker build \
  --build-arg PYTHON_VERSION=3.11.1 \
  --build-arg PYTHON_SHA256=85879192f2cffd56cb16c092905949ebf3e5e394b7f764723529637901dfb58f \
  --build-arg OPENSSL_VERSION=3.0.7 \
  --build-arg OPENSSL_SHA256=83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e \
  -t python-openssl:py3.11.1-ssl3.0.7 \
  .

PYTHON_SHA256 is the SHA-256 hash of that Python version's .tar.xz source tarball; OPENSSL_SHA256 is the SHA-256 hash of that OpenSSL version's .tar.gz source tarball. The build uses them to verify the tarballs it downloads, so the image is pinned to exactly the sources whose hashes you pass.

The Dockerfile already includes the SHA-256 hashes for the most recent versions as of January 2023: OpenSSL 1.0.2u, 1.1.0l, 1.1.1q, 3.0.7 and Python 3.7.16, 3.8.16, 3.9.16, 3.10.9, 3.11.1. For these versions the corresponding *_SHA256 build argument can be omitted; for any other version, pass the hash explicitly.
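The following is an added example, not code from this repository: a small driver that hashes locally downloaded source tarballs, applies the "hash may be omitted for pinned versions" rule above, and assembles the docker build command. It assumes the tarballs are already on disk (nothing is fetched), and its pinned-hash table holds only the two hashes quoted in the build command above; extend it from the Dockerfile for the other pinned versions.

```python
"""Driver for the build command above: hash the source tarballs locally,
then assemble the docker build invocation with the matching build args.
Added example, not part of the repository; the tarball paths are assumed
to have been downloaded already (no network access here)."""
import hashlib
from pathlib import Path

# Only the two hashes quoted in the README's example command. The real
# Dockerfile pins more versions; extend this table from it.
KNOWN_PYTHON_SHA256 = {
    "3.11.1": "85879192f2cffd56cb16c092905949ebf3e5e394b7f764723529637901dfb58f",
}
KNOWN_OPENSSL_SHA256 = {
    "3.0.7": "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e",
}


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-megabyte tarball is never held in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball(path, expected_sha256):
    """Raise ValueError if the tarball on disk does not match the pinned hash;
    return the normalised hash otherwise."""
    actual = sha256_of_file(path)
    expected = expected_sha256.strip().lower()
    if actual != expected:
        raise ValueError(f"{path}: SHA-256 mismatch, expected {expected} got {actual}")
    return actual


def build_args(python_version, openssl_version, python_sha256=None, openssl_sha256=None):
    """Return the --build-arg values. A hash may be omitted only when the
    Dockerfile already pins that version; otherwise it is required."""
    if python_sha256 is None and python_version not in KNOWN_PYTHON_SHA256:
        raise ValueError(f"Python {python_version} is not pinned; pass python_sha256")
    if openssl_sha256 is None and openssl_version not in KNOWN_OPENSSL_SHA256:
        raise ValueError(f"OpenSSL {openssl_version} is not pinned; pass openssl_sha256")
    args = [f"PYTHON_VERSION={python_version}", f"OPENSSL_VERSION={openssl_version}"]
    if python_sha256 is not None:
        args.append(f"PYTHON_SHA256={python_sha256}")
    if openssl_sha256 is not None:
        args.append(f"OPENSSL_SHA256={openssl_sha256}")
    return args


def image_tag(python_version, openssl_version):
    """Tag convention used in the README: python-openssl:py<ver>-ssl<ver>."""
    return f"python-openssl:py{python_version}-ssl{openssl_version}"


def docker_build_command(python_version, openssl_version,
                         python_tarball=None, openssl_tarball=None, context="."):
    """Assemble the full command as an argv list. When local tarballs are given,
    their hashes are passed explicitly so the image is pinned to exactly the
    files that were inspected, even for versions the Dockerfile already knows."""
    py_hash = sha256_of_file(python_tarball) if python_tarball else None
    ssl_hash = sha256_of_file(openssl_tarball) if openssl_tarball else None
    cmd = ["docker", "build"]
    for arg in build_args(python_version, openssl_version, py_hash, ssl_hash):
        cmd += ["--build-arg", arg]
    cmd += ["-t", image_tag(python_version, openssl_version), context]
    return cmd


def selftest_verify():
    """Exercise verify_tarball on a constructed stand-in tarball (the bytes
    b'abc', whose SHA-256 is well known) with a right and a wrong hash."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "Python-0.0.0.tar.xz"  # constructed, not a real tarball
        fake.write_bytes(b"abc")
        good = verify_tarball(fake, "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD")
        try:
            verify_tarball(fake, "0" * 64)
            rejected = False
        except ValueError:
            rejected = True
    return good, rejected


if __name__ == "__main__":
    # Dry run for the README's own example pair; hashes come from the pinned table.
    print(" ".join(docker_build_command("3.11.1", "3.0.7")))
```

The argv list returned by docker_build_command can be handed straight to subprocess.run(cmd, check=True); keeping it as a list rather than a shell string means version strings are never shell-interpreted.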

Compatibility

  • Python 3.7 needs OpenSSL 1.0.2 or newer for its ssl module and added support for OpenSSL 1.1.1 (and with it TLS 1.3).
  • Python 3.10 dropped support for OpenSSL 1.0.2 and 1.1.0 (PEP 644 makes 1.1.1 the minimum) and added support for OpenSSL 3.0.
  • OpenSSL 1.0.2 and 1.1.0 reached end of life in 2019 and receive no security fixes; builds against them are for compatibility testing only, not for anything that handles real traffic.

Tested combinations

  • Python 3.8.16 with OpenSSL 1.0.2u, 1.1.0l, and 1.1.1q
  • Python 3.9.16 with OpenSSL 1.0.2u, 1.1.0l, and 1.1.1q
  • Python 3.10.9 with OpenSSL 1.1.1q and 3.0.7
  • Python 3.11.1 with OpenSSL 1.1.1q and 3.0.7
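An added example, not part of this repository, of the check worth running inside each built image before trusting a combination from the lists above: it confirms that the interpreter's ssl module is backed by the OpenSSL requested at build time, that the compile-time TLS 1.3 flag agrees with the OpenSSL line actually loaded (present from 1.1.1 on, absent on 1.0.2 and 1.1.0), and, on Python 3.10 and later, that the headers CPython was compiled against match the libssl the dynamic loader picked. The script name check_openssl.py and the use of the private ssl._OPENSSL_API_VERSION attribute are this example's own choices; the comparison logic is kept free of the running interpreter so it can be exercised with constructed inputs.

```python
"""Smoke test to run inside a built image: is this interpreter's ssl module
really backed by the OpenSSL requested at build time, and does its feature
set match that OpenSSL line?  Added example, not part of the repository.

    docker run --rm python-openssl:py3.11.1-ssl3.0.7 python3 check_openssl.py 3.0.7
"""
import re
import ssl
import sys

# ssl.OPENSSL_VERSION looks like "OpenSSL 1.1.1q  5 Jul 2022" or
# "OpenSSL 3.0.7 1 Nov 2022"; the build date after the version is ignored.
_VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(version_string):
    """Return (major, minor, patch, letter). Releases before 3.0 carry a letter
    suffix ('1.1.1q'); 3.x releases have an empty letter."""
    m = _VERSION_RE.match(version_string)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def supports_tls13(version):
    """TLS 1.3 arrived in OpenSSL 1.1.1; 1.0.2 and 1.1.0 cannot offer it."""
    return version[:3] >= (1, 1, 1)


def check_build(requested, version_string, has_tls13, version_info, api_version=None):
    """Pure comparison, so it can be exercised with constructed inputs.

    requested      -- the OPENSSL_VERSION build arg, e.g. '1.1.1q' or '3.0.7'
    version_string -- ssl.OPENSSL_VERSION, reported by the libssl actually loaded
    has_tls13      -- ssl.HAS_TLSv1_3, fixed when the ssl module was compiled
    version_info   -- ssl.OPENSSL_VERSION_INFO, 5-tuple (major, minor, fix,
                      patch, status) from the loaded libssl
    api_version    -- ssl._OPENSSL_API_VERSION, same layout but taken from the
                      headers CPython was compiled against (private, 3.10+ only)
    """
    loaded = parse_openssl_version(version_string)
    wanted = parse_openssl_version("OpenSSL " + requested)
    findings = {
        "loaded": version_string,
        # The libssl the interpreter loaded is the one asked for at build time.
        "loaded_matches_requested": loaded == wanted,
        # HAS_TLSv1_3 is decided at compile time, so it disagreeing with the loaded
        # library means the module was built against a different OpenSSL line.
        "tls13_as_expected": bool(has_tls13) == supports_tls13(loaded),
    }
    if api_version is not None:
        # Compile-time headers vs. run-time library. These diverge when
        # LD_LIBRARY_PATH or a shared SONAME (libssl.so.1.1 serves both 1.1.0
        # and 1.1.1) makes the dynamic loader pick a different libssl.
        findings["compiled_matches_loaded"] = tuple(api_version) == tuple(version_info)
    return findings


def all_ok(findings):
    """True when every boolean finding passed."""
    return all(v for v in findings.values() if isinstance(v, bool))


def check_running_interpreter(requested):
    """Apply check_build to the interpreter this script runs under."""
    return check_build(
        requested,
        ssl.OPENSSL_VERSION,
        ssl.HAS_TLSv1_3,
        ssl.OPENSSL_VERSION_INFO,
        getattr(ssl, "_OPENSSL_API_VERSION", None),  # absent before Python 3.10
    )


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <openssl version, e.g. 1.1.1q>")
    result = check_running_interpreter(sys.argv[1])
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if all_ok(result) else 1)
```

A non-zero exit makes the script usable as a gate after docker build in a matrix job; the loaded version string is always printed so a failing combination can be read off the log directly.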

OpenSSL 1.1.0 bugs

The OpenSSL 1.1.0 test suite contains certificates with short validity periods that have since expired, so building 1.1.0l fails in its test stage. See https://github.com/openssl/openssl/issues/15179 and https://github.com/openssl/openssl/issues/18456. The openssl1.1.0-test-certs.patch patch fixes this; it is taken from https://github.com/openssl/openssl/pull/18446, with the changes to test/ct_test.c ported for compatibility with 1.1.0.

A further test relies on a part of the Perl module File::Glob that has since been removed from Perl. Upstream fixed this in https://github.com/openssl/openssl/pull/4040; openssl1.1.0-test-fuzz.patch carries the equivalent change for 1.1.0.

Using non-Python tools in the container

OpenSSL in the container is installed under /usr/local, and its library directory is also declared in the LD_LIBRARY_PATH environment variable so that the built Python finds it. When an old OpenSSL version is installed, this can break other tools in the image (such as curl) that were linked against the distribution's newer OpenSSL: the shadowing library may share a SONAME with the system one (libssl.so.1.1 is used by both 1.1.0 and 1.1.1), so the dynamic loader picks the older copy and the tool fails to load. Unset LD_LIBRARY_PATH for such commands, for example env -u LD_LIBRARY_PATH curl --version.