JustAnotherArchivist 6f0c24ec1b | 1 year ago | |
---|---|---|
Dockerfile | 1 year ago | |
README.md | 1 year ago | |
openssl1.1.0-test-certs.patch | 1 year ago | |
openssl1.1.0-test-fuzz.patch | 1 year ago |
A Docker image for building combinations of CPython and OpenSSL versions
The full build command is as follows:
```
docker build \
  --build-arg PYTHON_VERSION=3.11.1 \
  --build-arg PYTHON_SHA256=85879192f2cffd56cb16c092905949ebf3e5e394b7f764723529637901dfb58f \
  --build-arg OPENSSL_VERSION=3.0.7 \
  --build-arg OPENSSL_SHA256=83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e \
  -t python-openssl:py3.11.1-ssl3.0.7 \
  .
```
The `PYTHON_SHA256` is the SHA-256 hash of that version's `.tar.xz` file. The `OPENSSL_SHA256` is the SHA-256 hash of that version's `.tar.gz` file.
The `Dockerfile` includes the SHA-256 hashes for the most recent versions as of January 2023: OpenSSL 1.0.2u, 1.1.0l, 1.1.1q, 3.0.7 and Python 3.7.16, 3.8.16, 3.9.16, 3.10.9, 3.11.1. For these versions, the corresponding `X_SHA256` argument can be omitted.
The OpenSSL test suite contains some certificates with relatively short expiration dates. Because of this, building 1.1.0l fails during testing. See https://github.com/openssl/openssl/issues/15179 and https://github.com/openssl/openssl/issues/18456.
This is fixed by the `openssl1.1.0-test-certs.patch` patch. It is taken from https://github.com/openssl/openssl/pull/18446 but with changes in `test/ct_test.c` ported for compatibility.
There is also a test that uses a now-removed part of the Perl module `File::Glob`. This was patched by https://github.com/openssl/openssl/pull/4040, and an equivalent patch is provided in `openssl1.1.0-test-fuzz.patch`.
OpenSSL in the container is installed under `/usr/local`, which is also declared in the `LD_LIBRARY_PATH` environment variable. When installing an old OpenSSL version, this may break other tools (such as `curl`), which require a newer version. Unset `LD_LIBRARY_PATH` if you need to run those.