A Docker image for building combinations of CPython and OpenSSL versions
# Building

The full build command is as follows:

```sh
docker build \
    --build-arg PYTHON_VERSION=3.11.1 \
    --build-arg PYTHON_SHA256=85879192f2cffd56cb16c092905949ebf3e5e394b7f764723529637901dfb58f \
    --build-arg OPENSSL_VERSION=3.0.7 \
    --build-arg OPENSSL_SHA256=83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e \
    -t python-openssl:py3.11.1-ssl3.0.7 \
    .
```

The `PYTHON_SHA256` is the SHA-256 hash of that version's `.tar.xz` file. The `OPENSSL_SHA256` is the SHA-256 hash of that version's `.tar.gz` file.

The `Dockerfile` includes the SHA-256 hashes for the most recent versions as of January 2023: OpenSSL 1.0.2u, 1.1.0l, 1.1.1q, 3.0.7 and Python 3.7.16, 3.8.16, 3.9.16, 3.10.9, 3.11.1. For these versions, the corresponding `X_SHA256` argument can be omitted.
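
For a version whose hash is not in the `Dockerfile`, the digest passed as `PYTHON_SHA256` or `OPENSSL_SHA256` should be checked against a locally downloaded tarball first. The helper below is an added example, not part of this repository; the function names and the tarball paths are assumptions.

```sh
#!/bin/sh
# Added example: function names and file layout are assumptions, not repository code.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 on an exact match, 1 on a mismatch, 2 on a missing file or malformed digest.
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Fail closed on empty, truncated or non-hex digests instead of comparing them.
    case "$expected" in
        ''|*[!0-9a-f]*) echo "malformed SHA-256: $2" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed SHA-256: $2" >&2; return 2; }
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $1: got $actual" >&2
        return 1
    fi
}

# build_args PYVER PYTARBALL PYSHA SSLVER SSLTARBALL SSLSHA
# Prints the four --build-arg options only if both tarballs match their digests.
build_args() {
    verify_sha256 "$2" "$3" || return 1
    verify_sha256 "$5" "$6" || return 1
    printf '%s\n' "--build-arg PYTHON_VERSION=$1 --build-arg PYTHON_SHA256=$3 --build-arg OPENSSL_VERSION=$4 --build-arg OPENSSL_SHA256=$6"
}

# Usage (paths are placeholders for tarballs you downloaded yourself):
#   build_args 3.11.1 ./Python-3.11.1.tar.xz "$PY_SHA" 3.0.7 ./openssl-3.0.7.tar.gz "$SSL_SHA"
```

Take the expected digest from a source other than the download itself, so that a tampered tarball cannot supply its own matching hash.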

# Compatibility

* Python 3.7 added support for OpenSSL 1.1.1.
* Python 3.10 dropped support for OpenSSL 1.0.2 and 1.1.0 and added support for OpenSSL 3.0.

# Tested combinations

* Python 3.8.16 with OpenSSL 1.0.2u, 1.1.0l, and 1.1.1q
* Python 3.9.16 with OpenSSL 1.0.2u, 1.1.0l, and 1.1.1q
* Python 3.10.9 with OpenSSL 1.1.1q and 3.0.7
* Python 3.11.1 with OpenSSL 1.1.1q and 3.0.7

# OpenSSL 1.1.0 bugs

The OpenSSL test suite contains some certificates with relatively short expiration dates. Because of this, building 1.1.0l fails during the test step. See <https://github.com/openssl/openssl/issues/15179> and <https://github.com/openssl/openssl/issues/18456>.

This is fixed by the `openssl1.1.0-test-certs.patch` patch. It is taken from <https://github.com/openssl/openssl/pull/18446>, but with the changes in `test/ct_test.c` ported for compatibility.

There is also a test that uses a now-removed part of the Perl module `File::Glob`. This was patched by <https://github.com/openssl/openssl/pull/4040>, and an equivalent patch is provided in `openssl1.1.0-test-fuzz.patch`.

# Using non-Python in the container

OpenSSL in the container is installed under `/usr/local`, which is also listed in the `LD_LIBRARY_PATH` environment variable. When an old OpenSSL version is installed, this may break other tools (such as `curl`) that require a newer version. Unset `LD_LIBRARY_PATH` if you need to run those.