A Docker image for building combinations of CPython and OpenSSL versions
JustAnotherArchivist 6f0c24ec1b Initial commit 1 year ago
Dockerfile Initial commit 1 year ago
README.md Initial commit 1 year ago
openssl1.1.0-test-certs.patch Initial commit 1 year ago
openssl1.1.0-test-fuzz.patch Initial commit 1 year ago

README.md

Building

The full build command is as follows:

docker build \
  --build-arg PYTHON_VERSION=3.11.1 \
  --build-arg PYTHON_SHA256=85879192f2cffd56cb16c092905949ebf3e5e394b7f764723529637901dfb58f \
  --build-arg OPENSSL_VERSION=3.0.7 \
  --build-arg OPENSSL_SHA256=83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e \
  -t python-openssl:py3.11.1-ssl3.0.7 \
  .

The PYTHON_SHA256 is the SHA-256 hash of that version’s .tar.xz file. The OPENSSL_SHA256 is the SHA-256 hash of that version’s .tar.gz file.

The Dockerfile includes the SHA-256 hashes for the most recent versions as of January 2023: OpenSSL 1.0.2u, 1.1.0l, 1.1.1q, 3.0.7 and Python 3.7.16, 3.8.16, 3.9.16, 3.10.9, 3.11.1. For these versions, the corresponding X_SHA256 argument can be omitted.

Compatibility

  • Python 3.7 added support for OpenSSL 1.1.1.
  • Python 3.10 dropped support for OpenSSL 1.0.2 and 1.1.0 and added support for OpenSSL 3.0.

Tested combinations

  • Python 3.8.16 with OpenSSL 1.0.2u, 1.1.0l, and 1.1.1q
  • Python 3.9.16 with OpenSSL 1.0.2u, 1.1.0l, and 1.1.1q
  • Python 3.10.9 with OpenSSL 1.1.1q and 3.0.7
  • Python 3.11.1 with OpenSSL 1.1.1q and 3.0.7
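
A pre-flight check for the build command and the compatibility notes above, as an added example that is not part of the repository. It rejects Python/OpenSSL pairs the notes rule out and refuses to emit the docker build command unless each locally downloaded tarball matches the SHA-256 you obtained from the publisher. The function names are hypothetical, and Python 3.x version strings are assumed.

```shell
#!/bin/sh
# Added example, not from the repository; function names are hypothetical.

# compatible PY_VER SSL_VER: exit 0 if the README's notes allow the pair (Python 3.x).
compatible() {
    case "$1" in 3.*) ;; *) return 1 ;; esac
    py_minor=$(printf '%s' "$1" | cut -d. -f2)
    case "$2" in
        1.0.2*|1.1.0*) [ "$py_minor" -lt 10 ] 2>/dev/null ;;  # dropped in Python 3.10
        1.1.1*)        [ "$py_minor" -ge 7 ] 2>/dev/null ;;   # added in Python 3.7
        3.0.*)         [ "$py_minor" -ge 10 ] 2>/dev/null ;;  # added in Python 3.10
        *)             return 1 ;;                            # not covered by the README
    esac
}

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: exit 0 only if EXPECTED is 64 hex digits and matches FILE.
verify_sha256() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$want" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#want}" -eq 64 ] && [ "$(sha256_of "$1")" = "$want" ]
}

# build_command PY_VER PY_TARBALL PY_SHA256 SSL_VER SSL_TARBALL SSL_SHA256
# Print the README's docker build command once the pair and both hashes check out.
build_command() {
    compatible "$1" "$4" || { echo "unsupported pair: Python $1 / OpenSSL $4" >&2; return 1; }
    verify_sha256 "$2" "$3" || { echo "SHA-256 mismatch: $2" >&2; return 1; }
    verify_sha256 "$5" "$6" || { echo "SHA-256 mismatch: $5" >&2; return 1; }
    printf 'docker build --build-arg PYTHON_VERSION=%s --build-arg PYTHON_SHA256=%s --build-arg OPENSSL_VERSION=%s --build-arg OPENSSL_SHA256=%s -t python-openssl:py%s-ssl%s .\n' \
        "$1" "$3" "$4" "$6" "$1" "$4"
}

# Demo on constructed stand-in files (content "abc"), not real release tarballs.
tmp=$(mktemp -d)
printf 'abc' > "$tmp/Python.tar.xz"
printf 'abc' > "$tmp/openssl.tar.gz"
abc=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
build_command 3.11.1 "$tmp/Python.tar.xz" "$abc" 3.0.7 "$tmp/openssl.tar.gz" "$abc"
rm -rf "$tmp"
```

The expected hashes should come from the publisher rather than from hashing the same download, otherwise the comparison proves nothing about the tarball's integrity.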

OpenSSL 1.1.0 bugs

The OpenSSL test suite contains some certificates with relatively short expiration dates. Because of this, building 1.1.0l fails during the test step. See https://github.com/openssl/openssl/issues/15179 and https://github.com/openssl/openssl/issues/18456. This is fixed by the openssl1.1.0-test-certs.patch patch. It is taken from https://github.com/openssl/openssl/pull/18446 but with the changes in test/ct_test.c ported for compatibility.

There is also a test that uses a now-removed part of the Perl module File::Glob. This was patched by https://github.com/openssl/openssl/pull/4040, and an equivalent patch is provided in openssl1.1.0-test-fuzz.patch.

Using non-Python tools in the container

OpenSSL in the container is installed under /usr/local, which is also declared in the LD_LIBRARY_PATH environment variable. When an old OpenSSL version is installed, this may break other tools (such as curl) that require a newer version. Unset LD_LIBRARY_PATH if you need to run those.