The only way to get Python 2.7 to use the current OpenSSL 1.1.1d version for its `ssl` module is to rebuild it with that version of OpenSSL. For *nix platforms, this is not too hard; it only involves adjusting some initial configuration files. A quick test on macOS showed that the Python 2.7 source code was actually compatible with the OpenSSL 1.1.1d API so that looked promising.
For Windows however, rebuilding Python 2.7 with OpenSSL 1.1.1d is harder. This is because the build system, which relies on Microsoft's `msbuild`, is not as easy to adjust as the `make`-based build system on *nix. You can see the associated Visual Studio solution, projects and property files in Python's `PCbuild` subdirectory.
Additionally, the differences between the OpenSSL 1.0.2 and 1.1.1 versions are slightly larger on Windows, because library names have changed as well, whereas they have stayed the same for the *nix version.
The required modifications to Python's build system for Windows are not too extensive though. It looks like I was able to achieve what you are looking for, after making the change explained at the bottom of this answer. The actual build can be done with the following command run from Python's `PCbuild` subdirectory:
> build --no-tkinter --no-bsddb -e "/p:PlatformToolset=v141"
for a 32-bit build, or
> build --no-tkinter --no-bsddb -e -p x64 "/p:PlatformToolset=v141"
for a 64-bit build. The `--no-` options are used to speed up the process and focus on the OpenSSL aspect. `v141` stands for Visual Studio 2017; you need to be in a Visual Studio shell for this to work. After that, the following reproduced your test showing the use of OpenSSL 1.1.1d with Python 2.7.17:
> win32\python.exe
Python 2.7.17 (tags/v2.7.17-dirty:c2f86d86e6, Feb 20 2020, 01:04:36) [MSC v.1916 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> print ssl.OPENSSL_VERSION
OpenSSL 1.1.1d 10 Sep 2019
I did not do any testing beyond this.
In summary, the changes to achieve this include:
- Removed the `libeay` project from the solution. This was used to build OpenSSL 1.0.2 from source but it is not compatible with OpenSSL 1.1.1. Instead, the solution now relies on the prebuilt OpenSSL 1.1.1d binaries as provided by the Python repo in cpython-bin-deps. Rebuilding OpenSSL yourself as part of the build process is possible but requires more modifications.
- Modified the `get_externals.bat` batch script to download the OpenSSL 1.1.1d prebuilt libraries from the aforementioned cpython-bin-deps repository.
- Modified the `openssl.props` property file that configures several of the `_ssl` and `_hashlib` project settings, and made some changes to those projects themselves as well. The adjustments were mostly taken from the `v3.8.1` release of Python, to link with the new OpenSSL libraries and set the include paths correctly. With this modification, OpenSSL is no longer statically linked as it used to be in 2.7.17, but dynamically linked.
- Applied patches to the files `Modules/posixmodule.c` and `Modules/timemodule.c` similar to this patch, to allow for building with Visual Studio 2017 -- the same version the prebuilt OpenSSL binaries are created with.
By the way, more stuff than needed gets downloaded in the current build process, including the OpenSSL and nasm source code. This is only to allow for as few modifications to the original build scripts as possible.
If you are interested in the details, you can check out the associated commit in this fork of the cpython repo which I did just for the purpose of clarifying my answer. It is based on the original tag `v2.7.17`. You should be able to reproduce the build by checking out that branch `v2.7.17_ossl_1.1.1` and running the build command in `PCbuild` as mentioned above. If enough people are interested, I may clean it up and keep it around.
`py -m OpenSSL.debug`? Have you tried updating each of the listed modules? – Sherysherye
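The answer above confirms the rebuild by printing `ssl.OPENSSL_VERSION` by hand. The following is an added example, not code from the answer or from CPython, that turns that check into a pass/fail gate runnable with the rebuilt interpreter (Python 2.7 or 3). The `MINIMUM` floor of 1.1.1d and the script name `check_openssl.py` are assumptions chosen for illustration.

```python
from __future__ import print_function  # keeps the script valid on Python 2.7
import re
import ssl

MINIMUM = "1.1.1d"  # assumption: the release named in the answer is the floor

# Matches "1.1.1d", "1.0.2k-fips", "0.9.8zh" and letterless "3.0.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-[\w.]+)?$")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch) from a version or ssl.OPENSSL_VERSION string."""
    fields = text.split()
    if len(fields) > 1:
        # Full banner: the first word names the library. LibreSSL and others
        # use unrelated version numbers, so refuse to compare them.
        if fields[0] != "OpenSSL":
            raise ValueError("not an OpenSSL build: %r" % text)
        fields = fields[1:]
    match = _VERSION_RE.match(fields[0]) if fields else None
    if match is None:
        raise ValueError("unrecognised version: %r" % text)
    major, minor, fix, letters = match.groups()
    # Patch letters count upwards: a=1 ... z=26, za=27, zb=28.
    patch = sum(ord(c) - ord("a") + 1 for c in letters)
    return (int(major), int(minor), int(fix), patch)


def meets_minimum(banner, minimum=MINIMUM):
    """True when the linked library is at least `minimum`."""
    return parse_openssl_version(banner) >= parse_openssl_version(minimum)


if __name__ == "__main__":
    # Run with the rebuilt interpreter, e.g. win32/python.exe check_openssl.py
    # (check_openssl.py is a hypothetical file name for this script).
    ok = meets_minimum(ssl.OPENSSL_VERSION)
    print(ssl.OPENSSL_VERSION, "->", "OK" if ok else "TOO OLD")
    print("TLS 1.3 available:", getattr(ssl, "HAS_TLSv1_3", False))
    raise SystemExit(0 if ok else 1)
```

The non-zero exit code on an old library lets a build script fail if the interpreter was silently linked against OpenSSL 1.0.2 again.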