Skip to content

bpo-43466: Add --with-openssl-rpath configure option (GH-24820) #24820

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tiran merged 5 commits into from
Mar 19, 2021
Merged

bpo-43466: Add --with-openssl-rpath configure option (GH-24820) #24820

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c7b7308
bpo-43466: Add --with-openssl-rpath configure option
tiran Mar 10, 2021
4bfe11b
Test with latest OpenSSL
tiran Mar 11, 2021
52ecd7b
Rebuild configure script with autoconf 2.69
tiran Mar 17, 2021
615179c
Document new configure option
tiran Mar 17, 2021
4953642
update blurb
tiran Mar 17, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Document new configure option
  • Loading branch information
@tiran
tiran committed Mar 17, 2021
commit 615179cf330615794ace5180b3ac200b29d633f1
50 changes: 50 additions & 0 deletions Doc/using/unix.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,3 +134,53 @@ some Unices may not have the :program:`env` command, so you may need to hardcode
``/usr/bin/python3`` as the interpreter path.

To use shell commands in your Python scripts, look at the :mod:`subprocess` module.


Custom OpenSSL
==============

1. To use your vendor's OpenSSL configuration and system trust store, locate
the directory with ``openssl.cnf`` file or symlink in ``/etc``. On most
distribution the file is either in ``/etc/ssl`` or ``/etc/pki/tls``. The
directory should also contain a ``cert.pem`` file and/or a ``certs``
directory.

.. code-block:: shell-session

$ find /etc/ -name openssl.cnf -printf "%h\n"
/etc/ssl

2. Download, build, and install OpenSSL. Make sure you use ``install_sw`` and
not ``install``. The ``install_sw`` target does not override
``openssl.cnf``.

.. code-block:: shell-session

$ curl -O https://www.openssl.org/source/openssl-VERSION.tar.gz
$ tar xzf openssl-VERSION
$ pushd openssl-VERSION
$ ./config \
--prefix=/usr/local/custom-openssl \
--openssldir=/etc/ssl
$ make -j1 depend
$ make -j8
$ make install_sw
$ popd

3. Build Python with custom OpenSSL

.. code-block:: shell-session

$ pushd python-3.x.x
$ ./configure -C \
--with-openssl=/usr/local/custom-openssl \
--with-openssl-rpath=auto \
--prefix=/usr/local/python-3.x.x
$ make -j8
$ make altinstall

.. note::

Patch releases of OpenSSL have a backwards compatible ABI. You don't need
to recompile Python to update OpenSSL. It's sufficient to replace the
custom OpenSSL installation with a newer version.
6 changes: 6 additions & 0 deletions Doc/whatsnew/3.10.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1153,6 +1153,12 @@ Build Changes
and ``--with-tcltk-libs`` configuration options.
(Contributed by Manolis Stamatogiannakis in :issue:`42603`.)

* Add ``--with-openssl-rpath`` option to ``configure`` script. The option
simplifies building Python with a custom OpenSSL installation, e.g.
``./configure --with-openssl=/path/to/openssl --with-openssl-rpath=auto``.
(Contributed by Christian Heimes in :issue:`43466`.)



C API Changes
=============
Expand Down