Add a CI job for testing OpenSSL 1.1.1 bindings

[picnixz]

The minimal required OpenSSL version is 1.1.1 but we recommend to use OpenSSL 3.x and later for hashlib and ssl. However, we still have many code paths that are conditioned to OpenSSL versions and those are not eagerly tested. I suggest adding an SSL CI job for OpenSSL 1.1.1.

Ideally, I'd like to backport such job up to 3.9, but I'm not sure if I'm allowed to do this as it's not really a security issue.

Linked PRs

• gh-135261: bring back CI job for testing OpenSSL 1.1.1w #135262
• [3.14] gh-135261: bring back CI job for testing OpenSSL 1.1.1w (GH-135262) #138109
• [3.13] gh-135261: bring back CI job for testing OpenSSL 1.1.1w (GH-135262) #138110

[ned-deily]

FWIW, testing of 1.1.1 was deliberately removed in #123700 nine months ago.

[picnixz]

I'll forward the comment I wrote on the PR here as well:

I do want it because we have code that is conditioned to OpenSSL version. And the (official) build requirements are still 1.1.1w so it makes sense to test this. Otherwise I don't know when we test those paths.

See https://docs.python.org/3/using/configure.html#build-requirements as well.

To be clear, the code paths that need to be tested are those in _hashlib, for instance:

cpython/Modules/_hashopenssl.c

Lines 62 to 72 in 8d17a41

	#ifdef Py_HAS_OPENSSL3_SUPPORT
	#define PY_EVP_MD EVP_MD
	#define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm, properties)
	#define PY_EVP_MD_up_ref(md) EVP_MD_up_ref(md)
	#define PY_EVP_MD_free(md) EVP_MD_free(md)
	#else
	#define PY_EVP_MD const EVP_MD
	#define PY_EVP_MD_fetch(algorithm, properties) EVP_get_digestbyname(algorithm)
	#define PY_EVP_MD_up_ref(md) do {} while(0)
	#define PY_EVP_MD_free(md) do {} while(0)
	#endif

cpython/Modules/_hashopenssl.c

Lines 2086 to 2103 in 8d17a41

	#ifdef Py_HAS_OPENSSL3_SUPPORT
	return EVP_default_properties_is_fips_enabled(NULL);
	#else
	ERR_clear_error();
	int result = FIPS_mode();
	if (result == 0) {
	// "If the library was built without support of the FIPS Object Module,
	// then the function will return 0 with an error code of
	// CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0x0f06d065)."
	// But 0 is also a valid result value.
	unsigned long errcode = ERR_peek_last_error();
	if (errcode) {
	notify_ssl_error_occurred();
	return -1;
	}
	}
	return result;
	#endif

Also, some constructions are deprecated in OpenSSL 3.0 but are still used (the HMAC_* interface is deprecated, and we should use EVP_MAC instead; this is #134531).

[ned-deily]

Considering that the OpenSSL project officially ended unpaid support for 1.1.1 in 2023, I think we should consider updating our build requirements docs to exclude 1.1.1 rather than reintroduce 1.1.1 support in testing. At the moment the OpenSSL project offers at considerable expense extended support contracts for 1.1.1 . There are also vendors who provide paid extended support contract for various versions of Python. We could leave that support to them for users who need it.

[hugovk]

See also recent discussion in #131423.

[picnixz]

One relevant comment was #131423 (comment). And I actually agreed with dropping 1.1.1 requirements. It's just that my system-wide installation is 1.1.1. It's not an issue for me to upgrade it.

The advantage of dropping 1.1.1 is that it simplifies a lot the code, both in _hashopenssl.c and in _ssl.c. We can also drop the mnemonics from 1.1.1 that would be dead code. But I don't know about LibreSSL/BoringSSL that could be 1.1.1-ish. It's not officially supported, but it also doesn't cost much to keep it maintained for 1.1.1.

However, whatever we choose, if we keep it some code path that only works for OpenSSL 1.1.1, we should somehow test it (because now, we don't test it at all)

[gpshead]

@WillChilds-Klein may be able to provide CI or buildbot setup to help us maintain AWS-LC shaped support (per the discuss thread).

[WillChilds-Klein]

PR for AWS-LC testing in CI is here. AWS-LC's libssl "looks like" OpenSSL 1.1.1's libssl, but we can't provide any strong compatibility guarantees there through time, neither for API nor ABI (particularly not ABI). If OpenSSL 1.1.1 is a meaningful target, it should be tested independently. But, I hope and expect that OpenSSL users will migrate to OpenSSL 3.x as OpenSSL resolves performance gaps between 1.1.x and 3.x.

[picnixz]

The main reason why I want to drop OpenSSL 1.1.1 is due to its API that changes between 1.1.1 and 3.0. If AWS-LC is still looking like 1.1.1, I think dropping OpenSSL 1.1.1 wouldn't make much sense as we would still need some ifdefs here and there I guess (especially for HMAC which has an entirely different API (in 1.1.1, there are dedicated functions, in 3.0 and later it's EVP-MAC based).

So, in the meantime, I'd like to add a simple OpenSSL 1.1.1 job until we decide to entirely remove its support at runtime (currently we do have code that is executed on 1.1.1 and it doesn't make sense if we don't test it IMO).