gh-99951: Warn if there is an OpenSSL major version mismatch #100641
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool.
This reverts commit f9171f0.
09e600e to c88b3d9
IMO this is really a Node.js bug for exposing bad symbols, but arguing that it's a bug in the other program does still leave python users having issues so I guess there's a rationale to say python might still want to check it.
That being said, I don't think this is the right fix, it should be an error as it's guaranteed to not work -- you should be prevented from successfully importing the module, just like you would be if the _ssl module failed to load because the libssl library was missing, rather than being overridden.
(Maybe the error should be raised in _ssl rather than ssl? idk)
| f"{_OPENSSL_API_VERSION[0]}.{_OPENSSL_API_VERSION[1]}, " | ||
| "but is using OpenSSL " | ||
| f"{OPENSSL_VERSION_INFO[0]}.{OPENSSL_VERSION_INFO[1]}. " | ||
| "OpenSSL does not guarantee compatibility between different major versions.", |
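Review bot: the message prints major.minor for both _OPENSSL_API_VERSION and OPENSSL_VERSION_INFO, yet its last sentence speaks only of "different major versions", so a reader cannot tell which component triggered it. Print exactly the components the condition compares (or the full version tuples), and reword "is using" so it is clear which value is the build-time one and which is the library loaded at runtime. The closing sentence also reads as advisory; state the consequence for the ssl module directly instead of quoting OpenSSL's compatibility policy.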
This is incorrect -- it's guaranteed to not work. :P
On Linux, at least, openssl's util/mkdef.pl ensures the build has versioned symbols, specifically to ensure that it's safe to load multiple libssl libraries into a single process and you will always get the symbols you actually linked to, and cannot ever get the ones you are guaranteed to be unable to safely and compatibly use.
The best way to check this would be to compare
While it is a rare edge case well beyond the average use case, there could be a situation where there is an OpenSSL version mismatch between the version python was compiled against and the version currently loaded. Because OpenSSL states that major releases can break compatibility with previous versions and checks are cheap, there seems to be no harm if python warns when it happens.
tl;dr: This PR warns users when importing the ssl module when there is an OpenSSL major version mismatch between the version python was compiled against and the one it is using.
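A deploy-time form of the check discussed in this thread, as an added example that is not the PR's code: it compares ssl._OPENSSL_API_VERSION (the private build-time tuple the diff reads) with ssl.OPENSSL_VERSION_INFO and exits with an error instead of warning. The function names are hypothetical, and the abi_series rule (major only from 3.0 on, major.minor for 1.x, where the break fell between 1.0 and 1.1) goes beyond the PR's major-only comparison and assumes OpenSSL rather than LibreSSL.

```python
import ssl


def abi_series(version_info):
    """Return the leading part of an OpenSSL version tuple that names its ABI series."""
    major, minor = version_info[0], version_info[1]
    # Assumption of this example: from OpenSSL 3.0 on only the major number
    # marks an ABI break; in the 1.x era 1.0 and 1.1 were incompatible, so the
    # minor number is part of the series there.
    return (major,) if major >= 3 else (major, minor)


def check_openssl_abi(compiled, runtime):
    """Return None when both versions share an ABI series, else a message."""
    if abi_series(compiled) == abi_series(runtime):
        return None

    def fmt(version_info):
        return ".".join(str(part) for part in version_info[:3])

    return (f"ssl was compiled against OpenSSL {fmt(compiled)} "
            f"but the loaded library is OpenSSL {fmt(runtime)}")


def check_this_interpreter():
    """Run the check against the interpreter executing this code."""
    # _OPENSSL_API_VERSION is a private CPython attribute; tolerate its absence.
    compiled = getattr(ssl, "_OPENSSL_API_VERSION", None)
    if compiled is None:
        return None
    return check_openssl_abi(compiled, ssl.OPENSSL_VERSION_INFO)


if __name__ == "__main__":
    problem = check_this_interpreter()
    if problem:
        # Fail the startup or health check rather than continue with a
        # library the extension module was not built for.
        raise SystemExit(problem)
    print("OpenSSL build and runtime versions agree:", ssl.OPENSSL_VERSION)
```

Run it with the same interpreter and environment (LD_LIBRARY_PATH, embedding host) that the service uses, since the loaded library is what differs between environments.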