I'm trying to compile python on RHEL because my current python is using an old 1.0.2k ssl version.
(test_env) [brad@reason tlscheck]$ python3 --version
Python 3.9.3
(test_env) [brad@reason tlscheck]$ python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2k-fips 26 Jan 2017
(test_env) [brad@reason tlscheck]$ openssl version
OpenSSL 1.1.1l 24 Aug 2021
I think the issue is that when I compiled 3.9.3, I had not updated my OpenSSL version. I have since updated my OpenSSL and need to use it with python. So I have downloaded the newest python 3.10, but in the make stage I get an error that it will not make with ssl. I get the following message:
Following modules built successfully but were removed because they could not be imported:
_hashlib _ssl
Could not build the ssl module!
Python requires a OpenSSL 1.1.1 or newer
This is the full log of trying to compile: https://pastebin.com/36EntpFz
When I use the configure options that @tony-yip mentioned, I get the following in my configure.
checking for openssl/ssl.h in /etc/ssl... no
checking whether compiling and linking against OpenSSL works... no
I'm determining my openssl location with:
[brad@reason Python-3.10.0]$ openssl version -d
OPENSSLDIR: "/etc/ssl"
To configure, I'm using:
./configure --with-openssl="/etc/ssl"
When I look for ssl.h, I find it in /usr/include/openssl. So I linked this directory to lib in /etc/ssl, but it was no help.
[brad@reason Python-3.10.0]$ ls -l /etc/ssl
total 40
lrwxrwxrwx 1 root root 16 Jul 16 2020 certs -> ../pki/tls/certs
-rw-r--r-- 1 root root 412 Oct 12 02:53 ct_log_list.cnf
-rw-r--r-- 1 root root 412 Oct 12 02:53 ct_log_list.cnf.dist
lrwxrwxrwx 1 root root 20 Oct 18 10:22 lib -> /usr/include/openssl
drwxr-xr-x 2 root root 4096 Oct 12 02:53 misc
-rw-r--r-- 1 root root 10909 Oct 12 02:53 openssl.cnf
-rw-r--r-- 1 root root 10909 Oct 12 02:53 openssl.cnf.dist
drwxr-xr-x 2 root root 4096 Oct 12 02:53 private
[brad@reason Python-3.10.0]$ sudo find / -name ssl.h | grep include
find: ‘/tmp/.mount_jetbraAJFEnl’: Permission denied
/home/brad/Downloads/freerdp-2.0.0-rc4/winpr/include/winpr/ssl.h
/home/brad/Downloads/FreeRDP/winpr/include/winpr/ssl.h
/home/brad/Development/tlscheck/openssl-1.1.1l/include/openssl/ssl.h
/usr/include/openssl/ssl.h
/var/lib/docker/overlay2/23e6f3c164ec8939352891c99393669df4ed6e66da1e04ce84616073f08c6051/diff/usr/include/openssl/ssl.h
/var/lib/flatpak/runtime/org.freedesktop.Sdk/x86_64/18.08/c8075e929daaffcbe5c78c9e87c0f0463d75e90d2b59c92355fa486e79c7d0e3/files/include/nss/ssl.h
/var/lib/flatpak/runtime/org.freedesktop.Sdk/x86_64/18.08/c8075e929daaffcbe5c78c9e87c0f0463d75e90d2b59c92355fa486e79c7d0e3/files/include/openssl/ssl.h
find: ‘/run/user/1000/gvfs’: Permission denied
This may be extraneous information, but my libssl.so is here:
[brad@reason Python-3.10.0]$ ls /usr/lib64 | grep ssl
libevent_openssl-2.0.so.5
libevent_openssl-2.0.so.5.1.9
libssl3.so
libssl.so
libssl.so.10
libssl.so.1.0.2k
openssl
If you have any thoughts on why make isn't able to include ssl, please let me know. Thanks.
CodePudding user response:
Python would use its own bundled ssl suite. In order to use OpenSSL, add the flag for OpenSSL when running ./configure. For details, run ./configure --help for more options.
  --with-openssl=DIR      root of the OpenSSL directory
  --with-openssl-rpath=[DIR|auto|no]
                          Set runtime library directory (rpath) for OpenSSL
                          libraries, no (default): don't set rpath, auto:
                          auto-detect rpath from --with-openssl and
                          pkg-config, DIR: set an explicit rpath
  --with-ssl-default-suites=[python|openssl|STRING]
                          override default cipher suites string, python: use
                          Python's preferred selection (default), openssl:
                          leave OpenSSL's defaults untouched, STRING: use a
                          custom string, python and STRING also set TLS 1.2 as
                          minimum TLS version
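A pre-flight check for a --with-openssl=DIR candidate, added here as an example; it is not part of either answer or of CPython's build system. It assumes configure wants DIR/include/openssl/ssl.h (the header it probed for in the question's output) and links from DIR/lib; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: validate a directory before passing it to --with-openssl=DIR.
# Assumption: configure needs DIR/include/openssl/ssl.h and libraries in DIR/lib.
# Function names are hypothetical.

# Print the version recorded in an opensslv.h file, e.g. "1.1.1l" or "3.0.0".
openssl_header_version() {
    sed -n \
        -e 's/.*OPENSSL_VERSION_TEXT[[:space:]]*"OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' \
        -e 's/.*OPENSSL_VERSION_STR[[:space:]]*"\([0-9][0-9.]*\)".*/\1/p' \
        "$1" 2>/dev/null | head -n 1
}

# Succeed when version $1 is at least 1.1.1 (a letter suffix such as "l" is ignored).
version_at_least_111() {
    awk -v v="$1" 'BEGIN {
        split(v, p, ".")
        exit !((p[1] * 10000 + p[2] * 100 + (p[3] + 0)) >= 10101)
    }'
}

# Return 0 if DIR looks usable as --with-openssl=DIR, else explain and return 1.
check_openssl_root() {
    root=$1
    if [ ! -f "$root/include/openssl/ssl.h" ]; then
        echo "FAIL: $root/include/openssl/ssl.h is missing; DIR must be the install prefix"
        return 1
    fi
    for name in libssl libcrypto; do
        if [ ! -e "$root/lib/$name.so" ] && [ ! -e "$root/lib/$name.a" ]; then
            echo "FAIL: no $name.so or $name.a under $root/lib"
            return 1
        fi
    done
    ver=$(openssl_header_version "$root/include/openssl/opensslv.h")
    if [ -z "$ver" ] || ! version_at_least_111 "$ver"; then
        echo "FAIL: headers report OpenSSL '${ver:-unknown}', need 1.1.1 or newer"
        return 1
    fi
    echo "OK: $root provides OpenSSL $ver headers and libraries"
}

# Stand-alone use: sh check_openssl_root.sh /path/to/openssl/prefix
if [ "$#" -gt 0 ]; then check_openssl_root "$1"; fi
```

A directory that holds only openssl.cnf and certificates, which is what openssl version -d reports, fails the first check.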
CodePudding user response:
You may have done this already.
If I were in your place, I would try updating the apt-get packages:
sudo apt update
sudo apt upgrade
Updating apt will update OpenSSL automatically. If it does not work, you could update OpenSSL alone:
apt install openssl
Then generate newly created self-signed certificates from the command line:
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
This command writes a new certificate in cert.pem with its corresponding private key in key.pem, with a validity period of 365 days. More about certificates in this link; look for the "Achieving an SSL A Grade" header.