How to compile python3 on RHEL with SSL? SSL cannot be imported

Time:10-20

I'm trying to compile python on RHEL because my current python is using an old 1.0.2k ssl version.

(test_env) [brad@reason tlscheck]$ python3 --version
Python 3.9.3
(test_env) [brad@reason tlscheck]$ python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2k-fips  26 Jan 2017
(test_env) [brad@reason tlscheck]$ openssl version
OpenSSL 1.1.1l  24 Aug 2021

I think the issue is that when I compiled 3.9.3, I had not updated my OpenSSL version. I have since updated my OpenSSL and need to use it with Python. So I have downloaded the newest Python 3.10, but in the make stage I get an error that it will not make with ssl. I get the following message:

Following modules built successfully but were removed because they could not be imported:
_hashlib              _ssl                                     


Could not build the ssl module!
Python requires a OpenSSL 1.1.1 or newer

This is the full log of trying to compile: https://pastebin.com/36EntpFz

When I use the configure options that @tony-yip mentioned, I get the following in my configure.

checking for openssl/ssl.h in /etc/ssl... no
checking whether compiling and linking against OpenSSL works... no

I'm determining my openssl location with:

[brad@reason Python-3.10.0]$ openssl version -d
OPENSSLDIR: "/etc/ssl"

To configure, I'm using:

./configure --with-openssl="/etc/ssl"

When I look for ssl.h, I find it in /usr/include/openssl. So I linked this directory to lib in /etc/ssl, but it was no help.

[brad@reason Python-3.10.0]$ ls -l /etc/ssl
total 40
lrwxrwxrwx 1 root root    16 Jul 16  2020 certs -> ../pki/tls/certs
-rw-r--r-- 1 root root   412 Oct 12 02:53 ct_log_list.cnf
-rw-r--r-- 1 root root   412 Oct 12 02:53 ct_log_list.cnf.dist
lrwxrwxrwx 1 root root    20 Oct 18 10:22 lib -> /usr/include/openssl
drwxr-xr-x 2 root root  4096 Oct 12 02:53 misc
-rw-r--r-- 1 root root 10909 Oct 12 02:53 openssl.cnf
-rw-r--r-- 1 root root 10909 Oct 12 02:53 openssl.cnf.dist
drwxr-xr-x 2 root root  4096 Oct 12 02:53 private
[brad@reason Python-3.10.0]$ sudo find / -name ssl.h | grep include
find: ‘/tmp/.mount_jetbraAJFEnl’: Permission denied
/home/brad/Downloads/freerdp-2.0.0-rc4/winpr/include/winpr/ssl.h
/home/brad/Downloads/FreeRDP/winpr/include/winpr/ssl.h
/home/brad/Development/tlscheck/openssl-1.1.1l/include/openssl/ssl.h
/usr/include/openssl/ssl.h
/var/lib/docker/overlay2/23e6f3c164ec8939352891c99393669df4ed6e66da1e04ce84616073f08c6051/diff/usr/include/openssl/ssl.h
/var/lib/flatpak/runtime/org.freedesktop.Sdk/x86_64/18.08/c8075e929daaffcbe5c78c9e87c0f0463d75e90d2b59c92355fa486e79c7d0e3/files/include/nss/ssl.h
/var/lib/flatpak/runtime/org.freedesktop.Sdk/x86_64/18.08/c8075e929daaffcbe5c78c9e87c0f0463d75e90d2b59c92355fa486e79c7d0e3/files/include/openssl/ssl.h
find: ‘/run/user/1000/gvfs’: Permission denied

This may be extraneous information, but my libssl.so is here:

[brad@reason Python-3.10.0]$ ls /usr/lib64 | grep ssl
libevent_openssl-2.0.so.5
libevent_openssl-2.0.so.5.1.9
libssl3.so
libssl.so
libssl.so.10
libssl.so.1.0.2k
openssl

Any thoughts on why make isn't able to include ssl, please let me know. Thanks.

CodePudding user response:

Python would use its own bundled ssl suite. In order to use OpenSSL, add the flag for OpenSSL when running ./configure. For details, run ./configure --help for more options.

  --with-openssl=DIR      root of the OpenSSL directory
  --with-openssl-rpath=[DIR|auto|no]
                          Set runtime library directory (rpath) for OpenSSL
                          libraries, no (default): don't set rpath, auto:
                          auto-detect rpath from --with-openssl and
                          pkg-config, DIR: set an explicit rpath
  --with-ssl-default-suites=[python|openssl|STRING]
                          override default cipher suites string, python: use
                          Python's preferred selection (default), openssl:
                          leave OpenSSL's defaults untouched, STRING: use a
                          custom string, python and STRING also set TLS 1.2 as
                          minimum TLS version
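
The `checking for openssl/ssl.h in /etc/ssl... no` line in the question shows that configure looks for headers under the DIR given to `--with-openssl`, whereas `openssl version -d` reports OpenSSL's configuration directory. As an added example (not part of the original question or answers), this shell helper checks whether a candidate DIR has `include/openssl/ssl.h`, headers of version 1.1.1 or newer, and a libssl under `lib/` or `lib64/`; the function names and the `lib64` fallback are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate a candidate DIR for ./configure --with-openssl=DIR.
# Function names are hypothetical; they are not part of CPython or OpenSSL.

# Print x.y.z from DIR/include/openssl/opensslv.h (empty if not found).
header_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"OpenSSL \([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p' \
        "$1/include/openssl/opensslv.h" 2>/dev/null | head -n 1
}

# Succeed when the x.y.z argument is 1.1.1 or newer.
version_at_least_1_1_1() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split "1.1.1" into $1 $2 $3
    IFS=$old_ifs
    [ "$1" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -eq 1 ] && [ "$3" -ge 1 ] && return 0
    return 1
}

# Returns 0 usable, 1 no headers, 2 headers too old, 3 no libssl under DIR.
check_openssl_prefix() {
    dir=$1
    if [ ! -f "$dir/include/openssl/ssl.h" ]; then
        echo "$dir: no include/openssl/ssl.h, configure will answer 'no'"
        return 1
    fi
    ver=$(header_version "$dir")
    if [ -z "$ver" ] || ! version_at_least_1_1_1 "$ver"; then
        echo "$dir: headers are OpenSSL ${ver:-unknown}, need 1.1.1 or newer"
        return 2
    fi
    for libdir in "$dir/lib" "$dir/lib64"; do
        for lib in "$libdir"/libssl.so* "$libdir"/libssl.a; do
            if [ -e "$lib" ]; then
                echo "$dir: OpenSSL $ver headers, library $lib"
                return 0
            fi
        done
    done
    echo "$dir: headers OK but no libssl under lib/ or lib64/"
    return 3
}

# Stand-alone use: sh check_prefix.sh /path/to/openssl/prefix
if [ $# -gt 0 ]; then
    check_openssl_prefix "$1"
fi
```

A directory that passes can be given to `--with-openssl`, and the result can be confirmed afterwards with the `python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"` command from the question.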

CodePudding user response:

You may have done this already

If I were in your place, I would try updating the apt-get package:

sudo apt update
sudo apt upgrade

Updating apt will update OpenSSL automatically. If it does not work, you could update OpenSSL alone:

apt install openssl

Then generate newly created self-signed certificates from the command line:

openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

This command writes a new certificate in cert.pem with its corresponding private key in key.pem, with a validity period of 365 days. More about Certificates in this link, look for "Achieving an SSL A Grade" header.
