[3.14] gh-139573: Update OpenSSL in CI (GH-139577) (#139583)

gh-139573: Update OpenSSL in CI (GH-139577) (cherry picked from commit 98e748b3a0) Co-authored-by: Zachary Ware <zach@python.org>
2025-11-24 12:20:42 +00:00 · 2025-10-05 06:50:26 +02:00 · 2025-10-05 06:50:26 +02:00 · 8cb73119c6
commit 8cb73119c6
parent bc85a34f8a
5 changed files with 17 additions and 12 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -320,7 +320,7 @@ jobs:
        # Keep 1.1.1w in our list despite it being upstream EOL and otherwise
        # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs
        # supported by important vendors such as AWS-LC.
-        openssl_ver: [1.1.1w, 3.0.17, 3.2.5, 3.3.4, 3.4.2, 3.5.2]
+        openssl_ver: [1.1.1w, 3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4]
        # See Tools/ssl/make_ssl_data.py for notes on adding a new version
    env:
      OPENSSL_VER: ${{ matrix.openssl_ver }}
@ -410,7 +410,7 @@ jobs:
    needs: build-context
    if: needs.build-context.outputs.run-tests == 'true'
    env:
-      OPENSSL_VER: 3.0.16
+      OPENSSL_VER: 3.0.18
      PYTHONSTRICTEXTENSIONBUILD: 1
    steps:
    - uses: actions/checkout@v4
@ -530,7 +530,7 @@ jobs:
      matrix:
        os: [ubuntu-24.04]
    env:
-      OPENSSL_VER: 3.0.16
+      OPENSSL_VER: 3.0.18
      PYTHONSTRICTEXTENSIONBUILD: 1
      ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
    steps:
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@ -30,7 +30,7 @@ jobs:
    runs-on: ${{ inputs.os }}
    timeout-minutes: 60
    env:
-      OPENSSL_VER: 3.0.15
+      OPENSSL_VER: 3.0.18
      PYTHONSTRICTEXTENSIONBUILD: 1
      TERM: linux
    steps:
--- a/Doc/using/configure.rst
+++ b/Doc/using/configure.rst
@ -22,7 +22,7 @@ Features and minimum versions required to build CPython:
 * Support for threads.
-* OpenSSL 1.1.1 is the minimum version and OpenSSL 3.0.16 is the recommended
+* OpenSSL 1.1.1 is the minimum version and OpenSSL 3.0.18 is the recommended
  minimum version for the :mod:`ssl` and :mod:`hashlib` extension modules.
 * SQLite 3.15.2 for the :mod:`sqlite3` extension module.
--- a/Modules/_ssl_data_35.h
+++ b/Modules/_ssl_data_35.h
@ -1,6 +1,6 @@
 /* File generated by Tools/ssl/make_ssl_data.py */
-/* Generated on 2025-08-13T16:42:33.155822+00:00 */
+/* Generated on 2025-10-04T17:49:19.148321+00:00 */
-/* Generated from Git commit openssl-3.5.2-0-g0893a6235 */
+/* Generated from Git commit openssl-3.5.4-0-gc1eeb9406 */
 /* generated from args.lib2errnum */
 static struct py_ssl_library_code library_codes[] = {
@ -5338,6 +5338,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"FIPS_MODULE_ENTERING_ERROR_STATE", 57, 224},
  #endif
  #ifdef PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR
    {"FIPS_MODULE_IMPORT_PCT_ERROR", ERR_LIB_PROV, PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR},
  #else
    {"FIPS_MODULE_IMPORT_PCT_ERROR", 57, 253},
  #endif
  #ifdef PROV_R_FIPS_MODULE_IN_ERROR_STATE
    {"FIPS_MODULE_IN_ERROR_STATE", ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE},
  #else
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@ -48,11 +48,11 @@ OPENSSL_OLD_VERSIONS = [
 ]
 OPENSSL_RECENT_VERSIONS = [
-    "3.0.16",
+    "3.0.18",
-    "3.2.5",
+    "3.2.6",
-    "3.3.4",
+    "3.3.5",
-    "3.4.2",
+    "3.4.3",
-    "3.5.2",
+    "3.5.4",
    # See make_ssl_data.py for notes on adding a new version.
 ]