On 17.06.2014 20:27, Steve Dower wrote:
> Yates, Andy (CS Houston, TX) wrote:
>> Python Dev,
>> Andy here. I have a Windows product based on Python and I'm getting hammered to
>> release a version that includes the fix in OpenSSL 1.0.1h. My product is built
>> on a Windows system using Python installed from the standard Python installer at
>> Python.org. I would be grateful if I could get some advice on my options. Will
>> Python.org be releasing a Windows installer with the fix any time soon or will
>> it be at the next scheduled release in November? If it is November, there's no
>> way I can wait that long. Now what? Would it be best to build my own Python? Is
>> it possible to drop in new OpenSSL versions on Windows without rebuilding
>> Python? Looking for some guidance on how to handle these OpenSSL issues on
>> Windows.
>
> You'll only need to rebuild the _ssl and _hashlib extension modules with the new OpenSSL version. The easiest way to do this is to build from source (which has already been updated for 1.0.1h if you use the externals scripts in Tools\buildbot), and you should just be able to drop _ssl.pyd and _hashlib.pyd on top of a normal install.
>
> Aside: I wonder if it's worth changing to dynamically linking to OpenSSL? It would make this kind of in-place upgrade easier when people need to do it. Any thoughts? (Does OpenSSL even support it?)

Yes, no problem at all, but you'd still have to either do a new release
every time a new OpenSSL problem is found (don't think that's an
option for Python) or provide new compiled versions
compatible with the Python modules needing the OpenSSL libs or
instructions on how to build these.

Note that the hash routines are rarely affected by these OpenSSL
bugs. They usually only affect the SSL/TLS protocol parts.

Alternatively, you could make use of our pyOpenSSL distribution,
which includes pyOpenSSL and the OpenSSL libs (also for Windows):

http://www.egenix.com/products/python/pyOpenSSL/

We created this to address the problem of having to update
OpenSSL rather often. It doesn't support Python 3 yet, but
on the plus side, you do get OpenSSL libs which are compiled
with the same compiler versions used for the Python.org
installers.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

In article
<***@BLUPR03MB389.namprd03.prod.outlook.com
>,
Steve Dower <***@microsoft.com> wrote:
> You'll only need to rebuild the _ssl and _hashlib extension modules with the
> new OpenSSL version. The easiest way to do this is to build from source
> (which has already been updated for 1.0.1h if you use the externals scripts
> in Tools\buildbot), and you should just be able to drop _ssl.pyd and
> _hashlib.pyd on top of a normal install.

Should we consider doing a re-spin of the Windows installers for 2.7.7
with 1.0.1h? Or consider doing a 2.7.8 in the near future to address
this and various 2.7.7 regressions that have been identified so far
(Issues 21652 and 21672)?

> Aside: I wonder if it's worth changing to dynamically linking to OpenSSL? It
> would make this kind of in-place upgrade easier when people need to do it.
> Any thoughts? (Does OpenSSL even support it?)

OpenSSL is often dynamically linked in Python builds on various other
platforms, for example, on Linux or OS X.

--
Ned Deily,
***@acm.org

Am 17.06.14 20:27, schrieb Steve Dower:
> You'll only need to rebuild the _ssl and _hashlib extension modules
> with the new OpenSSL version. The easiest way to do this is to build
> from source (which has already been updated for 1.0.1h if you use the
> externals scripts in Tools\buildbot), and you should just be able to
> drop _ssl.pyd and _hashlib.pyd on top of a normal install.
>
> Aside: I wonder if it's worth changing to dynamically linking to
> OpenSSL? It would make this kind of in-place upgrade easier when
> people need to do it. Any thoughts? (Does OpenSSL even support it?)

We originally considered using prebuilt binaries, such as

http://slproweb.com/products/Win32OpenSSL.html

This is tricky because of CRT issues: they will likely bind to a
different version of the CRT, and
a) it is unclear whether this would reliably work, and
b) requires the Python installer to include a different version of
the CRT, which we would not have a license to include (as the
CRT redistribution license only applies to the version of the CRT
that Python was built with)

There was also the desire to use the same compiler for all code
distributed, to use the same optimizations on all of it. In addition,
for OpenSSL, there is compile time configuration wrt. to the algorithms
built into the binaries where Python's build deviates from the default.

Having a separate project to build a DLL within pcbuild.sln was never
implemented. Doing so possibly increases the risk of DLL hell, if Python
picks up the wrong version of OpenSSL (e.g. if Python gets embedded
into some other application).

Regards,
Martin