gh-143960: Add support for OpenSSL 3.6, drop EOL 3.2 (#143961)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
2026-01-27 13:15:25 +00:00 · 2026-01-20 17:25:31 +02:00 · 2026-01-20 17:25:31 +02:00 · a126893fa8
commit a126893fa8
parent 795d5c5b44
6 changed files with 29 additions and 7 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -261,7 +261,7 @@ jobs:
        # Keep 1.1.1w in our list despite it being upstream EOL and otherwise
        # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs
        # supported by important vendors such as AWS-LC.
-        openssl_ver: [1.1.1w, 3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4]
+        openssl_ver: [1.1.1w, 3.0.18, 3.3.5, 3.4.3, 3.5.4, 3.6.0]
        # See Tools/ssl/make_ssl_data.py for notes on adding a new version
    env:
      OPENSSL_VER: ${{ matrix.openssl_ver }}
--- a/Misc/NEWS.d/next/Build/2026-01-17-15-31-19.gh-issue-143960.Zi0EqR.rst
+++ b/Misc/NEWS.d/next/Build/2026-01-17-15-31-19.gh-issue-143960.Zi0EqR.rst
@ -0,0 +1 @@
+Add support for OpenSSL 3.6, drop EOL 3.2. Patch by Hugo van Kemenade.
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -150,7 +150,7 @@ static void _PySSLFixErrno(void) {
 /* Include generated data (error codes) */
 /* See Tools/ssl/make_ssl_data.py for notes on adding a new version. */
 #if (OPENSSL_VERSION_NUMBER >= 0x30401000L)
-#include "_ssl_data_35.h"
+#include "_ssl_data_36.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x30100000L)
 #include "_ssl_data_340.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
--- a/Modules/_ssl_data_36.h
+++ b/Modules/_ssl_data_36.h
@ -1,6 +1,6 @@
 /* File generated by Tools/ssl/make_ssl_data.py */
-/* Generated on 2025-10-04T17:49:19.148321+00:00 */
-/* Generated from Git commit openssl-3.5.4-0-gc1eeb9406 */
+/* Generated on 2026-01-17T13:03:49.335767+00:00 */
+/* Generated from Git commit openssl-3.6.0-0-g7b371d80d9 */

 /* generated from args.lib2errnum */
 static struct py_ssl_library_code library_codes[] = {
@ -1863,6 +1863,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"NOT_KEK", 46, 123},
  #endif
+  #ifdef CMS_R_NOT_KEM
+    {"NOT_KEM", ERR_LIB_CMS, CMS_R_NOT_KEM},
+  #else
+    {"NOT_KEM", 46, 197},
+  #endif
  #ifdef CMS_R_NOT_KEY_AGREEMENT
    {"NOT_KEY_AGREEMENT", ERR_LIB_CMS, CMS_R_NOT_KEY_AGREEMENT},
  #else
@ -2058,6 +2063,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"UNKNOWN_ID", 46, 150},
  #endif
+  #ifdef CMS_R_UNKNOWN_KDF_ALGORITHM
+    {"UNKNOWN_KDF_ALGORITHM", ERR_LIB_CMS, CMS_R_UNKNOWN_KDF_ALGORITHM},
+  #else
+    {"UNKNOWN_KDF_ALGORITHM", 46, 198},
+  #endif
  #ifdef CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM
    {"UNSUPPORTED_COMPRESSION_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM},
  #else
@ -2078,6 +2088,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"UNSUPPORTED_ENCRYPTION_TYPE", 46, 192},
  #endif
+  #ifdef CMS_R_UNSUPPORTED_KDF_ALGORITHM
+    {"UNSUPPORTED_KDF_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_KDF_ALGORITHM},
+  #else
+    {"UNSUPPORTED_KDF_ALGORITHM", 46, 199},
+  #endif
  #ifdef CMS_R_UNSUPPORTED_KEK_ALGORITHM
    {"UNSUPPORTED_KEK_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_KEK_ALGORITHM},
  #else
@ -5763,6 +5778,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"PSS_SALTLEN_TOO_SMALL", 57, 172},
  #endif
+  #ifdef PROV_R_REPEATED_PARAMETER
+    {"REPEATED_PARAMETER", ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER},
+  #else
+    {"REPEATED_PARAMETER", 57, 252},
+  #endif
  #ifdef PROV_R_REQUEST_TOO_LARGE_FOR_DRBG
    {"REQUEST_TOO_LARGE_FOR_DRBG", ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG},
  #else
--- a/Tools/ssl/make_ssl_data.py
+++ b/Tools/ssl/make_ssl_data.py
@ -17,8 +17,8 @@ The OpenSSL git checkout should be at a specific tag, using commands like:
    git tag --list 'openssl-*'
    git switch --detach openssl-3.4.1

-After generating the definitions, compare the result with newest pre-existing file.
-You can use a command like:
+After generating the definitions, compare the result with the newest
+pre-existing file. You can use a command like:

    git diff --no-index Modules/_ssl_data_340.h Modules/_ssl_data_341.h

--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@ -45,14 +45,15 @@ log = logging.getLogger("multissl")
 OPENSSL_OLD_VERSIONS = [
    "1.1.1w",
    "3.1.8",
+    "3.2.6",
 ]

 OPENSSL_RECENT_VERSIONS = [
    "3.0.18",
-    "3.2.6",
    "3.3.5",
    "3.4.3",
    "3.5.4",
+    "3.6.0",
    # See make_ssl_data.py for notes on adding a new version.
 ]
				`@ -0,0 +1 @@`
				`Add support for OpenSSL 3.6, drop EOL 3.2. Patch by Hugo van Kemenade.`