{ubuntu-trusty, debian-jessie, linuxmint-17, fedora-{26,27,28}}-standard: system openssl too old for python3

[mkoeppe]

Following [https://www.python.org/dev/peps/pep-0644/ PEP 644](https://www.python.org/dev/peps/pep-0644/ PEP 644), python requires OpenSSL 1.1.1 or newer. This was planned to be included in Python 3.10, but apparently Python 3.9.7 (the version of our spkg after #32443) has already broken compatibility with some older openssl releases. For example ubuntu-trusty uses 1.0.1f.
https://github.com/sagemath/sage/runs/3712854824?check_suite_focus=true

Also python's own configure script does not notice that this version of SSL does not work, but then building the _ssl extension fails:

building '_ssl' extension
gcc -pthread -fPIC -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -Wno-unused -O2 -g -march=native -std=c99 -Wextra -Wno-unused-result -Wno-unused-parameter -Wno-missing-field-initializers -Werror=implicit-function-declaration -fvisibility=hidden -I./Include/internal -I./Include -I/sage/local/include -I. -I/usr/local/include -I/sage/local/var/tmp/sage/build/python3-3.9.7/src/Include -I/sage/local/var/tmp/sage/build/python3-3.9.7/src -c /sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c -o build/temp.linux-x86_64-3.9/sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.o
/sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c: In function '_ssl__SSLContext_impl':
/sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c:3116:27: error: implicit declaration of function 'SSLv3_method'; did you mean 'SSLv23_method'? [-Werror=implicit-function-declaration]
         ctx = SSL_CTX_new(SSLv3_method());
                           ^~~~~~~~~~~~
                           SSLv23_method
/sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c:3116:27: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [-Wint-conversion]
In file included from /sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c:59:0:
/usr/include/openssl/ssl.h:1341:17: note: expected 'const SSL_METHOD * {aka const struct ssl_method_st *}' but argument is of type 'int'
 __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
                 ^~~~~~~~~~~

We should update build/pkgs/openssl/spkg-configure.m4 to detect that we have a suitable version. Currently there is no version check whatsoever.

CC: @sagetrac-tmonteil @dimpase @orlitzky @jhpalmieri @kliem

Component: packages: standard

Author: Matthias Koeppe

Branch/Commit: 38c0d54

Reviewer: Jonathan Kliem

Issue created by migration from https://trac.sagemath.org/ticket/32580

[orlitzky]

comment:4

There aren't enough of us to support every package combination on every distro going back a decade. This is most thoroughly solved by setting --with-system-python3=force (or better yet, by deleting the SPKG) and documenting how to install a newer version of python3 with Nix, Conda, or unofficial deb/RPMs.

For Ubuntu, there's a PPA that provides them:

https://launchpad.net/~deadsnakes/+archive/ubuntu/ppa

[mkoeppe]

comment:5

We have ticket for this standard reaction, #32074. Let's please not repeat it on every ticket.

[mkoeppe]

Author: Matthias Koeppe

[mkoeppe]

Branch: u/mkoeppe/_ubuntu_trusty__debian_jessie__linuxmint_17__fedora__26_27_28___standard__system_openssl_too_old_for_python3

[mkoeppe]

comment:9

Tested as follows:

• on homebrew, correctly accepts openssl
• tox -e docker-ubuntu-trusty-standard -- config.status ... correctly rejects openssl

---

New commits:

0926d39

build/pkgs/openssl/spkg-configure.m4: Reject openssl < 1.1.1

[mkoeppe]

Commit: 0926d39

[sagetrac-git]

Branch pushed to git repo; I updated commit sha1. New commits:

82e08b5

build/pkgs/openssl/spkg-configure.m4: Do not require openssl if system python3 is used

[sagetrac-git]

Changed commit from 0926d39 to 82e08b5

[mkoeppe]

comment:11

tox -e docker-ubuntu-focal-standard -- config.status now notices that openssl is not required

[kliem]

Reviewer: Jonathan Kliem

[kliem]

comment:13

-            #if OPENSSL_VERSION_NUMBER < 0x10100010L
+            #if OPENSSL_VERSION_NUMBER < 0x10101000L

Once done, you can set it on positive review on my behalf.

[sagetrac-git]

Branch pushed to git repo; I updated commit sha1. New commits:

38c0d54

build/pkgs/openssl/spkg-configure.m4: Fix OPENSSL_VERSION_NUMBER format

[sagetrac-git]

Changed commit from 82e08b5 to 38c0d54

[mkoeppe]

comment:15

Thanks for catching this, you are right

[kliem]

comment:17

Well it did confuse me, when I was testing it. I have openssl 1.1.1 and raising the requirement to 1.1.2 did not do anything.

[vbraun]

Changed branch from u/mkoeppe/_ubuntu_trusty__debian_jessie__linuxmint_17__fedora__26_27_28___standard__system_openssl_too_old_for_python3 to 38c0d54