How to install openssl 1.1.1 for python 2.7?

Question

I installed python 2.7.17 on a windows 10 machine. I then wanted to test its openssl version by running the following inside python:

import ssl
print ssl.OPENSSL_VERSION_INFO

I am getting (1, 0, 2, 20, 15) I wanted to upgrade to version 1.1.1. Doing pip freeze I get:

cffi==1.14.0
cryptography==2.8
enum34==1.1.6
ipaddress==1.0.23
pycparser==2.19
pyOpenSSL==19.1.0
six==1.14.0

These seem to be the latest in pip for pyOpenSSL and cryptography.

The openssl I have installed (as part of git bash) is 1.1.1, however, this is not the same version used inside python.

How do I upgrade the version of openssl included in python to 1.1.1 or greater?

EDIT: In response to the comments, following is a result of python -m OpenSSL.debug:

C:\Users\assaf>python -m OpenSSL.debug
pyOpenSSL: 19.1.0
cryptography: 2.8
cffi: 1.14.0
cryptography's compiled against OpenSSL: OpenSSL 1.1.1d  10 Sep 2019
cryptography's linked OpenSSL: OpenSSL 1.1.1d  10 Sep 2019
Pythons's OpenSSL: OpenSSL 1.0.2t  10 Sep 2019
Python executable: C:\Python27\python.exe
Python version: 2.7.17 (v2.7.17:c2f86d86e6, Oct 19 2019, 21:01:17) [MSC v.1500 64 bit (AMD64)]
Platform: win32
sys.path: ['', 'C:\\WINDOWS\\SYSTEM32\\python27.zip', 'C:\\Python27\\DLLs', 'C:\\Python27\\lib', 'C:\\Python27\\lib\\plat-win', 'C:\\Python27\\lib\\lib-tk', 'C:\\Python27', 'C:\\Python27\\lib\\site-packages']

As stated above, cryptography and pyOpenSSL are the latest in pip.

Answer 1

The only way to get Python 2.7 to use the current OpenSSL 1.1.1d version for its ssl module is to rebuild it with that version of OpenSSL. For *nix platforms, this is not too hard; it only involves adjusting some initial configuration files. A quick test on macOS showed that the Python 2.7 source code was actually compatible with the OpenSSL 1.1.1d API so that looked promising.

For Windows however, rebuilding Python 2.7 with OpenSSL 1.1.1d is harder. This is because the build system, which relies on Microsoft's msbuild, is not as easy to adjust as the make-based build system on *nix. You can see the associated Visual Studio solution, projects and property files in Python's PCbuild subdirectory.

Additionally, the differences between the OpenSSL 1.0.2 and 1.1.1 versions is slightly larger on Windows, because library names have changed as well, whereas they have stayed the same for the *nix version.

The required modifications to Python's build system for Windows are not too extensive though. It looks like I was able to achieve what you are looking for, after making the change explained at the bottom of this answer. The actual build can be done with the following command run from Python's PCbuild subdirectory:

> build --no-tkinter --no-bsddb -e "/p:PlatformToolset=v141"

for a 32-bits build, or

> build --no-tkinter --no-bsddb -e -p x64 "/p:PlatformToolset=v141"

for a 64-bits build. The --no- options are used to speed up the process and focus on the OpenSSL aspect. v141 stands for Visual Studio 2017, you need to be in a Visual Studio shell for this to work. After that, the following reproduced your test showing the use of OpenSSL 1.1.1d with Python 2.7.17:

> win32\python.exe
Python 2.7.17 (tags/v2.7.17-dirty:c2f86d86e6, Feb 20 2020, 01:04:36) [MSC v.1916 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> print ssl.OPENSSL_VERSION
OpenSSL 1.1.1d  10 Sep 2019

I did not do any testing beyond this.

---

In summary, the changes to achieve this include

• Removed the libeay project from the solution. This was used to build OpenSSL 1.0.2 from source but it is not compatible with OpenSSL 1.1.1. Instead, the solution now relies on the prebuilt OpenSSL 1.1.1d binaries as provided by the Python repo in cpython-bin-deps. Rebuilding OpenSSL yourself as part of the build process is possible but requires more modifications.
• Modified the get_externals.bat batch script to download the OpenSSL 1.1.1d prebuilt libraries from the aforementioned cpython-bin-deps repository.
• Modified the openssl.props property file that configures several of the _ssl and _hashlib project settings, and made some changes to those projects themselves as well. The adjustments mostly taken from the v3.8.1 release of Python, to link with the new OpenSSL libraries and set the include paths correctly. With this modification, OpenSSL is no longer statically linked as it used to be in 2.7.17, but dynamically linked.
• Applied patches to the files Modules/posixmodule.c and Modules/timemodule.c similar to this patch, to allow for building with Visual Studio 2017 -- the same version the prebuilt OpenSSL binaries are created with.

By the way, more stuff than needed gets downloaded in the current build process, including the OpenSSL and nasm source code. This is only to allow for as few modifications to the original build scripts as possible.

If you are interested in the details, you can check out the associated commit in this fork of the cpython repo which I did just for the purpose of clarifying my answer. It is based on the original tag v2.7.17. You should be able to reproduce the build by checking out that branch v2.7.17_ossl_1.1.1 and running the build command in PCbuild as mentioned above. If enough people are interested, I may clean it up and keep it around.