Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / 32eba61ea431c76f15a910c0a4eded7f5f8b9b34^! / . / Doc
commit32eba61ea431c76f15a910c0a4eded7f5f8b9b34[log] [tgz]
authorChristian Heimes <christian@python.org>Fri Mar 19 10:29:25 2021 +0100
committerGitHub <noreply@github.com>Fri Mar 19 10:29:25 2021 +0100
tree4e927023cfd797501d0dc8cf160068acfb4f61b9
parentff8c77fe96c1e0e1822f3b821e9c6dcfbec22a56 [diff]
bpo-43466: Add --with-openssl-rpath configure option (GH-24820)


diff --git a/Doc/using/unix.rst b/Doc/using/unix.rst
index c0a5643..d5f073c 100644
--- a/Doc/using/unix.rst
+++ b/Doc/using/unix.rst

@@ -134,3 +134,53 @@
 ``/usr/bin/python3`` as the interpreter path.
 
 To use shell commands in your Python scripts, look at the :mod:`subprocess` module.
+
+
+Custom OpenSSL
+==============
+
+1. To use your vendor's OpenSSL configuration and system trust store, locate
+   the directory with ``openssl.cnf`` file or symlink in ``/etc``. On most
+   distribution the file is either in ``/etc/ssl`` or ``/etc/pki/tls``. The
+   directory should also contain a ``cert.pem`` file and/or a ``certs``
+   directory.
+
+   .. code-block:: shell-session
+
+      $ find /etc/ -name openssl.cnf -printf "%h\n"
+      /etc/ssl
+
+2. Download, build, and install OpenSSL. Make sure you use ``install_sw`` and
+   not ``install``. The ``install_sw`` target does not override
+   ``openssl.cnf``.
+
+   .. code-block:: shell-session
+
+      $ curl -O https://www.openssl.org/source/openssl-VERSION.tar.gz
+         $ tar xzf openssl-VERSION
+         $ pushd openssl-VERSION
+         $ ./config \
+              --prefix=/usr/local/custom-openssl \
+              --openssldir=/etc/ssl
+         $ make -j1 depend
+         $ make -j8
+         $ make install_sw
+         $ popd
+
+3. Build Python with custom OpenSSL
+
+   .. code-block:: shell-session
+
+      $ pushd python-3.x.x
+      $ ./configure -C \
+          --with-openssl=/usr/local/custom-openssl \
+          --with-openssl-rpath=auto \
+          --prefix=/usr/local/python-3.x.x
+      $ make -j8
+      $ make altinstall
+
+.. note::
+
+   Patch releases of OpenSSL have a backwards compatible ABI. You don't need
+   to recompile Python to update OpenSSL. It's sufficient to replace the
+   custom OpenSSL installation with a newer version.

diff --git a/Doc/whatsnew/3.10.rst b/Doc/whatsnew/3.10.rst
index 25f71c4..362ce8f 100644
--- a/Doc/whatsnew/3.10.rst
+++ b/Doc/whatsnew/3.10.rst

@@ -1181,6 +1181,12 @@
   and ``--with-tcltk-libs`` configuration options.
   (Contributed by Manolis Stamatogiannakis in :issue:`42603`.)
 
+* Add ``--with-openssl-rpath`` option to ``configure`` script. The option
+  simplifies building Python with a custom OpenSSL installation, e.g.
+  ``./configure --with-openssl=/path/to/openssl --with-openssl-rpath=auto``.
+  (Contributed by Christian Heimes in :issue:`43466`.)
+
+
 
 C API Changes
 =============