bpo-43466: Add --with-openssl-rpath configure option (GH-24820)
diff --git a/Doc/using/unix.rst b/Doc/using/unix.rst
index c0a5643..d5f073c 100644
--- a/Doc/using/unix.rst
+++ b/Doc/using/unix.rst
@@ -134,3 +134,53 @@
``/usr/bin/python3`` as the interpreter path.
To use shell commands in your Python scripts, look at the :mod:`subprocess` module.
+
+
+Custom OpenSSL
+==============
+
+1. To use your vendor's OpenSSL configuration and system trust store, locate
+ the directory with ``openssl.cnf`` file or symlink in ``/etc``. On most
+ distribution the file is either in ``/etc/ssl`` or ``/etc/pki/tls``. The
+ directory should also contain a ``cert.pem`` file and/or a ``certs``
+ directory.
+
+ .. code-block:: shell-session
+
+ $ find /etc/ -name openssl.cnf -printf "%h\n"
+ /etc/ssl
+
+2. Download, build, and install OpenSSL. Make sure you use ``install_sw`` and
+ not ``install``. The ``install_sw`` target does not override
+ ``openssl.cnf``.
+
+ .. code-block:: shell-session
+
+ $ curl -O https://www.openssl.org/source/openssl-VERSION.tar.gz
+ $ tar xzf openssl-VERSION
+ $ pushd openssl-VERSION
+ $ ./config \
+ --prefix=/usr/local/custom-openssl \
+ --openssldir=/etc/ssl
+ $ make -j1 depend
+ $ make -j8
+ $ make install_sw
+ $ popd
+
+3. Build Python with custom OpenSSL
+
+ .. code-block:: shell-session
+
+ $ pushd python-3.x.x
+ $ ./configure -C \
+ --with-openssl=/usr/local/custom-openssl \
+ --with-openssl-rpath=auto \
+ --prefix=/usr/local/python-3.x.x
+ $ make -j8
+ $ make altinstall
+
+.. note::
+
+ Patch releases of OpenSSL have a backwards compatible ABI. You don't need
+ to recompile Python to update OpenSSL. It's sufficient to replace the
+ custom OpenSSL installation with a newer version.