bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014)
- Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
- Update hashopenssl to require OpenSSL 1.1.1
- multissltests only OpenSSL > 1.1.0
- ALPN is always supported
- SNI is always supported
- Remove deprecated NPN code. Python wrappers are no-op.
- ECDH is always supported
- Remove OPENSSL_VERSION_1_1 macro
- Remove locking callbacks
- Drop PY_OPENSSL_1_1_API macro
- Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro
- SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now
- security level is always available now
- get_num_tickets is available with TLS 1.3
- X509_V_ERR MISMATCH is always available now
- Always set SSL_MODE_RELEASE_BUFFERS
- X509_V_FLAG_TRUSTED_FIRST is always available
- get_ciphers is always supported
- SSL_CTX_set_keylog_callback is always available
- Update Modules/Setup with static link example
- Mention PEP in whatsnew
- Drop 1.0.2 and 1.1.0 from GHA tests
diff --git a/Modules/Setup b/Modules/Setup
index a5fbaf6..cce7858 100644
--- a/Modules/Setup
+++ b/Modules/Setup
@@ -207,11 +207,23 @@
#_socket socketmodule.c
# Socket module helper for SSL support; you must comment out the other
-# socket line above, and possibly edit the SSL variable:
-#SSL=/usr/local/ssl
-#_ssl _ssl.c \
-# -DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \
-# -L$(SSL)/lib -lssl -lcrypto
+# socket line above, and edit the OPENSSL variable:
+# OPENSSL=/path/to/openssl/directory
+# _ssl _ssl.c \
+# -I$(OPENSSL)/include -L$(OPENSSL)/lib \
+# -lssl -lcrypto
+#_hashlib _hashopenssl.c \
+# -I$(OPENSSL)/include -L$(OPENSSL)/lib \
+# -lcrypto
+
+# To statically link OpenSSL:
+# _ssl _ssl.c \
+# -I$(OPENSSL)/include -L$(OPENSSL)/lib \
+# -l:libssl.a -Wl,--exclude-libs,libssl.a \
+# -l:libcrypto.a -Wl,--exclude-libs,libcrypto.a
+#_hashlib _hashopenssl.c \
+# -I$(OPENSSL)/include -L$(OPENSSL)/lib \
+# -l:libcrypto.a -Wl,--exclude-libs,libcrypto.a
# The crypt module is now disabled by default because it breaks builds
# on many systems (where -lcrypt is needed), e.g. Linux (I believe).