diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml
index 6302b547982..fb4a2218ddd 100644
--- a/.azure-pipelines/ci.yml
+++ b/.azure-pipelines/ci.yml
@@ -57,7 +57,7 @@ jobs:
variables:
testRunTitle: '$(build.sourceBranchName)-linux'
testRunPlatform: linux
- openssl_version: 1.1.1t
+ openssl_version: 1.1.1u
steps:
- template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
variables:
testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
testRunPlatform: linux-coverage
- openssl_version: 1.1.1t
+ openssl_version: 1.1.1u
steps:
- template: ./posix-steps.yml
diff --git a/.azure-pipelines/pr.yml b/.azure-pipelines/pr.yml
index 5f7218768c1..b822d58806b 100644
--- a/.azure-pipelines/pr.yml
+++ b/.azure-pipelines/pr.yml
@@ -57,7 +57,7 @@ jobs:
variables:
testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
testRunPlatform: linux
- openssl_version: 1.1.1t
+ openssl_version: 1.1.1u
steps:
- template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
variables:
testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
testRunPlatform: linux-coverage
- openssl_version: 1.1.1t
+ openssl_version: 1.1.1u
steps:
- template: ./posix-steps.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2abbca468ef..c2293cb4de3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -250,7 +250,7 @@ jobs:
needs: check_source
if: needs.check_source.outputs.run_tests == 'true'
env:
- OPENSSL_VER: 1.1.1t
+ OPENSSL_VER: 1.1.1u
PYTHONSTRICTEXTENSIONBUILD: 1
steps:
- uses: actions/checkout@v3
@@ -319,7 +319,7 @@ jobs:
strategy:
fail-fast: false
matrix:
- openssl_ver: [1.1.1t, 3.0.8, 3.1.0-beta1]
+ openssl_ver: [1.1.1u, 3.0.9, 3.1.1]
env:
OPENSSL_VER: ${{ matrix.openssl_ver }}
MULTISSL_DIR: ${{ github.workspace }}/multissl
@@ -371,7 +371,7 @@ jobs:
needs: check_source
if: needs.check_source.outputs.run_tests == 'true'
env:
- OPENSSL_VER: 1.1.1t
+ OPENSSL_VER: 1.1.1u
PYTHONSTRICTEXTENSIONBUILD: 1
ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
steps:
diff --git a/Misc/NEWS.d/next/Security/2023-06-01-03-24-58.gh-issue-103142.GLWDMX.rst b/Misc/NEWS.d/next/Security/2023-06-01-03-24-58.gh-issue-103142.GLWDMX.rst
new file mode 100644
index 00000000000..7e0836879e4
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-06-01-03-24-58.gh-issue-103142.GLWDMX.rst
@@ -0,0 +1,2 @@
+The version of OpenSSL used in our binary builds has been upgraded to 1.1.1u
+to address several CVEs.
diff --git a/Modules/_ssl_data_111.h b/Modules/_ssl_data_111.h
index 85a2f7ec156..093c786e6a2 100644
--- a/Modules/_ssl_data_111.h
+++ b/Modules/_ssl_data_111.h
@@ -1,4 +1,4 @@
-/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:36:21.493286 */
+/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2023-06-01T02:58:04.081473 */
static struct py_ssl_library_code library_codes[] = {
#ifdef ERR_LIB_ASN1
{"ASN1", ERR_LIB_ASN1},
@@ -1375,6 +1375,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"UNSUPPORTED_COMPRESSION_ALGORITHM", 46, 151},
#endif
+ #ifdef CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM
+ {"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM},
+ #else
+ {"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", 46, 194},
+ #endif
#ifdef CMS_R_UNSUPPORTED_CONTENT_TYPE
{"UNSUPPORTED_CONTENT_TYPE", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_TYPE},
#else
@@ -4860,6 +4865,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"MISSING_PARAMETERS", 20, 290},
#endif
+ #ifdef SSL_R_MISSING_PSK_KEX_MODES_EXTENSION
+ {"MISSING_PSK_KEX_MODES_EXTENSION", ERR_LIB_SSL, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION},
+ #else
+ {"MISSING_PSK_KEX_MODES_EXTENSION", 20, 310},
+ #endif
#ifdef SSL_R_MISSING_RSA_CERTIFICATE
{"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
#else
@@ -5065,6 +5075,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"NULL_SSL_METHOD_PASSED", 20, 196},
#endif
+ #ifdef SSL_R_OCSP_CALLBACK_FAILURE
+ {"OCSP_CALLBACK_FAILURE", ERR_LIB_SSL, SSL_R_OCSP_CALLBACK_FAILURE},
+ #else
+ {"OCSP_CALLBACK_FAILURE", 20, 294},
+ #endif
#ifdef SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
{"OLD_SESSION_CIPHER_NOT_RETURNED", ERR_LIB_SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED},
#else
diff --git a/Modules/_ssl_data_300.h b/Modules/_ssl_data_300.h
index 6be8b24ee1a..dc66731f6b6 100644
--- a/Modules/_ssl_data_300.h
+++ b/Modules/_ssl_data_300.h
@@ -1,4 +1,4 @@
-/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:44:43.288448 */
+/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2023-06-01T03:03:52.163218 */
static struct py_ssl_library_code library_codes[] = {
#ifdef ERR_LIB_ASN1
{"ASN1", ERR_LIB_ASN1},
@@ -1035,6 +1035,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"NO_INVERSE", 3, 108},
#endif
+ #ifdef BN_R_NO_PRIME_CANDIDATE
+ {"NO_PRIME_CANDIDATE", ERR_LIB_BN, BN_R_NO_PRIME_CANDIDATE},
+ #else
+ {"NO_PRIME_CANDIDATE", 3, 121},
+ #endif
#ifdef BN_R_NO_SOLUTION
{"NO_SOLUTION", ERR_LIB_BN, BN_R_NO_SOLUTION},
#else
@@ -1255,6 +1260,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"INVALID_OPTION", 58, 174},
#endif
+ #ifdef CMP_R_MISSING_CERTID
+ {"MISSING_CERTID", ERR_LIB_CMP, CMP_R_MISSING_CERTID},
+ #else
+ {"MISSING_CERTID", 58, 165},
+ #endif
#ifdef CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION
{"MISSING_KEY_INPUT_FOR_CREATING_PROTECTION", ERR_LIB_CMP, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION},
#else
@@ -1280,21 +1290,41 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"MISSING_PRIVATE_KEY", 58, 131},
#endif
+ #ifdef CMP_R_MISSING_PRIVATE_KEY_FOR_POPO
+ {"MISSING_PRIVATE_KEY_FOR_POPO", ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO},
+ #else
+ {"MISSING_PRIVATE_KEY_FOR_POPO", 58, 190},
+ #endif
#ifdef CMP_R_MISSING_PROTECTION
{"MISSING_PROTECTION", ERR_LIB_CMP, CMP_R_MISSING_PROTECTION},
#else
{"MISSING_PROTECTION", 58, 143},
#endif
+ #ifdef CMP_R_MISSING_PUBLIC_KEY
+ {"MISSING_PUBLIC_KEY", ERR_LIB_CMP, CMP_R_MISSING_PUBLIC_KEY},
+ #else
+ {"MISSING_PUBLIC_KEY", 58, 183},
+ #endif
#ifdef CMP_R_MISSING_REFERENCE_CERT
{"MISSING_REFERENCE_CERT", ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT},
#else
{"MISSING_REFERENCE_CERT", 58, 168},
#endif
+ #ifdef CMP_R_MISSING_SECRET
+ {"MISSING_SECRET", ERR_LIB_CMP, CMP_R_MISSING_SECRET},
+ #else
+ {"MISSING_SECRET", 58, 178},
+ #endif
#ifdef CMP_R_MISSING_SENDER_IDENTIFICATION
{"MISSING_SENDER_IDENTIFICATION", ERR_LIB_CMP, CMP_R_MISSING_SENDER_IDENTIFICATION},
#else
{"MISSING_SENDER_IDENTIFICATION", 58, 111},
#endif
+ #ifdef CMP_R_MISSING_TRUST_ANCHOR
+ {"MISSING_TRUST_ANCHOR", ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR},
+ #else
+ {"MISSING_TRUST_ANCHOR", 58, 179},
+ #endif
#ifdef CMP_R_MISSING_TRUST_STORE
{"MISSING_TRUST_STORE", ERR_LIB_CMP, CMP_R_MISSING_TRUST_STORE},
#else
@@ -1455,6 +1485,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"WRONG_ALGORITHM_OID", 58, 138},
#endif
+ #ifdef CMP_R_WRONG_CERTID
+ {"WRONG_CERTID", ERR_LIB_CMP, CMP_R_WRONG_CERTID},
+ #else
+ {"WRONG_CERTID", 58, 189},
+ #endif
#ifdef CMP_R_WRONG_CERTID_IN_RP
{"WRONG_CERTID_IN_RP", ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP},
#else
@@ -1885,6 +1920,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"UNSUPPORTED_COMPRESSION_ALGORITHM", 46, 151},
#endif
+ #ifdef CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM
+ {"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM},
+ #else
+ {"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", 46, 194},
+ #endif
#ifdef CMS_R_UNSUPPORTED_CONTENT_TYPE
{"UNSUPPORTED_CONTENT_TYPE", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_TYPE},
#else
@@ -2045,6 +2085,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"RECURSIVE_DIRECTORY_INCLUDE", 14, 111},
#endif
+ #ifdef CONF_R_RELATIVE_PATH
+ {"RELATIVE_PATH", ERR_LIB_CONF, CONF_R_RELATIVE_PATH},
+ #else
+ {"RELATIVE_PATH", 14, 125},
+ #endif
#ifdef CONF_R_SSL_COMMAND_SECTION_EMPTY
{"SSL_COMMAND_SECTION_EMPTY", ERR_LIB_CONF, CONF_R_SSL_COMMAND_SECTION_EMPTY},
#else
@@ -2235,6 +2280,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"INSUFFICIENT_SECURE_DATA_SPACE", 15, 108},
#endif
+ #ifdef CRYPTO_R_INVALID_NEGATIVE_VALUE
+ {"INVALID_NEGATIVE_VALUE", ERR_LIB_CRYPTO, CRYPTO_R_INVALID_NEGATIVE_VALUE},
+ #else
+ {"INVALID_NEGATIVE_VALUE", 15, 122},
+ #endif
#ifdef CRYPTO_R_INVALID_NULL_ARGUMENT
{"INVALID_NULL_ARGUMENT", ERR_LIB_CRYPTO, CRYPTO_R_INVALID_NULL_ARGUMENT},
#else
@@ -2605,6 +2655,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"SEED_LEN_SMALL", 10, 110},
#endif
+ #ifdef DSA_R_TOO_MANY_RETRIES
+ {"TOO_MANY_RETRIES", ERR_LIB_DSA, DSA_R_TOO_MANY_RETRIES},
+ #else
+ {"TOO_MANY_RETRIES", 10, 116},
+ #endif
#ifdef DSO_R_CTRL_FAILED
{"CTRL_FAILED", ERR_LIB_DSO, DSO_R_CTRL_FAILED},
#else
@@ -2745,6 +2800,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"EC_GROUP_NEW_BY_NAME_FAILURE", 16, 119},
#endif
+ #ifdef EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED
+ {"EXPLICIT_PARAMS_NOT_SUPPORTED", ERR_LIB_EC, EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED},
+ #else
+ {"EXPLICIT_PARAMS_NOT_SUPPORTED", 16, 127},
+ #endif
#ifdef EC_R_FAILED_MAKING_PUBLIC_KEY
{"FAILED_MAKING_PUBLIC_KEY", ERR_LIB_EC, EC_R_FAILED_MAKING_PUBLIC_KEY},
#else
@@ -2850,6 +2910,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"INVALID_KEY", 16, 116},
#endif
+ #ifdef EC_R_INVALID_LENGTH
+ {"INVALID_LENGTH", ERR_LIB_EC, EC_R_INVALID_LENGTH},
+ #else
+ {"INVALID_LENGTH", 16, 117},
+ #endif
#ifdef EC_R_INVALID_NAMED_GROUP_CONVERSION
{"INVALID_NAMED_GROUP_CONVERSION", ERR_LIB_EC, EC_R_INVALID_NAMED_GROUP_CONVERSION},
#else
@@ -3010,6 +3075,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"SLOT_FULL", 16, 108},
#endif
+ #ifdef EC_R_TOO_MANY_RETRIES
+ {"TOO_MANY_RETRIES", ERR_LIB_EC, EC_R_TOO_MANY_RETRIES},
+ #else
+ {"TOO_MANY_RETRIES", 16, 176},
+ #endif
#ifdef EC_R_UNDEFINED_GENERATOR
{"UNDEFINED_GENERATOR", ERR_LIB_EC, EC_R_UNDEFINED_GENERATOR},
#else
@@ -3690,6 +3760,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"PUBLIC_KEY_NOT_RSA", 6, 106},
#endif
+ #ifdef EVP_R_SETTING_XOF_FAILED
+ {"SETTING_XOF_FAILED", ERR_LIB_EVP, EVP_R_SETTING_XOF_FAILED},
+ #else
+ {"SETTING_XOF_FAILED", 6, 227},
+ #endif
#ifdef EVP_R_SET_DEFAULT_PROPERTY_FAILURE
{"SET_DEFAULT_PROPERTY_FAILURE", ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE},
#else
@@ -3865,6 +3940,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"FAILED_READING_DATA", 61, 128},
#endif
+ #ifdef HTTP_R_HEADER_PARSE_ERROR
+ {"HEADER_PARSE_ERROR", ERR_LIB_HTTP, HTTP_R_HEADER_PARSE_ERROR},
+ #else
+ {"HEADER_PARSE_ERROR", 61, 126},
+ #endif
#ifdef HTTP_R_INCONSISTENT_CONTENT_LENGTH
{"INCONSISTENT_CONTENT_LENGTH", ERR_LIB_HTTP, HTTP_R_INCONSISTENT_CONTENT_LENGTH},
#else
@@ -3935,6 +4015,16 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"RESPONSE_PARSE_ERROR", 61, 104},
#endif
+ #ifdef HTTP_R_RETRY_TIMEOUT
+ {"RETRY_TIMEOUT", ERR_LIB_HTTP, HTTP_R_RETRY_TIMEOUT},
+ #else
+ {"RETRY_TIMEOUT", 61, 129},
+ #endif
+ #ifdef HTTP_R_SERVER_CANCELED_CONNECTION
+ {"SERVER_CANCELED_CONNECTION", ERR_LIB_HTTP, HTTP_R_SERVER_CANCELED_CONNECTION},
+ #else
+ {"SERVER_CANCELED_CONNECTION", 61, 127},
+ #endif
#ifdef HTTP_R_SOCK_NOT_SUPPORTED
{"SOCK_NOT_SUPPORTED", ERR_LIB_HTTP, HTTP_R_SOCK_NOT_SUPPORTED},
#else
@@ -4100,6 +4190,16 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"UNSUPPORTED_REQUESTORNAME_TYPE", 39, 129},
#endif
+ #ifdef OSSL_DECODER_R_COULD_NOT_DECODE_OBJECT
+ {"COULD_NOT_DECODE_OBJECT", ERR_LIB_OSSL_DECODER, OSSL_DECODER_R_COULD_NOT_DECODE_OBJECT},
+ #else
+ {"COULD_NOT_DECODE_OBJECT", 60, 101},
+ #endif
+ #ifdef OSSL_DECODER_R_DECODER_NOT_FOUND
+ {"DECODER_NOT_FOUND", ERR_LIB_OSSL_DECODER, OSSL_DECODER_R_DECODER_NOT_FOUND},
+ #else
+ {"DECODER_NOT_FOUND", 60, 102},
+ #endif
#ifdef OSSL_DECODER_R_MISSING_GET_PARAMS
{"MISSING_GET_PARAMS", ERR_LIB_OSSL_DECODER, OSSL_DECODER_R_MISSING_GET_PARAMS},
#else
@@ -4190,6 +4290,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"NOT_PARAMETERS", 44, 104},
#endif
+ #ifdef OSSL_STORE_R_NO_LOADERS_FOUND
+ {"NO_LOADERS_FOUND", ERR_LIB_OSSL_STORE, OSSL_STORE_R_NO_LOADERS_FOUND},
+ #else
+ {"NO_LOADERS_FOUND", 44, 123},
+ #endif
#ifdef OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR
{"PASSPHRASE_CALLBACK_ERROR", ERR_LIB_OSSL_STORE, OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR},
#else
@@ -4935,6 +5040,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"INVALID_DIGEST_SIZE", 57, 218},
#endif
+ #ifdef PROV_R_INVALID_INPUT_LENGTH
+ {"INVALID_INPUT_LENGTH", ERR_LIB_PROV, PROV_R_INVALID_INPUT_LENGTH},
+ #else
+ {"INVALID_INPUT_LENGTH", 57, 230},
+ #endif
#ifdef PROV_R_INVALID_ITERATION_COUNT
{"INVALID_ITERATION_COUNT", ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT},
#else
@@ -4970,6 +5080,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"INVALID_MODE", 57, 125},
#endif
+ #ifdef PROV_R_INVALID_OUTPUT_LENGTH
+ {"INVALID_OUTPUT_LENGTH", ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH},
+ #else
+ {"INVALID_OUTPUT_LENGTH", 57, 217},
+ #endif
#ifdef PROV_R_INVALID_PADDING_MODE
{"INVALID_PADDING_MODE", ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE},
#else
@@ -5035,6 +5150,16 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"KEY_SIZE_TOO_SMALL", 57, 171},
#endif
+ #ifdef PROV_R_LENGTH_TOO_LARGE
+ {"LENGTH_TOO_LARGE", ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE},
+ #else
+ {"LENGTH_TOO_LARGE", 57, 202},
+ #endif
+ #ifdef PROV_R_MISMATCHING_DOMAIN_PARAMETERS
+ {"MISMATCHING_DOMAIN_PARAMETERS", ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS},
+ #else
+ {"MISMATCHING_DOMAIN_PARAMETERS", 57, 203},
+ #endif
#ifdef PROV_R_MISSING_CEK_ALG
{"MISSING_CEK_ALG", ERR_LIB_PROV, PROV_R_MISSING_CEK_ALG},
#else
@@ -5695,6 +5820,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"INVALID_LABEL", 4, 160},
#endif
+ #ifdef RSA_R_INVALID_LENGTH
+ {"INVALID_LENGTH", ERR_LIB_RSA, RSA_R_INVALID_LENGTH},
+ #else
+ {"INVALID_LENGTH", 4, 181},
+ #endif
#ifdef RSA_R_INVALID_MESSAGE_LENGTH
{"INVALID_MESSAGE_LENGTH", ERR_LIB_RSA, RSA_R_INVALID_MESSAGE_LENGTH},
#else
@@ -5880,6 +6010,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"Q_NOT_PRIME", 4, 129},
#endif
+ #ifdef RSA_R_RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT
+ {"RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT", ERR_LIB_RSA, RSA_R_RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT},
+ #else
+ {"RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT", 4, 180},
+ #endif
#ifdef RSA_R_RSA_OPERATIONS_NOT_SUPPORTED
{"RSA_OPERATIONS_NOT_SUPPORTED", ERR_LIB_RSA, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED},
#else
@@ -6680,6 +6815,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"INVALID_TICKET_KEYS_LENGTH", 20, 325},
#endif
+ #ifdef SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED
+ {"LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED", ERR_LIB_SSL, SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED},
+ #else
+ {"LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED", 20, 333},
+ #endif
#ifdef SSL_R_LENGTH_MISMATCH
{"LENGTH_MISMATCH", ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH},
#else
@@ -6725,6 +6865,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"MISSING_PARAMETERS", 20, 290},
#endif
+ #ifdef SSL_R_MISSING_PSK_KEX_MODES_EXTENSION
+ {"MISSING_PSK_KEX_MODES_EXTENSION", ERR_LIB_SSL, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION},
+ #else
+ {"MISSING_PSK_KEX_MODES_EXTENSION", 20, 310},
+ #endif
#ifdef SSL_R_MISSING_RSA_CERTIFICATE
{"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
#else
@@ -6940,6 +7085,11 @@ static struct py_ssl_error_code error_codes[] = {
#else
{"NULL_SSL_METHOD_PASSED", 20, 196},
#endif
+ #ifdef SSL_R_OCSP_CALLBACK_FAILURE
+ {"OCSP_CALLBACK_FAILURE", ERR_LIB_SSL, SSL_R_OCSP_CALLBACK_FAILURE},
+ #else
+ {"OCSP_CALLBACK_FAILURE", 20, 305},
+ #endif
#ifdef SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
{"OLD_SESSION_CIPHER_NOT_RETURNED", ERR_LIB_SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED},
#else
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index cda58f1c449..4fc37efd4e3 100644
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -53,7 +53,7 @@ echo.Fetching external libraries...
set libraries=
set libraries=%libraries% bzip2-1.0.8
if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4
-if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1t
+if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1u
set libraries=%libraries% sqlite-3.42.0.0
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.12.1
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.12.1
@@ -77,7 +77,7 @@ echo.Fetching external binaries...
set binaries=
if NOT "%IncludeLibffi%"=="false" set binaries=%binaries% libffi-3.4.4
-if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1t
+if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1u
if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.12.1
if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06
diff --git a/PCbuild/python.props b/PCbuild/python.props
index 1d959699f3c..68052ef668a 100644
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -74,8 +74,8 @@
$(ExternalsDir)libffi-3.4.4\
$(libffiDir)$(ArchName)\
$(libffiOutDir)include
- $(ExternalsDir)openssl-1.1.1t\
- $(ExternalsDir)openssl-bin-1.1.1t\$(ArchName)\
+ $(ExternalsDir)openssl-1.1.1u\
+ $(ExternalsDir)openssl-bin-1.1.1u\$(ArchName)\
$(opensslOutDir)include
$(ExternalsDir)\nasm-2.11.06\
$(ExternalsDir)\zlib-1.2.13\
diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
index f9742426e7c..d48f7e18eb3 100644
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@@ -168,7 +168,7 @@ _lzma
Homepage:
https://tukaani.org/xz/
_ssl
- Python wrapper for version 1.1.1t of the OpenSSL secure sockets
+ Python wrapper for version 1.1.1u of the OpenSSL secure sockets
library, which is downloaded from our binaries repository at
https://github.com/python/cpython-bin-deps.
diff --git a/Tools/c-analyzer/cpython/_parser.py b/Tools/c-analyzer/cpython/_parser.py
index eaad7278ed7..36d2a7c37df 100644
--- a/Tools/c-analyzer/cpython/_parser.py
+++ b/Tools/c-analyzer/cpython/_parser.py
@@ -75,6 +75,7 @@ def clean_lines(text):
# only huge constants (safe but parsing is slow)
Modules/_blake2/impl/blake2-kat.h
Modules/_ssl_data.h
+Modules/_ssl_data_31.h
Modules/_ssl_data_300.h
Modules/_ssl_data_111.h
Modules/cjkcodecs/mappings_*.h
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 94d6b19a099..a9c6e89a157 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -47,8 +47,9 @@
]
OPENSSL_RECENT_VERSIONS = [
- "1.1.1t",
- "3.0.8"
+ "1.1.1u",
+ "3.0.9",
+ "3.1.1",
]
LIBRESSL_OLD_VERSIONS = [