python 3.11 test_ssl failure with OpenSSL 3.0 on Windows #101401

Closed
mzhao-dev opened this issue Jan 29, 2023 · 4 comments
Labels
type-bug An unexpected behavior, bug, or error

Comments

@mzhao-dev

Bug report

A clear and concise description of what the bug is.
When I ran test_ssl.py, it showed a "no OPENSSL_Applink" runtime error and Python crashed.

Include a minimal, reproducible example (https://stackoverflow.com/help/minimal-reproducible-example), if possible.

Your environment

  • CPython versions tested on: 3.11.1
  • Operating system and architecture: windows

I could build my local Python by modifying get_external.bat, ssl.props, python.props, etc.
to make my _ssl.pyd call the local OpenSSL 3.0 libraries libcrypto-3-x64.dll and libssl-3-x64.dll.
But when I ran test_ssl.py, it showed a "no OPENSSL_Applink" runtime error and Python crashed.

test_ssl: testing with 'OpenSSL 3.0.7 1 Nov 2022' (3, 0, 0, 7, 0)
under Windows ('10', '10.0.22621', 'SP0', 'Multiprocessor Free')
HAS_SNI = True
OP_ALL = 0x-7fffffb0
OP_NO_TLSv1_1 = 0x10000000
...s...............
{'OCSP': ('http://ocsp.verisign.com/',),
'caIssuers': ('http://svrintl-g3-aia.verisign.com/SVRIntlG3.cer',),
'crlDistributionPoints': ('http://svrintl-g3-crl.verisign.com/SVRIntlG3.crl',),
'issuer': ((('countryName', 'US'),),
(('organizationName', 'VeriSign, Inc.'),),
(('organizationalUnitName', 'VeriSign Trust Network'),),
(('organizationalUnitName',
'Terms of use at https://www.verisign.com/rpa (c)10'),),
(('commonName', 'VeriSign Class 3 International Server CA - G3'),)),
'notAfter': 'Sep 20 23:59:59 2012 GMT',
'notBefore': 'Sep 21 00:00:00 2011 GMT',
'serialNumber': '2EE6EA7640A075CEE5005F4D7C79549A',
'subject': ((('countryName', 'FI'),),
(('stateOrProvinceName', 'Espoo'),),
(('localityName', 'Espoo'),),
(('organizationName', 'Nokia'),),
(('organizationalUnitName', 'BI'),),
(('commonName', 'projects.developer.nokia.com'),)),
'subjectAltName': (('DNS', 'projects.developer.nokia.com'),
('DNS', 'projects.forum.nokia.com')),
'version': 3}
.
{'issuer': ((('countryName', 'US'),),
(('stateOrProvinceName', 'Oregon'),),
(('localityName', 'Beaverton'),),
(('organizationName', 'Python Software Foundation'),),
(('organizationalUnitName', 'Python Core Development'),),
(('commonName', 'null.python.org\x00example.org'),),
(('emailAddress', '[email protected]'),)),
'notAfter': 'Aug 7 13:12:52 2013 GMT',
'notBefore': 'Aug 7 13:11:52 2013 GMT',
'serialNumber': '00',
'subject': ((('countryName', 'US'),),
(('stateOrProvinceName', 'Oregon'),),
(('localityName', 'Beaverton'),),
(('organizationName', 'Python Software Foundation'),),
(('organizationalUnitName', 'Python Core Development'),),
(('commonName', 'null.python.org\x00example.org'),),
(('emailAddress', '[email protected]'),)),
'subjectAltName': (('DNS', 'altnull.python.org\x00example.com'),
('email', '[email protected][[email protected]](mailto:[email protected])'),
('URI', 'http://null.python.org\x00http://example.org'),
('IP Address', '192.0.2.1'),
('IP Address', '2001:DB8:0:0:0:0:0:1')),
'version': 3}
.
{'issuer': ((('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
'notAfter': 'Jun 14 18:00:58 2028 GMT',
'notBefore': 'Jun 18 18:00:58 2018 GMT',
'serialNumber': '02',
'subject': ((('countryName', 'UK'),),
(('commonName', 'codenomicon-vm-2.test.lal.cisco.com'),)),
'subjectAltName': (('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
'version': 3}
...
RAND_status is 1 (sufficient randomness)
. server: new connection from ('127.0.0.1', 65259)

server: bad connection attempt from ('127.0.0.1', 65259):
Traceback (most recent call last):
File "C:\Git_root\mv-pkg\Python-3.11.1\Lib\test\test_ssl.py", line 2436, in wrap_conn
self.sslconn = self.server.context.wrap_socket(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Git_root\mv-pkg\Python-3.11.1\Lib\ssl.py", line 517, in wrap_socket
return self.sslsocket_class._create(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Git_root\mv-pkg\Python-3.11.1\Lib\ssl.py", line 1075, in _create
self.do_handshake()
File "C:\Git_root\mv-pkg\Python-3.11.1\Lib\ssl.py", line 1346, in do_handshake
self._sslobj.do_handshake()
ConnectionAbortedError: [WinError 10053] An established connection was aborted by the software in your host machine
.......................s.OPENSSL_Uplink(00007FFB16F545C0,08): no OPENSSL_Applink

Can anyone help?

@mzhao-dev mzhao-dev added the type-bug label Jan 29, 2023
@stevendaprano
Member

I read the title of this and my first thought was "Surely nobody is still using Windows 3.11 any more? I can't believe there is a Python that runs on it!" 😁

@mzhao-dev
Author

Hi stevendaprano,
Sorry for puzzling you. I mean that on the Windows 10 platform I compiled Python 3.11.1 with OpenSSL 3.0.7; when I run test_ssl.py, it shows a "no OPENSSL_Applink" error and crashes.
I confirmed that the applink.c file was added and compiled, so I have no idea about that issue. I think maybe some other code change is needed for that?

Thank you so much.

@mzhao-dev mzhao-dev changed the title from "Windows 3.11.1 support for OpenSSL 3.0" to "python 3.11.1 support for OpenSSL 3.0 on Windows" Jan 30, 2023
@zooba
Member

zooba commented Feb 3, 2023

It's likely because we require a patch to OpenSSL to properly connect the applink.

This line in OpenSSL checks the current executable for the applink export, but we don't include it in python.exe - it goes in _ssl.pyd. So we patch our own builds to look in there (as well as the executable and _ssl_d.pyd to cover all our cases).

We likely need to upstream some kind of runtime option to OpenSSL to handle this without patching, or they need to provide an API we can use to pass in the applink table directly. As far as I know, we haven't asked them for that though.
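
A way to check which module of a local build actually exports the applink table, as an added example (not code from CPython, OpenSSL or this thread). The helper names `pe_export_names`, `build_sample` and `applink_provider` are hypothetical, the sample images are constructed, and the two search lists only model the lookup described in the comment above; its order is an assumption.

```python
import struct

def pe_export_names(data):
    """Return the exported symbol names of a PE image (empty list if none)."""
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)           # 0x20B = PE32+
    exp_rva, = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))
    if exp_rva == 0:
        return []
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
                for i in range(nsect)]
    def off(rva):                                          # RVA -> file offset
        for _name, vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + rptr
        raise ValueError("RVA outside every section")
    # NumberOfNames, AddressOfFunctions (unused), AddressOfNames
    count, _, table = struct.unpack_from("<III", data, off(exp_rva) + 24)
    names = []
    for i in range(count):
        start = off(struct.unpack_from("<I", data, off(table) + 4 * i)[0])
        names.append(data[start:data.index(b"\0", start)].decode("ascii"))
    return names

def build_sample(names):
    """CONSTRUCTED minimal PE32+ image carrying only an export name table."""
    rva, raw = 0x1000, 0x200
    strings = b"".join(n.encode() + b"\0" for n in names)
    ptrs, pos = b"", rva + 40 + 4 * len(names)
    for n in names:
        ptrs, pos = ptrs + struct.pack("<I", pos), pos + len(n) + 1
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(names), len(names),
                       0, rva + 40, 0) + ptrs + strings
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
           + struct.pack("<H", 0x20B) + b"\0" * 110
           + struct.pack("<II", rva, len(body)) + b"\0" * 120
           + struct.pack("<8sIIII", b".edata", len(body), rva, len(body), raw)
           + b"\0" * 16)
    return hdr.ljust(raw, b"\0") + body

def applink_provider(images, search):
    """First module in `search` whose image exports OPENSSL_Applink, else None."""
    return next((m for m in search if m in images
                 and "OPENSSL_Applink" in pe_export_names(images[m])), None)
```

On a real build, fill `images` with the bytes of the built `python.exe` and `_ssl.pyd`; a result of `None` for the executable-only search matches the failure reported in this issue.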

@gpshead gpshead changed the title from "python 3.11.1 support for OpenSSL 3.0 on Windows" to "python 3.11 test_ssl failure with OpenSSL 3.0 on Windows" May 20, 2023
@zware
Member

zware commented Jul 18, 2023

This doesn't reproduce in CI or on our buildbots using our build of OpenSSL 3.0.9, so I'm going to go ahead and close it. If I've missed something here and it can still be reproduced elsewhere, the issue can of course be reopened.

@zware zware closed this as not planned (won't fix, can't repro, duplicate, stale) Jul 18, 2023