24 December 2021

Python 2.7 and TLSv1.3

Python 2.7.18 is the last bugfix release of any Python that officially supports Windows XP. By default, those trying to build it on Windows will need OpenSSL 1.0.2, per the preconfigured VS2010 project file, which means TLS 1.2 at best. However, as we know, the patch to support TLS 1.3 also landed on the 2.7.x line, so all you need is to build the hashlib and ssl modules with OpenSSL 1.1.1 or, preferably, 3.0.x headers and import libs (so you can update the DLLs in the future).

To do so, remove the libeay and ssleay projects from the solution and remove them from the dependency lists of the _ssl and _hashlib projects.

Put the OpenSSL 3.0.x header directory "openssl" into [root]\externals\openssl-1.0.2t\include32.

Rename the import libs of OpenSSL 3.0.x to libeay.lib and ssleay.lib respectively and place them in [root]\PCBuild.

Build the hashlib and ssl modules as usual.

To see whether your Python has TLS 1.3, check the ssl.HAS_TLSv1_3 boolean to make sure the modules were compiled properly. Note that with OpenSSL 3.0.x the build produces a lot of deprecation warnings but no errors. Be sure to put libcrypto-3.dll and libssl-3.dll in either the DLLs subdirectory or anywhere in the %PATH% environment variable.
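The check described above can be scripted so it also catches a build that loads but still links the old library. This is an added example, not code from the original post; the helper names `audit_ssl_build` and `hashlib_uses_openssl` are hypothetical, and it assumes Python 2.7.15 or later (it also runs on Python 3).

```python
from __future__ import print_function
import ssl

MIN_TLS13_OPENSSL = (1, 1, 1)  # first OpenSSL release line with TLS 1.3


def audit_ssl_build(ssl_mod=ssl):
    """Return (ok, findings) for the OpenSSL library ssl_mod is linked to.

    audit_ssl_build is a hypothetical helper name; ssl_mod is injectable
    so the logic can be exercised without a second interpreter.
    """
    findings = ["linked against: %s" % ssl_mod.OPENSSL_VERSION]
    version = tuple(ssl_mod.OPENSSL_VERSION_INFO[:3])
    if version < MIN_TLS13_OPENSSL:
        findings.append("FAIL: OpenSSL %d.%d.%d predates TLS 1.3" % version)
    # Set when _ssl is compiled; False for builds against pre-1.1.1 headers.
    if not getattr(ssl_mod, "HAS_TLSv1_3", False):
        findings.append("FAIL: ssl.HAS_TLSv1_3 is not True")
    # A context can still switch TLS 1.3 off at run time.
    no_tls13 = getattr(ssl_mod, "OP_NO_TLSv1_3", 0)
    ctx = ssl_mod.create_default_context()
    if no_tls13 and ctx.options & no_tls13:
        findings.append("FAIL: default context sets OP_NO_TLSv1_3")
    ok = not any(f.startswith("FAIL") for f in findings)
    return ok, findings


def hashlib_uses_openssl():
    """True when the OpenSSL-backed _hashlib extension can be imported."""
    try:
        import _hashlib  # noqa: F401  (ImportError if the DLLs cannot load)
        return True
    except ImportError:
        return False


if __name__ == "__main__":
    ok, findings = audit_ssl_build()
    for line in findings:
        print(line)
    print("_hashlib loaded:", hashlib_uses_openssl())
    print("TLS 1.3 ready" if ok else "TLS 1.3 NOT available")
```
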

My build can be found here: https://sourceforge.net/projects/xpitory/files/python/

Since OpenSSL is dynamically loaded, it's preferable for it to be compiled with MSVC 9 (as Python 2.7 is), though I rarely see issues from mixing msvcrt.

My personal build of OpenSSL 3.0.1: https://sourceforge.net/projects/xpitory/files/shared-builds/openssl-3.0.1-fips-win32.7z/download
