Port cpython 104135 #307
Open
dwoz wants to merge 3 commits into
Python 3.10 and 3.11 stdlib's ssl._load_windows_store_certs concatenates every Windows root-store certificate and feeds the lot to OpenSSL's load_verify_locations as one cadata blob. OpenSSL 3.5.x (shipped since relenv 0.22.13) rejects the entire blob on a single ASN.1-malformed cert with "[ASN1: NOT_ENOUGH_DATA]", killing every TLS connection inside the onedir: pip-over-HTTPS, salt-call to a master, anything. Upstream merged an iterate-and-skip rewrite onto the 3.12 branch but never backported it; see python/cpython#104135.

Append the same iterate-and-skip replacement to the bundled Lib/ssl.py during the Windows build (relenv/build/windows.py). The patch self-disables on Python 3.12+ and on non-Windows, so calling it unconditionally from the Windows builder is safe. Idempotent via a marker comment, and the marker matches the one in Salt's cicd/windows-ssl-104135-patch.py so an ssl.py patched by either side is left alone by the other during the transition window.

Once Salt picks up a relenv release carrying this, they drop the patch script, the three workflow steps in build-deps-ci-action.yml / test-action.yml / test-packages-action.yml, the salt/__init__.py monkey-patch, and the salt/ext/tornado/netutil.py certifi pin.

Bumps __version__ to 0.22.15 and adds a CHANGELOG.md entry.

Covers:
- append + marker present on a clean Lib/ssl.py
- idempotency: applying twice leaves exactly one marker block
- missing Lib/ssl.py logs a warning and returns without raising
- appended block compiles cleanly as Python (with SSLError / SSLContext stubs to match what ssl.py provides at module scope)

Behaviour of the patched _load_windows_store_certs itself is exercised end-to-end by Salt's onedir CI on real Windows runners; these unit tests guard the file plumbing relenv owns.
7bfb988 to 0f826df
Pre-commit ruff-format wanted two blank lines between the new function and the EnvMapping type alias; CI surfaced this after GitHub's rebase.
Patch bundled Lib/ssl.py on Windows Python 3.10 / 3.11 to work around cpython#104135.
The pre-fix _load_windows_store_certs concatenated every Windows root-store certificate and handed the blob to OpenSSL, which (3.5.x) rejects the lot on a single ASN.1-malformed cert with [ASN1: NOT_ENOUGH_DATA] — breaking pip-over-HTTPS and any other TLS use inside an onedir.
Upstream merged an iterate-and-skip rewrite for Python 3.12+ but never backported it; relenv now applies the same rewrite at build time. Self-disables on Python 3.12+ and on non-Windows.
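The two loading strategies the description and the commit message contrast, as an added illustration that is not relenv's or CPython's code: a batch concatenation of root-store certificates versus the iterate-and-skip replacement. The store entries are constructed stand-ins shaped like `ssl.enum_certificates` output with deliberately malformed DER (so it runs on any platform and loads nothing real); the selection filter mirrors the stdlib's, while `load_batch`, `load_iterating` and `compare` are names chosen here.

```python
import ssl

# Constructed stand-in for what ssl.enum_certificates("ROOT") yields on Windows:
# (cert_bytes, encoding, trust). None are real certificates; both "x509_asn"
# entries trusted for server auth are deliberately malformed DER.
FAKE_ROOT_STORE = [
    (b"\x30\x82\x03\x00" + b"\x00" * 8, "x509_asn", True),         # truncated SEQUENCE: malformed
    (b"\x30\x03\x02\x01\x01", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),  # code-signing only: filtered out
    (b"\x30\x80" + b"\xff" * 6, "x509_asn", True),                 # garbage: malformed
    (b"not a cert", "pkcs_7_asn", True),                           # wrong encoding: filtered out
]

def _wanted(entry, purpose):
    # Same selection the stdlib applies: DER X.509 entries trusted for this purpose.
    return entry[1] == "x509_asn" and (entry[2] is True or purpose.oid in entry[2])

def load_batch(ctx, entries, purpose=ssl.Purpose.SERVER_AUTH):
    """Pre-fix strategy: one concatenated cadata blob. A single malformed entry
    makes OpenSSL reject the lot (ssl.SSLError), so nothing is loaded at all."""
    blob = bytearray()
    for entry in entries:
        if _wanted(entry, purpose):
            blob.extend(entry[0])
    if blob:
        ctx.load_verify_locations(cadata=bytes(blob))
    return len(blob)

def load_iterating(ctx, entries, purpose=ssl.Purpose.SERVER_AUTH):
    """Iterate-and-skip strategy: load each cert on its own and keep going past a bad
    one (the stdlib rewrite warns; errors are collected here). Returns (loaded, errors)."""
    loaded, skipped = 0, []
    for entry in entries:
        if not _wanted(entry, purpose):
            continue
        try:
            ctx.load_verify_locations(cadata=entry[0])
            loaded += 1
        except ssl.SSLError as exc:
            skipped.append(f"Bad certificate in Windows certificate store: {exc}")
    return loaded, skipped

def compare(entries=FAKE_ROOT_STORE):
    """Run both strategies on the same store; returns (batch_raised, loaded, skipped)."""
    batch_raised = False
    try:
        load_batch(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), entries)
    except ssl.SSLError:
        batch_raised = True
    loaded, skipped = load_iterating(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), entries)
    return batch_raised, loaded, len(skipped)
```

With the constructed store, `compare()` returns `(True, 0, 2)`: the batch path fails outright while the iterating path reports the two bad entries and would have kept any good ones.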