Update OpenSSL to 3.5.0 in manylinux

Jakuje · Jakuje · commit 2cbee1a47cdf · 2025-06-10T10:35:22.000+02:00
This also changes the way how the libssh finds the OpenSSL installation to use the `OPENSSL_ROOT_DIR` variable. Based partially on the changes in ansible#719. Signed-off-by: Jakub Jelen <jjelen@redhat.com>
diff --git a/build-scripts/manylinux-container-image/install_libssh.sh b/build-scripts/manylinux-container-image/install_libssh.sh
@@ -68,6 +68,8 @@ export LDFLAGS="-pthread -ldl"
 # See also "/tmp/libssh-0.9.4-manylinux-build.FJUercWAg9/libssh-0.9.4/build/CMakeFiles/CMakeError.log".
 export PYCA_OPENSSL_PATH=/opt/pyca/cryptography/openssl
 export PKG_CONFIG_PATH="${STATIC_DEPS_PREFIX}/lib64/pkgconfig:${STATIC_DEPS_PREFIX}/lib/pkgconfig:${PYCA_OPENSSL_PATH}/lib/pkgconfig"
+# Point libssh directly to the OpenSSL directory. It can find it there
+export OPENSSL_ROOT_DIR="${PYCA_OPENSSL_PATH}"
 
 >&2 echo
 >&2 echo
diff --git a/build-scripts/manylinux-container-image/install_openssl.sh b/build-scripts/manylinux-container-image/install_openssl.sh
@@ -8,13 +8,15 @@ MY_DIR=$(dirname "${BASH_SOURCE[0]}")
 
 # Get build utilities
 source $MY_DIR/build_utils.sh
+
+OPENSSL_URL="https://github.com/openssl/openssl/releases/download"
 source /root/openssl-version.sh
 
-fetch_source "openssl-${OPENSSL_VERSION}.tar.gz" "https://www.openssl.org/source/"
-check_sha256sum "openssl-${OPENSSL_VERSION}.tar.gz" ${OPENSSL_SHA256}
-tar zxf openssl-${OPENSSL_VERSION}.tar.gz
+curl -#LO "${OPENSSL_URL}/${OPENSSL_VERSION}/${OPENSSL_VERSION}.tar.gz"
+check_sha256sum "${OPENSSL_VERSION}.tar.gz" ${OPENSSL_SHA256}
+tar zxf ${OPENSSL_VERSION}.tar.gz
 
-pushd openssl-${OPENSSL_VERSION}
+pushd ${OPENSSL_VERSION}
 if [[ "$1" =~ '^manylinux1_.*$' ]]; then
   PATH=/opt/perl/bin:$PATH
 fi
@@ -25,4 +27,4 @@ make -j4
 # https://github.com/openssl/openssl/issues/6685#issuecomment-403838728
 make install_sw install_ssldirs
 popd
-rm -rf openssl-${OPENSSL_VERSION}
+rm -rf ${OPENSSL_VERSION}
diff --git a/build-scripts/manylinux-container-image/openssl-version.sh b/build-scripts/manylinux-container-image/openssl-version.sh
@@ -1,6 +1,6 @@
-export OPENSSL_VERSION="1.1.1k"
-export OPENSSL_SHA256="892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5"
+export OPENSSL_VERSION="openssl-3.5.0"
+export OPENSSL_SHA256="344d0a79f1a9b08029b0744e2cc401a43f9c90acd1044d09a530b4885a8e9fc0"
 # We need a base set of flags because on Windows using MSVC
 # enable-ec_nistp_64_gcc_128 doesn't work since there's no 128-bit type
-export OPENSSL_BUILD_FLAGS_WINDOWS="no-ssl3 no-ssl3-method no-zlib no-shared no-comp no-dynamic-engine"
+export OPENSSL_BUILD_FLAGS_WINDOWS="no-ssl3 no-ssl3-method no-zlib no-shared no-module no-comp no-dynamic-engine no-apps no-docs no-sm2-precomp no-atexit"
 export OPENSSL_BUILD_FLAGS="${OPENSSL_BUILD_FLAGS_WINDOWS} enable-ec_nistp_64_gcc_128"
diff --git a/docs/changelog-fragments/738.contrib.rst b/docs/changelog-fragments/738.contrib.rst
@@ -0,0 +1 @@
+Updated OpenSSL to latest version 3.5.0 in manylinux -- by :user:`Jakuje`.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Updated OpenSSL to latest version 3.5.0 in manylinux -- by :user:`Jakuje`.