Skip to content

Add OpenSSL 3.5 #782

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add OpenSSL 3.5 #782

wants to merge 6 commits into from

Conversation

Edward-Knight
Copy link
Contributor

@Edward-Knight Edward-Knight commented Sep 1, 2025
edited
Loading

Fixes #775

@Edward-Knight
Add OpenSSL 3.5, build with instead of 3.0
c8659d9 
This means all supported Unix platforms (CPython 3.9+),
and Windows from CPython 3.11+.

This initial attempt copies what we did for OpenSSL 3.0.
@Edward-Knight
Copy link
Contributor Author

I'm pleasantly surprised that my naïve attempt worked for so many platforms. Tested one of the macOS builds locally and all seems to be in order:

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 3.5.2 5 Aug 2025'
>>> hex(ssl.OPENSSL_VERSION_NUMBER)
'0x30500020'
>>> ssl.OPENSSL_VERSION_INFO
(3, 5, 0, 2, 0)
>>> import socket
... import ssl
...
... hostname = 'www.python.org'
... context = ssl.create_default_context()
...
... with socket.create_connection((hostname, 443)) as sock:
...     with context.wrap_socket(sock, server_hostname=hostname) as ssock:
...         print(ssock.version())
...
TLSv1.3

Failing jobs are:

  • Linux riscv64
  • Linux s390x
  • Windows x86-64

(also one AArch64 Windows job timed out, but I'm ignoring that for now)

Looking at some logs from the failed jobs:

Linux riscv64

2025-09-01T13:30:18.3743802Z openssl-3.5> /usr/bin/riscv64-linux-gnu-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSLDIR="\"/etc/ssl\"" -DENGINESDIR="\"/tools/deps/lib/engines-3\"" -DMODULESDIR="\"/tools/deps/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DNDEBUG  -c -o crypto/libcrypto-lib-riscv64cpuid.o crypto/riscv64cpuid.s
2025-09-01T13:30:18.3778888Z openssl-3.5> crypto/riscv64cpuid.s:
2025-09-01T13:30:18.3781048Z openssl-3.5> Assembler messages:
2025-09-01T13:30:18.3784299Z openssl-3.5> crypto/riscv64cpuid.s:67: Error: unknown CSR `vlenb'
2025-09-01T13:30:18.3789702Z openssl-3.5> make[1]: *** [Makefile:9196: crypto/libcrypto-lib-riscv64cpuid.o] Error 1
2025-09-01T13:30:18.3791482Z openssl-3.5> make[1]: *** Waiting for unfinished jobs....
2025-09-01T13:30:18.4085534Z openssl-3.5> make[1]: Leaving directory '/build/openssl-3.5.2'
2025-09-01T13:30:18.4117841Z openssl-3.5> make: *** [Makefile:2468: build_sw] Error 2

Linux s390x

2025-09-01T13:32:22.6536571Z openssl-3.5> /usr/bin/s390x-linux-gnu-gcc  -I. -Iinclude -Iproviders/common/include -Iproviders/implementations/include  -DAES_ASM -DAES_CTR_ASM -DAES_XTS_ASM -DGHASH_ASM -DKECCAK1600_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_CPUID_OBJ -DOPENSSL_HMAC_S390X -DPOLY1305_ASM -DRC4_ASM -DS390X_EC_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DB_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/etc/ssl\"" -DENGINESDIR="\"/tools/deps/lib/engines-3\"" -DMODULESDIR="\"/tools/deps/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DNDEBUG  -c -o crypto/sha/libcrypto-lib-keccak1600-s390x.o crypto/sha/keccak1600-s390x.S
2025-09-01T13:32:22.6629454Z openssl-3.5> crypto/sha/keccak1600-s390x.S:
2025-09-01T13:32:22.6635001Z openssl-3.5> Assembler messages:
2025-09-01T13:32:22.6635594Z openssl-3.5> crypto/sha/keccak1600-s390x.S:399: Error: Unrecognized opcode: `cijne'
2025-09-01T13:32:22.6643011Z openssl-3.5> Makefile:10314: recipe for target 'crypto/sha/libcrypto-lib-keccak1600-s390x.o' failed
2025-09-01T13:32:22.6644123Z openssl-3.5> make[1]: *** [crypto/sha/libcrypto-lib-keccak1600-s390x.o] Error 1
2025-09-01T13:32:22.6644683Z openssl-3.5> make[1]: *** Waiting for unfinished jobs....
2025-09-01T13:32:22.6699303Z openssl-3.5> make[1]: Leaving directory '/build/openssl-3.5.2'
2025-09-01T13:32:22.6703057Z openssl-3.5> Makefile:2448: recipe for target 'build_sw' failed
2025-09-01T13:32:22.6704030Z openssl-3.5> make: *** [build_sw] Error 2

Windows x86-64

2025-09-01T13:34:06.3723917Z openssl> 	"cl"  /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /FS -I"crypto" -I"." -I"include" -I"providers\common\include" -I"providers\implementations\include" -D"L_ENDIAN" -D"OPENSSL_PIC" -D"OPENSSLDIR=\"C:\\Program Files\\Common Files\\SSL\"" -D"ENGINESDIR=\"\\64\\lib\\engines-3\"" -D"MODULESDIR=\"\\64\\lib\\ossl-modules\"" -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"   -DAES_ASM -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_USE_APPLINK -DPOLY1305_ASM -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DX25519_ASM -c /Focrypto\libcrypto-shlib-cversion.obj "crypto\cversion.c"
2025-09-01T13:34:06.3730278Z openssl> 	"cl"  /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /FS -I"crypto" -I"." -I"include" -I"providers\common\include" -I"providers\implementations\include" -D"L_ENDIAN" -D"OPENSSL_PIC" -D"OPENSSLDIR=\"C:\\Program Files\\Common Files\\SSL\"" -D"ENGINESDIR=\"\\64\\lib\\engines-3\"" -D"MODULESDIR=\"\\64\\lib\\ossl-modules\"" -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"   -DAES_ASM -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_USE_APPLINK -DPOLY1305_ASM -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DX25519_ASM -c /Focrypto\libcrypto-shlib-info.obj "crypto\info.c"
2025-09-01T13:34:06.3744915Z openssl> Microsoft (R) C/C++ Optimizing Compiler Version 19.44.35214 for x64
2025-09-01T13:34:06.3745673Z openssl> Copyright (C) Microsoft Corporation.  All rights reserved.
2025-09-01T13:34:06.3750975Z openssl> 
2025-09-01T13:34:06.3797748Z openssl> Microsoft (R) C/C++ Optimizing Compiler Version 19.44.35214 for x64
2025-09-01T13:34:06.3798962Z openssl> Copyright (C) Microsoft Corporation.  All rights reserved.
2025-09-01T13:34:06.3799686Z openssl> 
2025-09-01T13:34:06.3800156Z openssl> cversion.c
2025-09-01T13:34:06.3800648Z openssl> info.c
2025-09-01T13:34:06.3825546Z openssl> crypto\ec\ecp_nistz256-x86_64.asm:5: error: Win32 cannot align sections to better than 64-byte boundaries
2025-09-01T13:34:06.3826818Z openssl> crypto\ec\ecp_nistz256-x86_64.asm:2384: error: Win32 cannot align sections to better than 64-byte boundaries
2025-09-01T13:34:06.3827628Z openssl> jom: C:\Users\ADMINI~1\AppData\Local\Temp\openssl-build-kqts73c6\x64\openssl-3.5.2\Makefile [crypto\ec\libcrypto-shlib-ecp_nistz256-x86_64.obj] Error 1
2025-09-01T13:34:06.4082224Z openssl> crypto\ec\ecp_nistz256-x86_64.asm:5: error: Win32 cannot align sections to better than 64-byte boundaries
2025-09-01T13:34:06.4083430Z openssl> crypto\ec\ecp_nistz256-x86_64.asm:2384: error: Win32 cannot align sections to better than 64-byte boundaries
2025-09-01T13:34:06.4085687Z openssl> jom: C:\Users\ADMINI~1\AppData\Local\Temp\openssl-build-kqts73c6\x64\openssl-3.5.2\Makefile [crypto\ec\libcrypto-lib-ecp_nistz256-x86_64.obj] Error 1
2025-09-01T13:34:06.5520018Z openssl> 	cmd /C ""cl" /Zs /showIncludes  /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /FS -I"crypto" -I"." -I"include" -I"providers\common\include" -I"providers\implementations\include" -D"L_ENDIAN" -D"OPENSSL_PIC" -D"OPENSSLDIR=\"C:\\Program Files\\Common Files\\SSL\"" -D"ENGINESDIR=\"\\64\\lib\\engines-3\"" -D"MODULESDIR=\"\\64\\lib\\ossl-modules\"" -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"   -DAES_ASM -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_USE_APPLINK -DPOLY1305_ASM -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DX25519_ASM "crypto\cversion.c" > crypto\libcrypto-shlib-cversion.d 2>&1"
2025-09-01T13:34:06.5772802Z openssl> 	cmd /C ""cl" /Zs /showIncludes  /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /FS -I"crypto" -I"." -I"include" -I"providers\common\include" -I"providers\implementations\include" -D"L_ENDIAN" -D"OPENSSL_PIC" -D"OPENSSLDIR=\"C:\\Program Files\\Common Files\\SSL\"" -D"ENGINESDIR=\"\\64\\lib\\engines-3\"" -D"MODULESDIR=\"\\64\\lib\\ossl-modules\"" -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"   -DAES_ASM -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_USE_APPLINK -DPOLY1305_ASM -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DX25519_ASM "crypto\info.c" > crypto\libcrypto-shlib-info.d 2>&1"
2025-09-01T13:34:06.5911347Z openssl> jom: C:\Users\ADMINI~1\AppData\Local\Temp\openssl-build-kqts73c6\x64\openssl-3.5.2\Makefile [build_sw] Error 2
2025-09-01T13:34:06.7830957Z openssl> process exited 2
2025-09-01T13:34:08.8485985Z ##[error]Process completed with exit code 2.

@Edward-Knight
Copy link
Contributor Author

Linux riscv64

Some options:

  • Stay on an older OpenSSL version on Linux riscv64
  • Patch crypto/riscv64cpuid.pl as suggested in the above issue
  • Compile OpenSSL on riscv64 without vector assembly stuff
  • Fix with toolchain updates?

Example patch:

@@ -94,8 +94,8 @@
 .globl riscv_vlen_asm
 .type riscv_vlen_asm,\@function
 riscv_vlen_asm:
-    csrr $ret, vlenb
-    slli $ret, $ret, 3
+    csrr a0, 0xc22
+    slli a0, a0, 3
     ret
 .size riscv_vlen_asm,.-riscv_vlen_asm

@Edward-Knight
Copy link
Contributor Author

Linux s390x

Since you did not specify any arch-level, it defaults to the oldest that is still supported by GCC. This is Z900 which is out of service since end of year 2014. We could reimplement that particular code with a two instruction sequence. But I really doubt it is worth it. Might be time to set a minimum required arch-level for s390x on openssl...

Not openssl s390x specific, but more general: That cross compiler produces really bad code since a lot of useful instructions are missing. I recommend to set the arch-level to at least z10 (default for clang) or even z196 (default for the kernel). Both are already out of service, but still compile fine with openssl. Nevertheless, vector instructions came with z13. So you might want to use that level...

Options:

  • Looks like bumping our "arch-level" for s390x would help
  • Otherwise as always we can stick on an older OpenSSL version and kick the can down the road

@Edward-Knight
Copy link
Contributor Author

Edward-Knight commented Sep 1, 2025
edited
Loading

Windows x86-64

Options:

  • Update nasm
  • Kick can down road

Looks like we source a nasm binary from python/cpython-bin-deps and we're using the latest (only) version available: https://github.com/python/cpython-bin-deps/tree/nasm-2.11.06

@Edward-Knight
Bump minimum supported s390x arch-level to z10
0aacfc0 
This has been done to support OpenSSL 3.5 that uses the `cijne` opcode.

This is still a very conservative arch-level.
Gentoo also made this change when updating to OpenSSL 3.5, and to quote
the news item from Andreas K. Hüttel:
> The z10 Enterprise Class (2097 series) was introduced in February 2008,
> which essentially means everyone except hardware archaeologists should be fine.
@Edward-Knight
Bump NASM version to 2.16.03
cc6f971 
This is to support building OpenSSL 3.5.
Version 2.16.03 is the latest stable version at the time of writing.
@Edward-Knight
Copy link
Contributor Author

Edward-Knight commented Sep 2, 2025
edited
Loading

Looks like I messed up my patching copypasta:

2025-09-02T10:00:06.2142191Z openssl-3.5> + pushd openssl-3.5.2
2025-09-02T10:00:06.2147597Z openssl-3.5> ~/openssl-3.5.2 ~
2025-09-02T10:00:06.2151192Z openssl-3.5> + [[ riscv64-unknown-linux-gnu = \r\i\s\c\v\6\4\-\u\n\k\n\o\w\n\-\l\i\n\u\x\-\g\n\u ]]
2025-09-02T10:00:06.2162305Z openssl-3.5> + patch -p1 -i /build/patch-openssl-3.5-riscv-vlenb-register.patch
2025-09-02T10:00:06.2181238Z openssl-3.5> patch: **** Can't open patch file /build/patch-openssl-3.5-riscv-vlenb-register.patch : No such file or directory

Ah, when building cpython we explicitly copy patches in:

for f in sorted(os.listdir(SUPPORT)):
    if f.endswith(".patch"):
        build_env.copy_file(SUPPORT / f)

@Edward-Knight
Copy link
Contributor Author

Edward-Knight commented Sep 2, 2025
edited
Loading

s390x builds are failing still, but with building bdb of all things:

2025-09-02T09:59:29.5207430Z bdb> checking how to run the C++ preprocessor...
2025-09-02T09:59:29.5589761Z bdb> /lib/cpp
2025-09-02T09:59:29.5701812Z bdb> configure: error: in `/build/db-6.0.19/build_unix':
2025-09-02T09:59:29.5709563Z bdb> configure: error: C++ preprocessor "/lib/cpp" fails sanity check
2025-09-02T09:59:29.5710294Z bdb> See `config.log' for more details

I don't know if it's an issue with GitHub, but I can't download the log archive, so I'm going to try cat-ing the config.log

@Edward-Knight
Patch OpenSSL 3.5 to hardcode the vlenb CSR address on RISC-V
9bd86fa 
Our GCC version doesn't know it, so replace the `vlenb` variable with
`0xc22`. See openssl/openssl#23011.
@Edward-Knight
Copy link
Contributor Author

Edward-Knight commented Sep 2, 2025
edited
Loading

s390x bdb configure issue with -march=z10

configure:14478: /lib/cpp -march=z10 -fPIC -D_GNU_SOURCE -D_REENTRANT conftest.cpp
conftest.cpp:1:0: error: bad value (z10) for -march= switch

It looks like we attempt to run /lib/cpp with -march=z10 which fails due to not knowing the z10 value for -march=.

Looking at the variables in the log, we have these CC-like values:

ac_cv_env_CCC_set=
ac_cv_env_CCC_value=
ac_cv_env_CC_set=set
ac_cv_env_CC_value=/usr/bin/s390x-linux-gnu-gcc
ac_cv_env_CFLAGS_set=set
ac_cv_env_CFLAGS_value='-march=z10 -fPIC'
ac_cv_env_CPPFLAGS_set=set
ac_cv_env_CPPFLAGS_value='-march=z10 -fPIC'
ac_cv_env_CPP_set=
ac_cv_env_CPP_value=
ac_cv_env_CXXCPP_set=
ac_cv_env_CXXCPP_value=
ac_cv_env_CXXFLAGS_set=
ac_cv_env_CXXFLAGS_value=
ac_cv_env_CXX_set=set
ac_cv_env_CXX_value=/usr/bin/s390x-linux-gnu-g++

resulting in:

CC='/usr/bin/s390x-linux-gnu-gcc'
CCC='/usr/bin/s390x-linux-gnu-g++'
CFLAGS='-march=z10 -fPIC '
CPP='/usr/bin/s390x-linux-gnu-gcc -E'
CPPFLAGS='-march=z10 -fPIC -D_GNU_SOURCE -D_REENTRANT'
CXX='/usr/bin/s390x-linux-gnu-g++'
CXXCPP='/lib/cpp'
CXXFLAGS='-march=z10 -fPIC '

Looking in the autoconf manual I read:

Macro: AC_PROG_CXXCPP
Set output variable CXXCPP to a command that runs the C++ preprocessor. If ‘$CXX -E’ doesn't work, /lib/cpp is used. It is portable to run CXXCPP only on files with a .c, .C, .cc, or .cpp extension.

This seems to explain what's happening - we attempt to run the C++ pre-processor (of which /lib/cpp is used), which doesn't understand the -march=z10 flag.

config.log

@Edward-Knight
Copy link
Contributor Author

It seems to try and run the CXX and fails:

configure:14478: /usr/bin/s390x-linux-gnu-g++ -E -march=z10 -fPIC -D_GNU_SOURCE -D_REENTRANT conftest.cpp
../dist/configure: line 1797: /usr/bin/s390x-linux-gnu-g++: No such file or directory

@Edward-Knight
Copy link
Contributor Author

Edward-Knight commented Sep 2, 2025
edited
Loading

There is a /usr/bin/s390x-linux-gnu-cpp in the image, but no /usr/bin/s390x-linux-gnu-g++ - it feels like the C++ compiler shouldn't be missing. The Dockerfile installs the gcc-s390x-linux-gnu package, but not the g++-s390x-linux-gnu package

Current options I'm thinking of:

  • Make sure G++ is included in the cross Dockerfile
  • Set the environment variable for the C pre-processor

@geofft
Copy link
Collaborator

geofft commented Sep 2, 2025

Nice, thank you for the PR and the detailed investigations!

The workarounds you have so far seem generally fine. Let me try to find some context on why we currently get nasm from cpython-bin-deps. Also FYI I'm hoping to figure out how to use a newer OS baseline for compiling (without affecting our target OS for runtime) which may help with the problem of older toolchains in general, so patches to work around older toolchains seem perfectly fine in the meantime. We may also have the option of using our recent Clang version instead of the OS GCC version.

@namrata-ibm and @jonathan-albrecht-ibm, since you've both raised issues about s390x support in the past - do you have any thoughts on whether it's okay to increase the arch baseline to -march=z10 or whether that will be a problem for any users? Or something even newer as suggested above (#782 (comment))?

@Edward-Knight
Copy link
Contributor Author

It seems like we've been here before! The issue I'm having seems to be the same as #512 (comment)

I get

libffi> configure: error: C++ preprocessor "/lib/cpp" fails sanity check

Does that sound right to you?

The fix for #512 was always setting the CXX environment variable (d0ed97f). However, since we don't actually install the C++ compiler in the cross image, autoconf is still unhappy in the same way.

I don't know which of these is true (and why it's otherwise been working...):

  • bdb configure script unnecessarily checks for a C++ compiler
  • bdb has some C++ parts that we don't end up actually compiling, but we check for at configure-time
  • bdb has some C++ parts that we've been incorreclty compiling with the host C++ compiler, but for whatever reason these are never used

I'm going to attempt to fix this by installing the C++ compilers into the Docker images. This should prevent autoconf from falling back to /lib/cpp (as $CXX -E should work), and in the case where we're actually using the C++ compiler we're doing the right thing

@Edward-Knight
Add C++ to cross-compiling Docker images
6284af1 
This is a follow-on from astral-sh#512 / d0ed97f where we started always setting
the CXX environment variable to ensure we don't accidentally try and use
the host (non-cross-compiling) C++ compiler.

In attempting to upgrade to a more modern s509x minimum arch-level
(z10), we found that the configure script for bdb fails. It tries to
check the C++ compiler is working (respecting the CXX environment
variable that is set), but fails to run the pre-processor with
`$CXX -E` (as the C++ compiler isn't actually installed). It then falls
back to `/lib/cpp`, which up until now has been working fine. Now that
we're specifying `-march=z10` this fails as `/lib/cpp` doesn't know
about `z10`.

I don't know if we actually need to use the C++ compiler, but I'm adding
it in to at least satisfy the configure script, and do the correct thing
should we need it (rather than the incorrect thing of falling back to
the host compiler).
@Edward-Knight
Copy link
Contributor Author

I either don't have permission to or just don't know how to retry the failing jobs in the latest pipeline but I believe they will pass if given another go 👍

The changes are otherwise ready for review @geofft. Some notes:

  • I've left in all the build configuration for OpenSSL 3.0, but this now isn't used anywhere. Would you like to see this removed entirely in favour of 3.5?
  • I'm unsure if the patch I've made to OpenSSL for RISC-V is entirely sound (e.g. if this code path is run on an older CPU without that CSR, what happens?). We can probably work-around this another way, but I'm unsure of the trade-offs.
  • Would you like to see the NASM binaries contributed to python/cpython-bin-deps? Presumably they'll need it at some point

@Edward-Knight Edward-Knight marked this pull request as ready for review September 2, 2025 17:09
@Edward-Knight Edward-Knight mentioned this pull request Sep 2, 2025
Open
@geofft
Copy link
Collaborator

geofft commented Sep 2, 2025

Triggered a re-run.

I've left in all the build configuration for OpenSSL 3.0, but this now isn't used anywhere. Would you like to see this removed entirely in favour of 3.5?

If it's unused, yes (and it will make your diff slightly nicer :) )

I'm unsure if the patch I've made to OpenSSL for RISC-V is entirely sound (e.g. if this code path is run on an older CPU without that CSR, what happens?). We can probably work-around this another way, but I'm unsure of the trade-offs.

We might be able to test this in qemu or something? In theory, this sort of question should be particularly easy to answer for RISC-V specifically without finding the right hardware....

@Edward-Knight
Remove OpenSSL 3.0
1db0b75 
Now we're building with OpenSSL 3.5 instead of 3.0, we no longer need
the build configuration around.
@Edward-Knight
Copy link
Contributor Author

I've removed OpenSSL 3.0 (and CI is failing due to issues grabbing cygwin again). It looks like OpenSSL is going to accept this PR which is very similar to the patch we're applying, so I think we're good on that front: openssl/openssl#28422

@geofft are there any other changes you'd like?

@jonathan-albrecht-ibm
Copy link
Contributor

@namrata-ibm and @jonathan-albrecht-ibm, since you've both raised issues about s390x support in the past - do you have any thoughts on whether it's okay to increase the arch baseline to -march=z10 or whether that will be a problem for any users? Or something even newer as suggested above (#782 (comment))?

@geofft Sorry for the delay. We discussed this with some colleagues and even though -march=z13 is unlikely to cause problems at this point in the hardware life cycle, we would recommend -march=z10 which should not cause problems for anyone.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Build with OpenSSL 3.5
3 participants
@Edward-Knight @geofft @jonathan-albrecht-ibm