229640 – Can't import ssl in lang/python37 on FreeBSD 10.4

Bug 229640 - Can't import ssl in lang/python37 on FreeBSD 10.4

Summary: Can't import ssl in lang/python37 on FreeBSD 10.4

Status:	Closed Not A Bug

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	Martin Wilke

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-07-09 12:20 UTC by Grzegorz Blach
Modified:	2018-07-09 15:12 UTC (History)
CC List:	4 users (show)

See Also:	229633

Attachments
python37-fix-ssl-with-10.4.patch (741 bytes, patch) 2018-07-09 14:37 UTC, Kai Knoblich	kai: maintainer-approval? (python)	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Grzegorz Blach freebsd_committer

2018-07-09 12:20:37 UTC

I can't import ssl in Python 3.7 on FreeBSD 10.4.

# python3.7
Python 3.7.0 (default, Jul  9 2018, 14:13:47) 
[Clang 3.4.1 (tags/RELEASE_34/dot1-final 208032)] on freebsd10
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/ssl.py", line 98, in <module>
    import _ssl             # if we can't import it, let the error propagate
ModuleNotFoundError: No module named '_ssl'


Python 3.6 on FreeBSD 10.4 and Python 3.7 on FreeBSD 11.2 works correctly.

Comment 1 Kai Knoblich freebsd_committer

2018-07-09 12:46:56 UTC

SSL works with Python 3.7 in 10.4 if one compiles Python 3.7 with openssl from the ports tree.

The base OpenSSL in 10.4 lacks the X509_VERIFY_PARAM_set1_host feature which can be verified in the Python 3.7 build log:

> [...]
> checking whether compiling and linking against OpenSSL works... yes
> checking for X509_VERIFY_PARAM_set1_host in libssl... no
> checking for --with-ssl-default-suites... openssl
> [...]

Please note: The NO_SSL check in the Makefile and the macro %%NO_SSL%% in the pkg-plist must be removed to make it work.

Comment 2 Pascal Christen 2018-07-09 13:08:47 UTC

(In reply to Kai from comment #1)
I just extended the NO_SSL if condition in the Makefile with checking what openssl version it uses and now it works. Thank you

Comment 3 Kai Knoblich freebsd_committer

2018-07-09 14:37:47 UTC

Created attachment 194994 [details]
python37-fix-ssl-with-10.4.patch

Ok, that bug has been closed as 'not a bug', which makes sense by the technical background.

Maybe it makes sense to implement Pascal's suggestion (extend the SSL check) together with a warning to avoid confusion and future PRs until autumn 2018 when 10.4 will be EOL?

Attached is a patch for it. This has been tested with:

- 10.4-RELEASE amd64 with openssl from ports, libressl -> OK (no warning)
- 10.4-RELEASE amd64 with base openssl -> OK (with warning)
- 11.2-RELEASE amd64 with base openssl -> OK (no warning)

Comment 4 commit-hook freebsd_committer

2018-07-09 15:12:16 UTC

A commit references this bug:

Author: miwi
Date: Mon Jul  9 15:11:42 UTC 2018
New revision: 474267
URL: https://svnweb.freebsd.org/changeset/ports/474267

Log:
  - Added a warning for FBSD10

  PR:		229640
  Sponsored by:	iXsystems Inc.

Changes:
  head/lang/python37/Makefile