0

I'm running CentOS 7 and the following version of Python ...

[rails@server Python-3.7.0]$ python3 --version
Python 3.7.0

I recently upgraded my version of openssl ...

[rails@server Python-3.7.0]$ openssl version -a
OpenSSL 1.1.1g  21 Apr 2020
built on: Thu May  7 19:18:59 2020 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG
OPENSSLDIR: "/usr/local/openssl"
ENGINESDIR: "/usr/local/openssl/lib/engines-1.1"
Seeding source: os-specific

However, my Python installation is still picking up the old version ...

[rails@server html]$ python manage.py check_duplicates
DEPRECATION: The OpenSSL being used by this python install (OpenSSL 1.0.2k-fips  26 Jan 2017) does not meet the minimum supported version (>= OpenSSL 1.1.1) in order to support TLS 1.3 required by Cloudflare, You may encounter an unexpected reCaptcha or cloudflare 1020 blocks.

Is there anything I can do to get Python to recognize the new version, or am I reduced to having to rebuild Python from tarballs?

Dave
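Added example, not part of the original question or answers: Python's `ssl` module reports the OpenSSL library the interpreter has loaded, which is independent of whichever `openssl` binary is first on `PATH`. The script below classifies the two banners quoted in the question against the 1.1.1 minimum from the warning and reports what the running interpreter uses; the function names are hypothetical and an OpenSSL (not LibreSSL) build is assumed.

```python
import re
import ssl

# Minimum version named in the deprecation warning quoted in the question.
MIN_TLS13 = (1, 1, 1)

def parse_openssl_version(banner):
    """Return (major, minor, fix) from a banner such as
    'OpenSSL 1.0.2k-fips  26 Jan 2017'; the patch letter is ignored."""
    m = re.match(r"\s*OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    return tuple(int(x) for x in m.groups())

def meets_minimum(banner, minimum=MIN_TLS13):
    return parse_openssl_version(banner) >= minimum

def compare(cli_banner, linked_banner):
    """Classify the `openssl` CLI banner against the banner Python reports."""
    if meets_minimum(linked_banner):
        return "ok"
    if meets_minimum(cli_banner):
        # New CLI installed, but the interpreter still loads the old library.
        return "python-linked-to-old-openssl"
    return "both-too-old"

def report():
    """Describe the OpenSSL that this interpreter's ssl module actually uses."""
    import _ssl  # C extension behind the ssl module
    return {
        "linked_banner": ssl.OPENSSL_VERSION,
        "linked_version": ssl.OPENSSL_VERSION_INFO[:3],
        "has_tls13": ssl.HAS_TLSv1_3,
        "extension_file": getattr(_ssl, "__file__", "built into the interpreter"),
        "meets_minimum": ssl.OPENSSL_VERSION_INFO[:3] >= MIN_TLS13,
    }

if __name__ == "__main__":
    # Banners copied from the output shown in the question.
    cli = "OpenSSL 1.1.1g  21 Apr 2020"
    linked = "OpenSSL 1.0.2k-fips  26 Jan 2017"
    print("question's setup:", compare(cli, linked))
    for key, value in report().items():
        print("%s: %s" % (key, value))
```

Run it with the same interpreter that runs `manage.py`; `extension_file` is the shared object to inspect with `ldd` when the reported version is not the one expected.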

1 Answer

-1

Consider not rebuilding your software stack, but instead upgrading your OS distro to get upgrades to that and other software. This reduces the extra ongoing work of maintaining your own security updates to a one-time upgrade project.

For example, back in 2019, a blog post explained that RHEL 8 has tested TLS 1.3. Since then CentOS was killed and replaced with Stream, so your choice got a bit more complicated. But whether you end up on RHEL or a rebuild or something else, the idea is the same. Upgrade your distro and you can make use of the feature while getting security updates.

Or, for some appreciation for the work of maintaining your own builds, review the releases, both upstream and from the distro, of the software. In this case, openssl and (presumably) pyOpenSSL. Expect to make an evaluation about whether you need to take various security updates or fixes. From this, maintain your rpm package, applying the newer TLS bindings to your older python.

John Mahowald
  • The OP is trying to avoid upgrading Python, and you are suggesting he upgrade his entire OS? This is not useful. – Robert Rapplean Jul 25 '23 at 22:07
  • If anyone wishes to make an answer explaining how to maintain a custom build of OpenSSL and Python and whatever other applications, and keep them patched with security updates, and to coexist with the rpm packaged versions, feel free. – John Mahowald Jul 30 '23 at 13:52
  • Then you might want to describe that level of effort first, then suggest upgrading might be a good idea. Except that all updates and releases for CentOS 8 ceased in 2021, and they're ending CentOS 7 in 2024. – Robert Rapplean Jul 31 '23 at 05:52