
Bug 1953446

Summary: python-cryptography: Port to OpenSSL 3.0
Product: Red Hat Enterprise Linux 9
Reporter: Christian Heimes <cheimes>
Component: python-cryptography
Assignee: Christian Heimes <cheimes>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaleem <ksiddiqu>
Severity: high
Priority: high
Version: 9.0
CC: fweimer, ksiddiqu, mpolovka, myusuf, pvoborni, sahana, sumenon
Target Milestone: beta
Keywords: Triaged
Target Release: 9.0 Beta
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-cryptography-3.4.7-4.el9
Doc Type: If docs needed, set a value
Last Closed: 2021-12-07 21:52:33 UTC
Type: Bug
Bug Depends On: 1980994
Bug Blocks: 1903209, 1958021

Description Christian Heimes 2021-04-26 06:41:31 UTC
python-cryptography 3.4.7 is not fully compatible with OpenSSL 3.0. Upstream has landed three changes to address compatibility issues and more strict crypto policies. The fixes don't break OpenSSL 1.1.1 support. They can be easily added on top of 3.4.7.

Backport PR to 3.4.7
https://github.com/pyca/cryptography/pull/6000

scratch build with patches and OpenSSL 1.1.1:
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=36412085

Note to QE:
Sanity-only testing. The project is well covered by unit and integration tests. The tests are executed during package build and by gating tests.

Comment 11 Michal Polovka 2021-06-08 15:15:03 UTC
As the required package build is not available for RHEL9, moving this BZ back to MODIFIED state.

Comment 17 Florian Weimer 2021-08-06 19:32:06 UTC
OpenSSL 3.0 removed the ERR_GET_FUNC macro. This leads to compiler warnings:

build/temp.linux-x86_64-3.9/_openssl.c: In function ‘_cffi_d_ERR_GET_FUNC’:
build/temp.linux-x86_64-3.9/_openssl.c:18781:10: warning: implicit declaration of function ‘ERR_GET_FUNC’; did you mean ‘ERR_GET_LIB’? [-Wimplicit-function-declaration]
18781 |   return ERR_GET_FUNC(x0);
      |          ^~~~~~~~~~~~
      |          ERR_GET_LIB

And very much later to a dynamic linker error (at run time):

ImportError while loading conftest '/builddir/build/BUILD/cryptography-3.4.7/tests/conftest.py'.
tests/conftest.py:8: in <module>
    from cryptography.hazmat.backends.openssl import backend as openssl_backend
../../BUILDROOT/python-cryptography-3.4.7-3.el9.x86_64/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/__init__.py:6: in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
../../BUILDROOT/python-cryptography-3.4.7-3.el9.x86_64/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py:114: in <module>
    from cryptography.hazmat.bindings.openssl import binding
../../BUILDROOT/python-cryptography-3.4.7-3.el9.x86_64/usr/lib64/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py:14: in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
E   ImportError: /builddir/build/BUILDROOT/python-cryptography-3.4.7-3.el9.x86_64/usr/lib64/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: undefined symbol: ERR_GET_FUNC

ERR_GET_FUNC probably needs to be removed from src/_cffi_src/openssl/err.py.
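
Added example, not part of the original comment or of the python-cryptography build: a build-log gate that catches the implicit-declaration warning shown above at compile time, before it turns into the undefined-symbol ImportError. The names find_implicit_declarations and gate and the sample log are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the GCC warning quoted in the comment above, interleaved
# with a compiler command line and an unrelated warning.
SAMPLE_LOG = """\
gcc -pthread -fPIC -c build/temp.linux-x86_64-3.9/_openssl.c -o _openssl.o
build/temp.linux-x86_64-3.9/_openssl.c: In function ‘_cffi_d_ERR_GET_FUNC’:
build/temp.linux-x86_64-3.9/_openssl.c:18781:10: warning: implicit declaration of function ‘ERR_GET_FUNC’; did you mean ‘ERR_GET_LIB’? [-Wimplicit-function-declaration]
18781 |   return ERR_GET_FUNC(x0);
build/temp.linux-x86_64-3.9/_openssl.c:402:7: warning: unused variable ‘tmp’ [-Wunused-variable]
"""

class ImplicitDecl(NamedTuple):
    path: str
    line: int
    symbol: str
    suggestion: Optional[str]  # GCC's "did you mean" hint, if it printed one

# Matches the diagnostic whether it is a warning or has been promoted to an
# error, and with either UTF-8 (‘ ’) or C-locale (' ') quoting.
_DIAG = re.compile(
    r"^(?P<path>[^:\s]+):(?P<line>\d+):\d+: (?:warning|error): "
    r"implicit declaration of function [‘'](?P<symbol>\w+)[’']"
    r"(?:; did you mean [‘'](?P<hint>\w+)[’']\?)?"
)

def find_implicit_declarations(log: str) -> List[ImplicitDecl]:
    """Return every call the compiler saw without a prototype in scope."""
    found = []
    for raw in log.splitlines():
        m = _DIAG.match(raw.strip())
        if m:
            found.append(ImplicitDecl(m["path"], int(m["line"]),
                                      m["symbol"], m["hint"]))
    return found

def gate(log: str) -> int:
    """Exit status for a build step: 1 if any implicit declaration was found."""
    hits = find_implicit_declarations(log)
    for h in hits:
        print(f"{h.path}:{h.line}: {h.symbol} is not declared by the headers; "
              "the extension will fail to load if the library does not export it")
    return 1 if hits else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_LOG))
```

The same effect can be had from the compiler itself by building with -Werror=implicit-function-declaration; the log scan is useful where the build flags are not under your control.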

Comment 18 Christian Heimes 2021-08-08 16:21:56 UTC
I have backported two fixes from PyCA cryptography's main branch and created a new build.

   https://github.com/pyca/cryptography/pull/6148
   https://github.com/pyca/cryptography/pull/6150

Comment 23 Mohammad Rizwan 2021-08-20 08:49:58 UTC
python3-cryptography-3.4.7-5.el9.x86_64.rpm is part of nightly compose: http://download.hosts.prod.upshift.rdu2.redhat.com/rhel-9/nightly/RHEL-9/latest-RHEL-9.0/compose/AppStream/x86_64/os/Packages/
Hence marking the bug as verified.