cryptography 3.4.8 tests fails with openssl 3.0

[ncopa]

I am working on upgrade openssl to 3.0 for Alpine Linux and bumped into this issue, which currently blocks the openssl upgrade:

writing top-level names to cryptography_vectors.egg-info/top_level.txt
reading manifest file 'cryptography_vectors.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'cryptography_vectors.egg-info/SOURCES.txt'
ncopa-edge-x86_64:~/aports/community/py3-cryptography (openssl3)$ abuild check
ImportError while loading conftest '/home/ncopa/aports/community/py3-cryptography/src/cryptography-3.4.8/tests/conftest.py'.
tests/conftest.py:8: in <module>
    from cryptography.hazmat.backends.openssl import backend as openssl_backend
build/lib.linux-x86_64-3.10/cryptography/hazmat/backends/openssl/__init__.py:6: in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
build/lib.linux-x86_64-3.10/cryptography/hazmat/backends/openssl/backend.py:113: in <module>
    from cryptography.hazmat.bindings.openssl import binding
build/lib.linux-x86_64-3.10/cryptography/hazmat/bindings/openssl/binding.py:14: in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
E   ImportError: Error relocating /home/ncopa/aports/community/py3-cryptography/src/cryptography-3.4.8/build/lib.linux-x86_64-3.10/cryptography/hazmat/bindings/_openssl.abi3.so: FIPS_mode_set: symbol not found

[alex]

This is expected, 35.0.0 was the first version to support OpenSSL 3.0: https://cryptography.io/en/latest/changelog/#v35-0-0

[ncopa]

Understand. Is there some workaround for 3.4.8 or anything I can backport? Cannot upgrade to versions that require rust yet due to we have not yet been able to port it to all our architectures.

[alex]

There was a series of patches we landed to support OpenSSL 3.0. I'm sure they could be backported, but it won't be easy and I don't have a better suggestion for how to find the patches then to grep the git logs for 3.0 unfortunately.

[tiran]

#6000 contains some fixes for OpenSSL 3.0.0. It's good enough unless you need FIPS support.

[ncopa]

#6000 contains some fixes for OpenSSL 3.0.0. It's good enough unless you need FIPS support.

This was incredible helpful! thank you!

Unfortunately, 17 tests fails:

========================================= 17 failed, 2712 passed, 5775 skipped in 125.82s (0:02:05) =========================================

Seems like we will have to postpone openssl 3 upgrade. (and potentially reduce alpine v3.16 support time to openssl 1.1 support time)

[alex]

Unfortunately it's a bit hard for us to way what the cause of those failures is, as we're no longer maintaining 3.4.x.

[reaperhulk]

@ncopa if you can supply a container image with those failures then I can take a quick look at them. We won't be doing a new version of 3.4.x ourselves of course, but I would like to help Alpine out while they're working on getting Rust packaged up on all platforms for the next release 😄

[reaperhulk]

Going to close this since there's no bug here, but still happy to help if you need it!