3.14.0-5: Support building against OpenSSL 4

plugins/python-build/bin/python-build

@@ -1667,7 +1667,6 @@ use_macports_ncurses() {
 }
 
 prefer_openssl11() {
-  # Allow overriding the preference of OpenSSL version per definition basis (#1302, #1325, #1326)
   PYTHON_BUILD_HOMEBREW_OPENSSL_FORMULA="${PYTHON_BUILD_HOMEBREW_OPENSSL_FORMULA:-openssl@1.1 openssl}"
   export PYTHON_BUILD_HOMEBREW_OPENSSL_FORMULA
 
@@ -1677,15 +1676,21 @@ prefer_openssl11() {
 }
 
 prefer_openssl3() {
-  # Allow overriding the preference of OpenSSL version per definition basis (#1302, #1325, #1326)
   PYTHON_BUILD_HOMEBREW_OPENSSL_FORMULA="${PYTHON_BUILD_HOMEBREW_OPENSSL_FORMULA:-openssl@3 openssl@1.1 openssl}"
   export PYTHON_BUILD_HOMEBREW_OPENSSL_FORMULA
   
-  # Set MacPorts OpenSSL formula names for MacPorts environment
   PYTHON_BUILD_MACPORTS_OPENSSL_FORMULA="${PYTHON_BUILD_MACPORTS_OPENSSL_FORMULA:-openssl3 openssl openssl11}"
   export PYTHON_BUILD_MACPORTS_OPENSSL_FORMULA
 }
 
+prefer_openssl3_to_4() {
+  PYTHON_BUILD_HOMEBREW_OPENSSL_FORMULA="${PYTHON_BUILD_HOMEBREW_OPENSSL_FORMULA:-openssl@3 openssl@4 openssl@1.1 openssl}"
+  export PYTHON_BUILD_HOMEBREW_OPENSSL_FORMULA
+  
+  PYTHON_BUILD_MACPORTS_OPENSSL_FORMULA="${PYTHON_BUILD_MACPORTS_OPENSSL_FORMULA:-openssl3 openssl4 openssl openssl11}"
+  export PYTHON_BUILD_MACPORTS_OPENSSL_FORMULA
+}
+
 build_package_mac_readline() {
   # Install to a subdirectory since we don't want shims for bin/readline.
   READLINE_PREFIX_PATH="${PREFIX_PATH}/readline"

plugins/python-build/share/python-build/3.14.0

@@ -1,4 +1,4 @@
-prefer_openssl3
+prefer_openssl3_to_4
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL=1
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL_RPATH=1
 export PYTHON_BUILD_TCLTK_USE_PKGCONFIG=1

plugins/python-build/share/python-build/3.14.1

@@ -1,4 +1,4 @@
-prefer_openssl3
+prefer_openssl3_to_4
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL=1
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL_RPATH=1
 export PYTHON_BUILD_TCLTK_USE_PKGCONFIG=1

plugins/python-build/share/python-build/3.14.2

@@ -1,4 +1,4 @@
-prefer_openssl3
+prefer_openssl3_to_4
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL=1
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL_RPATH=1
 export PYTHON_BUILD_TCLTK_USE_PKGCONFIG=1

plugins/python-build/share/python-build/3.14.3

@@ -1,4 +1,4 @@
-prefer_openssl3
+prefer_openssl3_to_4
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL=1
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL_RPATH=1
 export PYTHON_BUILD_TCLTK_USE_PKGCONFIG=1

plugins/python-build/share/python-build/3.14.4

@@ -1,4 +1,4 @@
-prefer_openssl3
+prefer_openssl3_to_4
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL=1
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL_RPATH=1
 export PYTHON_BUILD_TCLTK_USE_PKGCONFIG=1

plugins/python-build/share/python-build/3.14.5

@@ -1,4 +1,4 @@
-prefer_openssl3
+prefer_openssl3_to_4
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL=1
 export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL_RPATH=1
 export PYTHON_BUILD_TCLTK_USE_PKGCONFIG=1

plugins/python-build/share/python-build/patches/3.14.0/Python-3.14.0/0001-3.14-gh-141801-Use-accessors-for-ASN1_STRING-fields-.patch

@@ -0,0 +1,86 @@
+From b1925a29fb0e8d4a71479a3583afcd95aa2b9235 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sat, 22 Nov 2025 19:53:06 +0100
+Subject: [PATCH 1/2] [3.14] gh-141801: Use accessors for ASN1_STRING fields in
+ libssl (GH-141802) (#141847)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+gh-141801: Use accessors for ASN1_STRING fields in libssl (GH-141802)
+
+* gh-141801: Use accessors for ASN1_STRING fields
+
+While ASN1_STRING is currently exposed, it is better to use the
+accessors. See https://github.com/openssl/openssl/issues/29117 where, if
+the type were opaque, OpenSSL's X509 objects could be much more
+memory-efficient.
+
+* Update Modules/_ssl.c
+
+
+
+* Update Modules/_ssl.c
+
+
+
+---------
+(cherry picked from commit c41fce08a5d7aae8fd9e3fa25e0ba521600e097c)
+
+Co-authored-by: David Benjamin <davidben@davidben.net>
+Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
+---
+ Modules/_ssl.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index 21c399123aa..aa7d5d14dfa 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -1406,14 +1406,14 @@ _get_peer_alt_names (_sslmodulestate *state, X509 *certificate) {
+                 }
+                 PyTuple_SET_ITEM(t, 0, v);
+ 
+-                if (name->d.ip->length == 4) {
+-                    unsigned char *p = name->d.ip->data;
++                if (ASN1_STRING_length(name->d.ip) == 4) {
++                    const unsigned char *p = ASN1_STRING_get0_data(name->d.ip);
+                     v = PyUnicode_FromFormat(
+                         "%d.%d.%d.%d",
+                         p[0], p[1], p[2], p[3]
+                     );
+-                } else if (name->d.ip->length == 16) {
+-                    unsigned char *p = name->d.ip->data;
++                } else if (ASN1_STRING_length(name->d.ip) == 16) {
++                    const unsigned char *p = ASN1_STRING_get0_data(name->d.ip);
+                     v = PyUnicode_FromFormat(
+                         "%X:%X:%X:%X:%X:%X:%X:%X",
+                         p[0] << 8 | p[1],
+@@ -1544,8 +1544,9 @@ _get_aia_uri(X509 *certificate, int nid) {
+             continue;
+         }
+         uri = ad->location->d.uniformResourceIdentifier;
+-        ostr = PyUnicode_FromStringAndSize((char *)uri->data,
+-                                           uri->length);
++        ostr = PyUnicode_FromStringAndSize(
++                   (const char *)ASN1_STRING_get0_data(uri),
++                   ASN1_STRING_length(uri));
+         if (ostr == NULL) {
+             goto fail;
+         }
+@@ -1611,8 +1612,9 @@ _get_crl_dp(X509 *certificate) {
+                 continue;
+             }
+             uri = gn->d.uniformResourceIdentifier;
+-            ouri = PyUnicode_FromStringAndSize((char *)uri->data,
+-                                               uri->length);
++            ouri = PyUnicode_FromStringAndSize(
++                       (const char *)ASN1_STRING_get0_data(uri),
++                       ASN1_STRING_length(uri));
+             if (ouri == NULL)
+                 goto done;
+ 
+-- 
+2.46.2.windows.1
+

plugins/python-build/share/python-build/patches/3.14.0t

@@ -0,0 +1 @@
+3.14.0

plugins/python-build/share/python-build/patches/3.14.1t

@@ -0,0 +1 @@
+3.14.1

plugins/python-build/share/python-build/patches/3.14.2t

@@ -0,0 +1 @@
+3.14.2

plugins/python-build/share/python-build/patches/3.14.3t

@@ -0,0 +1 @@
+3.14.3

plugins/python-build/share/python-build/patches/3.14.4t

@@ -0,0 +1 @@
+3.14.4

plugins/python-build/share/python-build/patches/3.14.5t

@@ -0,0 +1 @@
+3.14.5