gh-143960: Add support for OpenSSL 3.6, drop EOL 3.2

.github/workflows/build.yml

@@ -261,7 +261,7 @@ jobs:
         # Keep 1.1.1w in our list despite it being upstream EOL and otherwise
         # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs
         # supported by important vendors such as AWS-LC.
-        openssl_ver: [1.1.1w, 3.0.18, 3.2.6, 3.3.5, 3.4.3, 3.5.4]
+        openssl_ver: [1.1.1w, 3.0.18, 3.3.5, 3.4.3, 3.5.4, 3.6.0]
         # See Tools/ssl/make_ssl_data.py for notes on adding a new version
     env:
       OPENSSL_VER: ${{ matrix.openssl_ver }}

Misc/NEWS.d/next/Build/2026-01-17-15-31-19.gh-issue-143960.Zi0EqR.rst

@@ -0,0 +1 @@
+Add support for OpenSSL 3.5, drop EOL 3.2. Patch by Hugo van Kemenade.

Modules/_ssl.c

@@ -150,7 +150,7 @@ static void _PySSLFixErrno(void) {
 /* Include generated data (error codes) */
 /* See Tools/ssl/make_ssl_data.py for notes on adding a new version. */
 #if (OPENSSL_VERSION_NUMBER >= 0x30401000L)
-#include "_ssl_data_35.h"
+#include "_ssl_data_36.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x30100000L)
 #include "_ssl_data_340.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)

Modules/_ssl_data_35.h → Modules/_ssl_data_36.h

@@ -1,6 +1,6 @@
 /* File generated by Tools/ssl/make_ssl_data.py */
-/* Generated on 2025-10-04T17:49:19.148321+00:00 */
-/* Generated from Git commit openssl-3.5.4-0-gc1eeb9406 */
+/* Generated on 2026-01-17T13:03:49.335767+00:00 */
+/* Generated from Git commit openssl-3.6.0-0-g7b371d80d9 */
 
 /* generated from args.lib2errnum */
 static struct py_ssl_library_code library_codes[] = {
@@ -1863,6 +1863,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"NOT_KEK", 46, 123},
   #endif
+  #ifdef CMS_R_NOT_KEM
+    {"NOT_KEM", ERR_LIB_CMS, CMS_R_NOT_KEM},
+  #else
+    {"NOT_KEM", 46, 197},
+  #endif
   #ifdef CMS_R_NOT_KEY_AGREEMENT
     {"NOT_KEY_AGREEMENT", ERR_LIB_CMS, CMS_R_NOT_KEY_AGREEMENT},
   #else
@@ -2058,6 +2063,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"UNKNOWN_ID", 46, 150},
   #endif
+  #ifdef CMS_R_UNKNOWN_KDF_ALGORITHM
+    {"UNKNOWN_KDF_ALGORITHM", ERR_LIB_CMS, CMS_R_UNKNOWN_KDF_ALGORITHM},
+  #else
+    {"UNKNOWN_KDF_ALGORITHM", 46, 198},
+  #endif
   #ifdef CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM
     {"UNSUPPORTED_COMPRESSION_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM},
   #else
@@ -2078,6 +2088,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"UNSUPPORTED_ENCRYPTION_TYPE", 46, 192},
   #endif
+  #ifdef CMS_R_UNSUPPORTED_KDF_ALGORITHM
+    {"UNSUPPORTED_KDF_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_KDF_ALGORITHM},
+  #else
+    {"UNSUPPORTED_KDF_ALGORITHM", 46, 199},
+  #endif
   #ifdef CMS_R_UNSUPPORTED_KEK_ALGORITHM
     {"UNSUPPORTED_KEK_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_KEK_ALGORITHM},
   #else
@@ -5763,6 +5778,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"PSS_SALTLEN_TOO_SMALL", 57, 172},
   #endif
+  #ifdef PROV_R_REPEATED_PARAMETER
+    {"REPEATED_PARAMETER", ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER},
+  #else
+    {"REPEATED_PARAMETER", 57, 252},
+  #endif
   #ifdef PROV_R_REQUEST_TOO_LARGE_FOR_DRBG
     {"REQUEST_TOO_LARGE_FOR_DRBG", ERR_LIB_PROV, PROV_R_REQUEST_TOO_LARGE_FOR_DRBG},
   #else

Tools/ssl/make_ssl_data.py

@@ -17,8 +17,8 @@
     git tag --list 'openssl-*'
     git switch --detach openssl-3.4.1
 
-After generating the definitions, compare the result with newest pre-existing file.
-You can use a command like:
+After generating the definitions, compare the result with the newest
+pre-existing file. You can use a command like:
 
     git diff --no-index Modules/_ssl_data_340.h Modules/_ssl_data_341.h
 

Tools/ssl/multissltests.py

@@ -45,14 +45,15 @@
 OPENSSL_OLD_VERSIONS = [
     "1.1.1w",
     "3.1.8",
+    "3.2.6",
 ]
 
 OPENSSL_RECENT_VERSIONS = [
     "3.0.18",
-    "3.2.6",
     "3.3.5",
     "3.4.3",
     "3.5.4",
+    "3.6.0",
     # See make_ssl_data.py for notes on adding a new version.
 ]