A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

I have made the requested changes; please review again

Thanks for making the requested changes!

@tiran: please review the changes made to this pull request.

This PR is stale because it has been open for 30 days with no activity.

For a lack of better wording, we passively removed compatibility with forks that don't provide OpenSSL 1.1.1 API. I still like to keep some code so we can re-add LibreSSL support later.

Some time has passed, and I guess this patch sort of reflects the state of Python v3.10 with LibreSSL v3.5.
It looks like the next version will support SSL_CTX_get_security_level too.
What's left then are those four hash functions, which probably won't be added anytime soon.

Does that change anything for Python w.r.t. LibreSSL support?

Of course I stumble upon this just after posting.
That sounds like it can solve the issue about the missing hashing functions?

It is unlikely that we will officially support LibreSSL. Even if LibreSSL would become feature compatible with OpenSSL, we just don't have to resources to test and verify that Python works correctly with LibreSSL.

Is LibreSSL still relevant? AFAIK only OpenBSD uses it. All Linux distros have dropped support for LibreSSL, even Gentoo. FreeBSD uses OpenSSL and NetBSD seems to prefer OpenSSL as well (they have OpenSSL 1.1.1n and LibreSSL 2.7.4 from 2018).

OpenBSD and to some extend OpenWrt. The patch I linked to is that user maintained Gentoo LibreSSL overlay, which was mentioned in that news item you linked to. Seems used but nothing official.

The usage in OpenWrt in somewhat special. A host python is compiled with LibreSSL, which is then used to cross compile the target python and target python packages, but that's all using OpenSSL then. So the host python with LibreSSL isn't something critical that gets shipped.

And that got us to the question of how painful it is to maintain the python+libressl patch or if OpenWrt should switch the host part to OpenSSL.

For the record: Python 3.10.7 builds with LibreSSL 3.7.0 without any further patches.

If no deliberate removal of LibreSSL calls is planned, should we keep this PR and its parent issue open?

All Linux distros have dropped support for LibreSSL, even Gentoo.

It is still possible to use it on Gentoo with the overlay. https://github.com/gentoo/libressl