python
diff --git a/‎Lib/test/audit-tests.py
Copy file name to clipboardExpand all lines: Lib/test/audit-tests.py
+9-1Lines changed: 9 additions & 1 deletion b/‎Lib/test/audit-tests.py
Copy file name to clipboardExpand all lines: Lib/test/audit-tests.py
+9-1Lines changed: 9 additions & 1 deletion
diff --git a/‎Lib/test/test_audit.py
Copy file name to clipboardExpand all lines: Lib/test/test_audit.py
+1Lines changed: 1 addition & 0 deletions b/‎Lib/test/test_audit.py
Copy file name to clipboardExpand all lines: Lib/test/test_audit.py
+1Lines changed: 1 addition & 0 deletions
diff --git a/‎Lib/test/test_ssl.py
Copy file name to clipboardExpand all lines: Lib/test/test_ssl.py
+39-13Lines changed: 39 additions & 13 deletions b/‎Lib/test/test_ssl.py
Copy file name to clipboardExpand all lines: Lib/test/test_ssl.py
+39-13Lines changed: 39 additions & 13 deletions
diff --git a/‎Misc/NEWS.d/next/Windows/2025-03-28-13-22-55.gh-issue-131423.vI-LqV.rst
Copy file name to clipboard
+3Lines changed: 3 additions & 0 deletions b/‎Misc/NEWS.d/next/Windows/2025-03-28-13-22-55.gh-issue-131423.vI-LqV.rst
Copy file name to clipboard
+3Lines changed: 3 additions & 0 deletions
diff --git a/‎Misc/externals.spdx.json
Copy file name to clipboardExpand all lines: Misc/externals.spdx.json
+4-4Lines changed: 4 additions & 4 deletions b/‎Misc/externals.spdx.json
Copy file name to clipboardExpand all lines: Misc/externals.spdx.json
+4-4Lines changed: 4 additions & 4 deletions
diff --git a/‎Modules/_ssl.c
Copy file name to clipboardExpand all lines: Modules/_ssl.c
+6Lines changed: 6 additions & 0 deletions b/‎Modules/_ssl.c
Copy file name to clipboardExpand all lines: Modules/_ssl.c
+6Lines changed: 6 additions & 0 deletions
diff --git a/‎Modules/_ssl/debughelpers.c
Copy file name to clipboardExpand all lines: Modules/_ssl/debughelpers.c
+7Lines changed: 7 additions & 0 deletions b/‎Modules/_ssl/debughelpers.c
Copy file name to clipboardExpand all lines: Modules/_ssl/debughelpers.c
+7Lines changed: 7 additions & 0 deletions
diff --git a/‎PCbuild/_ssl.vcxproj
Copy file name to clipboardExpand all lines: PCbuild/_ssl.vcxproj
-3Lines changed: 0 additions & 3 deletions b/‎PCbuild/_ssl.vcxproj
Copy file name to clipboardExpand all lines: PCbuild/_ssl.vcxproj
-3Lines changed: 0 additions & 3 deletions
diff --git a/‎PCbuild/_ssl.vcxproj.filters
Copy file name to clipboardExpand all lines: PCbuild/_ssl.vcxproj.filters
-3Lines changed: 0 additions & 3 deletions b/‎PCbuild/_ssl.vcxproj.filters
Copy file name to clipboardExpand all lines: PCbuild/_ssl.vcxproj.filters
-3Lines changed: 0 additions & 3 deletions
diff --git a/‎PCbuild/get_externals.bat
Copy file name to clipboardExpand all lines: PCbuild/get_externals.bat
+2-2Lines changed: 2 additions & 2 deletions b/‎PCbuild/get_externals.bat
Copy file name to clipboardExpand all lines: PCbuild/get_externals.bat
+2-2Lines changed: 2 additions & 2 deletions
diff --git a/‎PCbuild/openssl.vcxproj
Copy file name to clipboardExpand all lines: PCbuild/openssl.vcxproj
+1-25Lines changed: 1 addition & 25 deletions b/‎PCbuild/openssl.vcxproj
Copy file name to clipboardExpand all lines: PCbuild/openssl.vcxproj
+1-25Lines changed: 1 addition & 25 deletions
diff --git a/‎PCbuild/python.props
Copy file name to clipboardExpand all lines: PCbuild/python.props
+2-2Lines changed: 2 additions & 2 deletions b/‎PCbuild/python.props
Copy file name to clipboardExpand all lines: PCbuild/python.props
+2-2Lines changed: 2 additions & 2 deletions
@@ -208,7 +208,15 @@ def test_open(testfn):
             if not fn:
                 continue
             with assertRaises(RuntimeError):
-                fn(*args)
+                try:
+                    fn(*args)
+                except NotImplementedError:
+                    if fn == load_dh_params:
+                        # Not callable in some builds
+                        load_dh_params = None
+                        raise RuntimeError
+                    else:
+                        raise
 
     actual_mode = [(a[0], a[1]) for e, a in hook.seen if e == "open" and a[1]]
     actual_flag = [(a[0], a[2]) for e, a in hook.seen if e == "open" and not a[1]]
 
@@ -23,6 +23,7 @@ def run_test_in_subprocess(self, *args):
         with subprocess.Popen(
             [sys.executable, "-X utf8", AUDIT_TESTS_PY, *args],
             encoding="utf-8",
+            errors="backslashreplace",
             stdout=subprocess.PIPE,
             stderr=subprocess.PIPE,
         ) as p:
 
@@ -1348,10 +1348,14 @@ def test_load_verify_cadata(self):
         with self.assertRaises(ssl.SSLError):
             ctx.load_verify_locations(cadata=cacert_der + b"A")
 
-    @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
     def test_load_dh_params(self):
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-        ctx.load_dh_params(DHFILE)
+        try:
+            ctx.load_dh_params(DHFILE)
+        except RuntimeError:
+            if Py_DEBUG_WIN32:
+                self.skipTest("not supported on Win32 debug build")
+            raise
         if os.name != 'nt':
             ctx.load_dh_params(BYTES_DHFILE)
         self.assertRaises(TypeError, ctx.load_dh_params)
@@ -1676,12 +1680,17 @@ def test_str(self):
         self.assertEqual(str(e), "foo")
         self.assertEqual(e.errno, 1)
 
-    @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
     def test_lib_reason(self):
         # Test the library and reason attributes
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-        with self.assertRaises(ssl.SSLError) as cm:
-            ctx.load_dh_params(CERTFILE)
+        try:
+            with self.assertRaises(ssl.SSLError) as cm:
+                ctx.load_dh_params(CERTFILE)
+        except RuntimeError:
+            if Py_DEBUG_WIN32:
+                self.skipTest("not supported on Win32 debug build")
+            raise
+
         self.assertEqual(cm.exception.library, 'PEM')
         regex = "(NO_START_LINE|UNSUPPORTED_PUBLIC_KEY_TYPE)"
         self.assertRegex(cm.exception.reason, regex)
@@ -4060,13 +4069,17 @@ def test_no_legacy_server_connect(self):
                                    chatty=True, connectionchatty=True,
                                    sni_name=hostname)
 
-    @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
     def test_dh_params(self):
         # Check we can get a connection with ephemeral Diffie-Hellman
         client_context, server_context, hostname = testing_context()
         # test scenario needs TLS <= 1.2
         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
-        server_context.load_dh_params(DHFILE)
+        try:
+            server_context.load_dh_params(DHFILE)
+        except RuntimeError:
+            if Py_DEBUG_WIN32:
+                self.skipTest("not supported on Win32 debug build")
+            raise
         server_context.set_ciphers("kEDH")
         server_context.maximum_version = ssl.TLSVersion.TLSv1_2
         stats = server_params_test(client_context, server_context,
@@ -4846,14 +4859,18 @@ def keylog_lines(self, fname=os_helper.TESTFN):
             return len(list(f))
 
     @requires_keylog
-    @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
     def test_keylog_defaults(self):
         self.addCleanup(os_helper.unlink, os_helper.TESTFN)
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
         self.assertEqual(ctx.keylog_filename, None)
 
         self.assertFalse(os.path.isfile(os_helper.TESTFN))
-        ctx.keylog_filename = os_helper.TESTFN
+        try:
+            ctx.keylog_filename = os_helper.TESTFN
+        except RuntimeError:
+            if Py_DEBUG_WIN32:
+                self.skipTest("not supported on Win32 debug build")
+            raise
         self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
         self.assertTrue(os.path.isfile(os_helper.TESTFN))
         self.assertEqual(self.keylog_lines(), 1)
@@ -4870,12 +4887,17 @@ def test_keylog_defaults(self):
             ctx.keylog_filename = 1
 
     @requires_keylog
-    @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
     def test_keylog_filename(self):
         self.addCleanup(os_helper.unlink, os_helper.TESTFN)
         client_context, server_context, hostname = testing_context()
 
-        client_context.keylog_filename = os_helper.TESTFN
+        try:
+            client_context.keylog_filename = os_helper.TESTFN
+        except RuntimeError:
+            if Py_DEBUG_WIN32:
+                self.skipTest("not supported on Win32 debug build")
+            raise
+
         server = ThreadedEchoServer(context=server_context, chatty=False)
         with server:
             with client_context.wrap_socket(socket.socket(),
@@ -4908,7 +4930,6 @@ def test_keylog_filename(self):
     @requires_keylog
     @unittest.skipIf(sys.flags.ignore_environment,
                      "test is not compatible with ignore_environment")
-    @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
     def test_keylog_env(self):
         self.addCleanup(os_helper.unlink, os_helper.TESTFN)
         with unittest.mock.patch.dict(os.environ):
@@ -4918,7 +4939,12 @@ def test_keylog_env(self):
             ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
             self.assertEqual(ctx.keylog_filename, None)
 
-            ctx = ssl.create_default_context()
+            try:
+                ctx = ssl.create_default_context()
+            except RuntimeError:
+                if Py_DEBUG_WIN32:
+                    self.skipTest("not supported on Win32 debug build")
+                raise
             self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
 
             ctx = ssl._create_stdlib_context()
 
@@ -0,0 +1,3 @@
+Update bundled version of OpenSSL to 3.0.16. The new build also disables
+uplink support, which may be relevant to embedders but has no impact on
+normal use.
@@ -70,21 +70,21 @@
       "checksums": [
         {
           "algorithm": "SHA256",
-          "checksumValue": "1550c87996a0858474a9dd179deab2c55eb73726b9a140b32865b02fd3d8a86b"
+          "checksumValue": "6bb739ecddbd2cfb6d255eb5898437a9b5739277dee931338d3275bac5d96ba2"
         }
       ],
-      "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.0.15.tar.gz",
+      "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.0.16.tar.gz",
       "externalRefs": [
         {
           "referenceCategory": "SECURITY",
-          "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.15:*:*:*:*:*:*:*",
+          "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.16:*:*:*:*:*:*:*",
           "referenceType": "cpe23Type"
         }
       ],
       "licenseConcluded": "NOASSERTION",
       "name": "openssl",
       "primaryPackagePurpose": "SOURCE",
-      "versionInfo": "3.0.15"
+      "versionInfo": "3.0.16"
     },
     {
       "SPDXID": "SPDXRef-PACKAGE-sqlite",
 
@@ -4370,6 +4370,12 @@ _ssl__SSLContext_load_dh_params_impl(PySSLContext *self, PyObject *filepath)
     FILE *f;
     DH *dh;
 
+#if defined(MS_WINDOWS) && defined(_DEBUG)
+    PyErr_SetString(PyExc_NotImplementedError,
+                    "load_dh_params: unavailable on Windows debug build");
+    return NULL;
+#endif
+
     f = _Py_fopen_obj(filepath, "rb");
     if (f == NULL)
         return NULL;
 
@@ -164,6 +164,13 @@ _PySSLContext_get_keylog_filename(PySSLContext *self, void *c) {
 static int
 _PySSLContext_set_keylog_filename(PySSLContext *self, PyObject *arg, void *c) {
     FILE *fp;
+
+#if defined(MS_WINDOWS) && defined(_DEBUG)
+    PyErr_SetString(PyExc_NotImplementedError,
+                    "set_keylog_filename: unavailable on Windows debug build");
+    return -1;
+#endif
+
     /* Reset variables and callback first */
     SSL_CTX_set_keylog_callback(self->ctx, NULL);
     Py_CLEAR(self->keylog_filename);
 
@@ -99,9 +99,6 @@
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\Modules\_ssl.c" />
-    <ClCompile Include="$(opensslIncludeDir)\applink.c">
-      <PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;$(PreprocessorDefinitions)</PreprocessorDefinitions>
-    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="..\PC\python_nt.rc" />
 
@@ -12,9 +12,6 @@
     <ClCompile Include="..\Modules\_ssl.c">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="$(opensslIncludeDir)\applink.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="..\PC\python_nt.rc">
 
@@ -53,7 +53,7 @@ echo.Fetching external libraries...
 set libraries=
 set libraries=%libraries%                                       bzip2-1.0.8
 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries%  libffi-3.4.4
-if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-3.0.15
+if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-3.0.16
 set libraries=%libraries%                                       mpdecimal-4.0.0
 set libraries=%libraries%                                       sqlite-3.45.3.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0
@@ -77,7 +77,7 @@ echo.Fetching external binaries...
 
 set binaries=
 if NOT "%IncludeLibffi%"=="false"  set binaries=%binaries% libffi-3.4.4
-if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-3.0.15
+if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-3.0.16.1
 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.15.0
 if NOT "%IncludeSSLSrc%"=="false"  set binaries=%binaries% nasm-2.11.06
 
 
@@ -67,47 +67,23 @@
 set VCINSTALLDIR=$(VCInstallDir)
 if not exist "$(IntDir.TrimEnd('\'))" mkdir "$(IntDir.TrimEnd('\'))"
 cd /D "$(IntDir.TrimEnd('\'))"
-$(Perl) "$(opensslDir)\configure" $(OpenSSLPlatform) no-asm
+$(Perl) "$(opensslDir)\configure" $(OpenSSLPlatform) no-asm no-uplink
 nmake
 </NMakeBuildCommandLine>
   </PropertyGroup>
 
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
 
-  <Target Name="_PatchUplink" BeforeTargets="Build">
-    <PropertyGroup>
-      <Uplink>$(opensslDir)\ms\uplink.c</Uplink>
-      <BeforePatch>((h = GetModuleHandle(NULL)) == NULL)</BeforePatch>
-      <AfterPatch>((h = GetModuleHandleA("_ssl.pyd")) == NULL) if ((h = GetModuleHandleA("_ssl_d.pyd")) == NULL) if ((h = GetModuleHandle(NULL)) == NULL /*patched*/)</AfterPatch>
-    </PropertyGroup>
-    <Error Text="Cannot find $(Uplink)" Condition="!Exists($(Uplink))" />
-    <PropertyGroup>
-      <_Original>$([System.IO.File]::ReadAllText($(Uplink)))</_Original>
-      <_Patched>$(_Original.Replace($(BeforePatch), $(AfterPatch)))</_Patched>
-      <IsPatched>false</IsPatched>
-      <IsPatched Condition="$(_Patched) == $(_Original)">true</IsPatched>
-    </PropertyGroup>
-    <Message Text="$(Uplink) is already patched" Importance="normal" Condition="$(IsPatched)" />
-    <Message Text="Patching $(Uplink)" Importance="high" Condition="!$(IsPatched)" />
-    <WriteLinesToFile File="$(Uplink)"
-                      Lines="$(_Patched)"
-                      Overwrite="true"
-                      Encoding="ASCII"
-                      Condition="!$(IsPatched)" />
-  </Target>
-
   <Target Name="_CopyToOutput" AfterTargets="Build">
     <ItemGroup>
       <_Built Include="$(opensslDir)\LICENSE" />
       <_Built Include="$(IntDir)\libcrypto.lib;$(IntDir)\libcrypto-*.dll;$(IntDir)\libcrypto-*.pdb" />
       <_Built Include="$(IntDir)\libssl.lib;$(IntDir)\libssl-*.dll;$(IntDir)\libssl-*.pdb" />
-      <_AppLink Include="$(opensslDir)\ms\applink.c" />
       <_Include Include="$(opensslDir)\Include\openssl\*.h" />
       <_Include Include="$(IntDir)\include\openssl\*.h" />
     </ItemGroup>
     <MakeDir Directories="$(opensslOutDir)\include\openssl" />
     <Copy SourceFiles="@(_Built)" DestinationFolder="$(opensslOutDir)" />
-    <Copy SourceFiles="@(_AppLink)" DestinationFolder="$(opensslOutDir)\include" />
     <Copy SourceFiles="@(_Include)" DestinationFolder="$(opensslOutDir)\include\openssl" />
   </Target>
 
 
@@ -75,8 +75,8 @@
     <libffiOutDir Condition="$(libffiOutDir) == ''">$(libffiDir)$(ArchName)\</libffiOutDir>
     <libffiIncludeDir Condition="$(libffiIncludeDir) == ''">$(libffiOutDir)include</libffiIncludeDir>
     <mpdecimalDir Condition="$(mpdecimalDir) == ''">$(ExternalsDir)\mpdecimal-4.0.0\</mpdecimalDir>
-    <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-3.0.15\</opensslDir>
-    <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-3.0.15\$(ArchName)\</opensslOutDir>
+    <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-3.0.16\</opensslDir>
+    <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-3.0.16.1\$(ArchName)\</opensslOutDir>
     <opensslIncludeDir Condition="$(opensslIncludeDir) == ''">$(opensslOutDir)include</opensslIncludeDir>
     <nasmDir Condition="$(nasmDir) == ''">$(ExternalsDir)\nasm-2.11.06\</nasmDir>
     <zlibDir Condition="$(zlibDir) == ''">$(ExternalsDir)\zlib-1.3.1\</zlibDir>
Original file line number	Diff line number	Diff line change
`@@ -70,21 +70,21 @@`
`70`	`70`	`"checksums": [`
`71`	`71`	`{`
`72`	`72`	`"algorithm": "SHA256",`
`73`		`- "checksumValue": "1550c87996a0858474a9dd179deab2c55eb73726b9a140b32865b02fd3d8a86b"`
	`73`	`+ "checksumValue": "6bb739ecddbd2cfb6d255eb5898437a9b5739277dee931338d3275bac5d96ba2"`
`74`	`74`	`}`
`75`	`75`	`],`
`76`		`- "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.0.15.tar.gz",`
	`76`	`+ "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/openssl-3.0.16.tar.gz",`
`77`	`77`	`"externalRefs": [`
`78`	`78`	`{`
`79`	`79`	`"referenceCategory": "SECURITY",`
`80`		`- "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.15:::::::*",`
	`80`	`+ "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.16:::::::*",`
`81`	`81`	`"referenceType": "cpe23Type"`
`82`	`82`	`}`
`83`	`83`	`],`
`84`	`84`	`"licenseConcluded": "NOASSERTION",`
`85`	`85`	`"name": "openssl",`
`86`	`86`	`"primaryPackagePurpose": "SOURCE",`
`87`		`- "versionInfo": "3.0.15"`
	`87`	`+ "versionInfo": "3.0.16"`
`88`	`88`	`},`
`89`	`89`	`{`
`90`	`90`	`"SPDXID": "SPDXRef-PACKAGE-sqlite",`