@@ -62,7 +62,13 @@ def requirements(self):
6262 else :
6363 self .requires ("mpdecimal/2.5.0" )
6464
65- self .requires ("openssl/1.1.1k" )
65+ # `openssl` v3.1.1 is no-go for macOS ARM: https://github.com/openssl/openssl/issues/20753
66+ # The fix will be in v3.1.2: https://github.com/openssl/openssl/pull/21261
67+ # Go with v3.0.8 until this is resolved.
68+ if self .pyversion >= scm .Version ("3.10.0" ):
69+ self .requires ("openssl/3.0.8" )
70+ else :
71+ self .requires ("openssl/1.1.1u" )
6672
6773 @property
6874 def pyversion (self ):
@@ -113,6 +119,24 @@ def generate(self):
113119 deps .environment .append (
114120 "LDFLAGS" , [r"-Wl,-rpath='\$\$ORIGIN/../lib'" , "-Wl,--disable-new-dtags" ]
115121 )
122+
123+ # Statically linking CPython with OpenSSL requires a bit of extra care. See the discussion
124+ # here: https://bugs.python.org/issue43466. This is marked as unofficially supported by the
125+ # CPython build system, but we do still want to allow it since static libraries are the
126+ # default for Conan, and recipe users will have the choice to accept the tradeoffs. When
127+ # using static OpenSSL, features like DSO engines or external OSSL providers don't work.
128+ #
129+ # On Linux, setting a single env variable is enough:
130+ # https://github.com/python/cpython/commit/bacefbf41461ab703b8d561f0e3d766427eab367
131+ # On macOS, the linker works differently so a heavy workaround isn't needed. But we
132+ # do need to ensure that the linker is aware of `libz`:
133+ # https://github.com/python/cpython/commit/5f87915d4af724f375b00dde2b948468d3e4ca97
134+ if not self .dependencies ["openssl" ].options .shared :
135+ if self .settings .os == "Linux" :
136+ deps .environment .define ("PY_UNSUPPORTED_OPENSSL_BUILD" , "static" )
137+ elif self .settings .os == "Macos" :
138+ deps .environment .append ("LDFLAGS" , ["-lz" ])
139+
116140 deps .generate ()
117141
118142 def build (self ):
0 commit comments