Add OpenSSL 3.5 support to CPython infrastructure

[scw]

On April 8th, 2025 OpenSSL 3.5 was released, the latest OpenSSL LTS: https://openssl-library.org/post/2025-04-08-openssl-35-final-release/

Here is a table of the OpenSSL release roadmap and deprecation schedule from¹:

Version	Release Type	Release Date	Supported Until
3.0	LTS	Sep 2021	Sep 2026
3.1	Non-LTS	Mar 2023	Mar 2025
3.2	Non-LTS	Nov 2023	Nov 2025
3.3	Non-LTS	Apr 2024	Apr 2026
3.4	Non-LTS	Oct 2024	Oct 2026
3.5	LTS	Apr 2025	Apr 2030
3.6	Non-LTS	Oct 2025	Nov 2026
4.0	Non-LTS	Apr 2026	May 2027

OpenSSL 3.5 is the only version with free public support beyond 2026, and lining up this with the Python release schedules, it looks like ideally 3.11—3.14 would all support OpenSSL 3.5 to overlap the OpenSSL window. I haven't assessed how complicated the internal changes, but wanted to start the process based on the discussion in #131423.

Footnotes

1. https://openssl-library.org/roadmap/ ↩

[scw]

For what it's worth, I was able to use the build installer script to build _hashlib.cpython-314-darwin.so and _ssl.cpython-314-darwin.so, but didn't engage in any comprehensive testing of their correctness.

[guymaidoc]

Another motivation to upgrade - openSSL fixed performance issues in windows in 3.4.1, which according to my tests, have high impact