Update OpenSSL versions for CI and Windows

[picnixz]

OpenSSL v3.4.1 is out and contains some security patches (see https://github.com/openssl/openssl/releases/tag/openssl-3.4.1). There is one high vulnerabilty (CVE-2024-12797) that was fixed.

However, what I'm interested in, are the fixes that allow me to continue working on #128391 (see openssl/openssl#26388). Note that this high vulnerability does not affect the Windows build as the latter is still using OpenSSL 3.0.15 which is only affected by the following low vulnerabilities:

• CVE-2024-13176
• CVE-2024-9143

Those low vulnerabilities affect OpenSSL 1.1.1+ and 3.x versions that we currently use and were fixed in the February 2025 release.

Note: I don't think Python is directly affected by the low vulnerabilies and I just want the fixes that were included in those releases for my own work. Since the high vulnerability only affects 3.2+, Windows builds should not be affected.

cc @gpshead

Plan:

• Update https://github.com/python/cpython-source-deps to pull OpenSSL 3.0.16 (cc @zooba)
• Update macOS and Windows builds to use OpenSSL 3.0.16.
• Update CI workflows to test against [3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.1]
• Update OpenSSL data headers

[zooba]

Any reason we shouldn't move the Windows release forward to a newer version than 3.0 (for 3.14, that is - prior releases presumably stay where they are)?

[picnixz]

Any reason we shouldn't move the Windows release forward to a newer version than 3.0 (for 3.14, that is - prior releases presumably stay where they are)?

I don't know. I guess we don't need the features added in 3.1. However, from a performance perspective, OpenSSL 3.0 seems to be way much slower compared to OpenSSL 3.1 on Windows builds: https://openssl-library.org/performance.html. However, OpenSSL 3.0 is the "LTS" version of OpenSSL so for Windows it may be better (see https://openssl-library.org/policies/releasestrat/index.html).

Now, in 2026, 3.0 would no more be LTS, so we might jump to the next LTS at that moment. WDYT? Otherwise, if there's no more LTS for OpenSSL, we might need to update Python much more frequently once a version becomes out-of-date (non-LTS releases are supported for 2 years, so I don't know how you want to proceed)

[zooba]

Hmm... yeah... let's stick to their LTS releases then. Presumably they'll have to nominate another LTS release before the current one expires, though it's a bit unfortunate we can't count on any to be supported for the same time as our own release.

[zooba]

The openssl-bin-3.0.16 tag is now available for integrating into the Windows build.

[picnixz]

The openssl-bin-3.0.16 tag is now available for integrating into the Windows build.

Thanks! I'm sorry but I won't be able to update this until Sunday as I'm going offline for a few days.