TIL how to build Python 3.7 with statically-linked libssl and libcrypto

I use a Virtual Private Server on DreamHost to run the Toastmasters District 101 website. For the most part, I’m happy with their service, and with a shell prompt, it’s usually easy to install whatever software I need.

Except Python 3.7. Python 3.7 requires a newer level of OpenSSL than DreamHost offers, and since I don’t have root access on a VPS, I can’t just replace OpenSSL. Compiling a current version and installing it in a directory ($HOME/usr/local) was easy enough:

./config --prefix=$HOME/usr/local --openssldir=$HOME/usr/local/openssl   
make   
make test   
make install   

Building Python 3.7 was also easy, but getting it to use my copy of OpenSSL was not.

At first, I tried adding my OpenSSL to LD_LIBRARY_PATH, which worked, but it made git complain: no version information available (required by ssh), and that seemed unfortunate (and made me worry that I might break other things).

After much searching, I found Python issue 21541, which had the hints I needed to statically-link my copy of OpenSSL into the Python executable.

First, run configure:

./configure --prefix=$HOME/opt/python-3.7.0 --with-openssl=$HOME/usr/local/

Then uncomment and change the section of Modules/Setup dealing with SSL to this:

# Socket module helper for SSL support; you must comment out the other
# socket line above, and possibly edit the SSL variable:
SSL=$HOME/usr/local
_ssl _ssl.c \
    DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \
    L$(SSL)/lib -Wl,-Bsymbolic $(SSL)/lib/libssl.a $(SSL)/lib/libcrypto.a

After that, the usual make && make install worked.