[issue41837] Upgrade installers to OpenSSL 1.1.1h

Ned Deily report at bugs.python.org
Tue Sep 22 20:59:08 EDT 2020


New submission from Ned Deily <nad at python.org>:

"22-Sep-2020  OpenSSL 1.1.1h is now available, including bug fixes"

Christian, any changes needed in _ssl, or any other reasons we should not upgrade?

Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

  *) Certificates with explicit curve parameters are now disallowed in
     verification chains if the X509_V_FLAG_X509_STRICT flag is used.
     [Tomas Mraz]

  *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
     ignore TLS protocol version bounds when configuring DTLS-based contexts, and
     conversely, silently ignore DTLS protocol version bounds when configuring
     TLS-based contexts.  The commands can be repeated to set bounds of both
     types.  The same applies with the corresponding "min_protocol" and
     "max_protocol" command-line switches, in case some application uses both TLS
     and DTLS.
  
     SSL_CTX instances that are created for a fixed protocol version (e.g.
     TLSv1_server_method()) also silently ignore version bounds.  Previously
     attempts to apply bounds to these protocol versions would result in an
     error.  Now only the "version-flexible" SSL_CTX instances are subject to
     limits in configuration files and command-line options.
     [Viktor Dukhovni]

  *) Handshake now fails if Extended Master Secret extension is dropped
     on renegotiation.
     [Tomas Mraz]

----------
components: Build, Windows, macOS
messages: 377352
nosy: christian.heimes, ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, zach.ware
priority: high
severity: normal
status: open
title: Upgrade installers to OpenSSL 1.1.1h
versions: Python 3.10, Python 3.8, Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41837>
_______________________________________
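Two of the three changes quoted above have a direct surface in Python's ssl module: X509_V_FLAG_X509_STRICT is exposed as ssl.VERIFY_X509_STRICT, and the MinProtocol/MaxProtocol bounds correspond to SSLContext.minimum_version/maximum_version (which, per the notes, only take effect on version-flexible contexts such as PROTOCOL_TLS_CLIENT). The script below is an added example, not code from the issue, from Ned Deily or from CPython; it parses an "OpenSSL 1.1.1h" banner into a tuple comparable with ssl.OPENSSL_VERSION_INFO, checks whether the interpreter's linked OpenSSL is at least 1.1.1h, and builds a client context that uses both knobs. All function names are this example's own; the patch-letter-to-number mapping (h -> 8) follows how OPENSSL_VERSION_INFO reports 1.1.x versions.

```python
import re
import ssl

# Version the issue asks the installers to ship.  OpenSSL 1.1.x reports the
# patch letter as a number in ssl.OPENSSL_VERSION_INFO ('a' -> 1, 'h' -> 8).
REQUIRED = (1, 1, 1, 8)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Turn a banner such as 'OpenSSL 1.1.1h  22 Sep 2020' (from `openssl version`
    or ssl.OPENSSL_VERSION) into a (major, minor, fix, patch) tuple.
    A missing patch letter (e.g. 'OpenSSL 3.0.2') maps to patch 0."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def openssl_at_least(info, required=REQUIRED):
    """Compare a version tuple (ssl.OPENSSL_VERSION_INFO, which carries a fifth
    'status' field, or a parse_openssl_version() result) against `required`."""
    return tuple(info[:4]) >= tuple(required[:4])


def linked_openssl_is_current():
    """True if the interpreter running this code links OpenSSL >= 1.1.1h."""
    return openssl_at_least(ssl.OPENSSL_VERSION_INFO)


def make_strict_client_context(min_version=ssl.TLSVersion.TLSv1_2,
                               max_version=ssl.TLSVersion.TLSv1_3):
    """Client context exercising the two knobs the 1.1.1h notes touch.

    - VERIFY_X509_STRICT is X509_V_FLAG_X509_STRICT: with 1.1.1h a chain that
      contains a certificate with explicit EC curve parameters is rejected.
    - minimum_version / maximum_version are the protocol bounds.  They apply
      here because PROTOCOL_TLS_CLIENT is a version-flexible method; the notes
      say fixed-version methods now ignore such bounds silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    return ctx


def describe_context(ctx):
    """Plain-data summary of the settings above, for checks and log output."""
    return {
        "strict": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
    }


if __name__ == "__main__":
    print("linked:", ssl.OPENSSL_VERSION, "->", ssl.OPENSSL_VERSION_INFO)
    print("at least 1.1.1h:", linked_openssl_is_current())
    print("context:", describe_context(make_strict_client_context()))
```

Run it with the interpreter from the installer under test; the `at least 1.1.1h` line is the quick check that the bundled library actually changed, and the context summary confirms the strict-chain flag and the bounds were accepted by the linked OpenSSL rather than silently dropped.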

