Merged, thank you! I replaced "Fix" with "Enhance" in the commit message: "Enhance ssl thread safety" :-)

Remaining question: should we backport thisenhancement (bugfix?) to Python 3.13?

Remaining question: should we backport thisenhancement (bugfix?) to Python 3.13?

Yeah, I had the same thought. I'll leave that decision to@Yhg1s

Backport this to 3.13? Uuhm...

No.

Without this change, thessl module is not usable on a Free Threaded build (it does easily crash). The change only affects the Free Threaded build: adding@critical_section does nothing in the regular build, and the added test is ignored on regular Python (only run on Free Threading). I would be fine with no backporting it, since Free Threading remains experimental.

I think that fixing the SSL module crash in the 3.13 free threading build is important -- lots of basic tasks around HTTP requests are likely to crash without it.

I don't think "lines of code changed" is a good measure of the complexity here -- theModules/_ssl.c changes are mostly mechanical, and the only behavioral changes is additional locking in the free threading build.

If backporting this PR is a nonstarter than we should consider a smaller, more targeted change that only adds@critical_section toSSLContext methods (without changing getters and setters). That seems less ideal to me, but should fix the common SSL crash and be a pretty small code change.

Also, thank you@ZeroIntensity for fixing this bug and@vstinner,@corona10, and everyone else that reviewed the PR.

Thanks@ZeroIntensity for the PR, and@vstinner for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

Sorry,@ZeroIntensity and@vstinner, I could not cleanly backport this to3.13 due to a conflict.
Please backport usingcherry_picker on command line.

cherry_picker 4c53b2577531c77193430cdcd66ad6385fcda81f 3.13

@ZeroIntensity: Automated backport failed. Would you mind to backport the change manually?

With a backport, it might be easier to take a decision on fixing 3.13 or not.

Yeah, I can do it later today.

GH-125780 is a backport of this pull request to the3.13 branch.

@Yhg1s: Are you still against the backport to 3.13 after@colesbury's comment?

I'm okay with a backport of just the @critical_section changes (since those expand to nothing in the normal build, and the free-threaded build is experimental anyway). It's the larger refactorings that worry me.

It's the larger refactorings that worry me.

Other changes are tests and changes to use the code declared with@critical_section.

There isn't any other refactoring going on here, I just had to switch the getters and setters over to AC for the critical section. Another issue is that not backporting this to 3.13 will also hurt any automatic backports forssl in the future.