How to compile python3 on RHEL with SSL? SSL cannot be imported

Posted by xriantvc on 2023-03-03 in Python

I'm trying to compile Python on RHEL because my current Python uses the old 1.0.2k SSL version.

(test_env) [brad@reason tlscheck]$ python3 --version
Python 3.9.3
(test_env) [brad@reason tlscheck]$ python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2k-fips  26 Jan 2017
(test_env) [brad@reason tlscheck]$ openssl version
OpenSSL 1.1.1l  24 Aug 2021

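I think the problem is that when I compiled 3.9.3, I had not updated my OpenSSL version. I have since updated my OpenSSL and need to use it with Python. So I downloaded the newest Python 3.10, but at the make stage I get an error saying it will not build with ssl. I get the following message: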

Following modules built successfully but were removed because they could not be imported:
_hashlib              _ssl                                     

Could not build the ssl module!
Python requires a OpenSSL 1.1.1 or newer

Here is the full log of the compile attempt: https://pastebin.com/36EntpFz
When I use the configure option mentioned by @tony-yip, I get the following in configure.

checking for openssl/ssl.h in /etc/ssl... no
checking whether compiling and linking against OpenSSL works... no

I am determining my openssl location with:

[brad@reason Python-3.10.0]$ openssl version -d
OPENSSLDIR: "/etc/ssl"

To configure, I am using:

./configure --with-openssl="/etc/ssl"

When I looked for ssl.h, I found it in /usr/include/openssl, so I linked this directory to lib in /etc/ssl, but it did not help.

[brad@reason Python-3.10.0]$ ls -l /etc/ssl
total 40
lrwxrwxrwx 1 root root    16 Jul 16  2020 certs -> ../pki/tls/certs
-rw-r--r-- 1 root root   412 Oct 12 02:53 ct_log_list.cnf
-rw-r--r-- 1 root root   412 Oct 12 02:53 ct_log_list.cnf.dist
lrwxrwxrwx 1 root root    20 Oct 18 10:22 lib -> /usr/include/openssl
drwxr-xr-x 2 root root  4096 Oct 12 02:53 misc
-rw-r--r-- 1 root root 10909 Oct 12 02:53 openssl.cnf
-rw-r--r-- 1 root root 10909 Oct 12 02:53 openssl.cnf.dist
drwxr-xr-x 2 root root  4096 Oct 12 02:53 private
[brad@reason Python-3.10.0]$ sudo find / -name ssl.h | grep include
find: ‘/tmp/.mount_jetbraAJFEnl’: Permission denied
/home/brad/Downloads/freerdp-2.0.0-rc4/winpr/include/winpr/ssl.h
/home/brad/Downloads/FreeRDP/winpr/include/winpr/ssl.h
/home/brad/Development/tlscheck/openssl-1.1.1l/include/openssl/ssl.h
/usr/include/openssl/ssl.h
/var/lib/docker/overlay2/23e6f3c164ec8939352891c99393669df4ed6e66da1e04ce84616073f08c6051/diff/usr/include/openssl/ssl.h
/var/lib/flatpak/runtime/org.freedesktop.Sdk/x86_64/18.08/c8075e929daaffcbe5c78c9e87c0f0463d75e90d2b59c92355fa486e79c7d0e3/files/include/nss/ssl.h
/var/lib/flatpak/runtime/org.freedesktop.Sdk/x86_64/18.08/c8075e929daaffcbe5c78c9e87c0f0463d75e90d2b59c92355fa486e79c7d0e3/files/include/openssl/ssl.h
find: ‘/run/user/1000/gvfs’: Permission denied

This may be irrelevant information, but my libssl.so is here:

[brad@reason Python-3.10.0]$ ls /usr/lib64 | grep ssl
libevent_openssl-2.0.so.5
libevent_openssl-2.0.so.5.1.9
libssl3.so
libssl.so
libssl.so.10
libssl.so.1.0.2k
openssl

If you have any idea why make cannot include ssl, please let me know. Thanks.

wb1gzix0 #1

I had a very similar problem, with openssl not working and giving the same error with Python 3.10 on CentOS 7. Download openssl, unpack it, then go to that directory

./config --prefix=/usr/local/custom-openssl --openssldir=/etc/ssl
make -j1 depend
make -j8
make install_sw

Then go to the Python source, unpack it and run in that directory

./configure -C --with-openssl=/usr/local/custom-openssl --with-openssl-rpath=auto --prefix=/usr/local/python-3.version
make -j8
make altinstall

See also the custom OpenSSL section at https://docs.python.org/3/using/unix.html.

lf5gs5x2 #2

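This was very helpful, thank you! What led me to this question was being unable to run/update pip in a venv, so there was not much alternative but to figure out how to get OpenSSL working.
As of this week (December 21, 2021), in my environment (CentOS Linux release 7.9.2009 (Core)), I have been able to simplify some of these parts.
Starting from EPEL, install openssl11 (yes, also install openssl11-devel); to set up Python 3.10 properly, I needed to create the "OpenSSL directory", which I did like this: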

mkdir /usr/local/openssl11

Then set up symlinks for the (newly installed) requirements:

cd /usr/local/openssl11
ln -s /usr/lib64/openssl11 lib
ln -s /usr/include/openssl11 include

Finally, give this location to the configure script:

./configure --with-openssl=/usr/local/openssl11

Thanks for the really helpful explanation of how and why all of this is necessary. Hope this helps someone else...

nfeuvbwi #3

As the output shows, you need to point to openssl11. The easiest way I found is to change the configure file in the Python 3.10 source directory:

$ sed -i 's/PKG_CONFIG openssl /PKG_CONFIG openssl11 /g' configure
$ sudo ./configure --enable-optimizations
.
.
checking whether compiling and linking against OpenSSL works... yes
.

Then you can do as @CristiFati suggests to check that it is configured correctly before installing:

$ ./python -c "import sys, ssl; print(\"{:s}\n{:s}\".format(sys.version, ssl.OPENSSL_VERSION))"
3.10.0 (default, Nov 29 2021, 17:48:34) [GCC 7.3.1 20180712 (Red Hat 7.3.1-13)]
OpenSSL 1.1.1g FIPS  21 Apr 2020

izj3ouym #4

1. Introduction

Some references that may be (more or less) useful:

Working on a CentOS 7 image from Docker Hub (as it is the closest to RHEL 7, which you are using)

[root@cfati-5510-0:/work/q069539286]> uname -a
Linux cfati-5510-0 5.11.0-37-generic #41~20.04.2-Ubuntu SMP Fri Sep 24 09:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@cfati-5510-0:/work/q069539286]> cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)
[root@cfati-5510-0:/work/q069539286]> 
[root@cfati-5510-0:/work/q069539286]> rpm -qa | grep openssl
openssl-libs-1.0.2k-22.el7_9.x86_64
openssl-1.0.2k-22.el7_9.x86_64
openssl-devel-1.0.2k-22.el7_9.x86_64
[root@cfati-5510-0:/work/q069539286]> 
[root@cfati-5510-0:/work/q069539286]> openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@cfati-5510-0:/work/q069539286]> which openssl
/usr/bin/openssl
[root@cfati-5510-0:/work/q069539286]> ldd /usr/bin/openssl
    linux-vdso.so.1 =>  (0x00007ffe101b7000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f9483b8a000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f948393d000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f9483654000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f9483450000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f948321d000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f9482dba000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f9482bb6000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f94829a0000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f94825d2000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f94823c2000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f94821be000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f9481fa4000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f9481d88000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f9483dfc000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f9481b61000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f94818ff000)

2. OpenSSL considerations

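  • As stated (and also visible in the previous snippet), CentOS 7 (and I assume RHEL 7 too) ships with OpenSSL 1.0.2*. Since OpenSSL 1.1.1 is a minor (but kind of major) version, they are not (API / ABI) compatible, and therefore not interchangeable
  • v1.0.2 is the de facto (primary) version on CentOS 7 (RHEL 7 too); everything is built on top of it, and changing it would break things. But newer versions can be installed (I used EPEL (for more information see [RedHat]: What's EPEL, and how do I use it?) repo [Pkgs.CentOS]: EPEL x86_64, which provides v1.1.1g). But they can only work around the primary version. For example, almost every (important) file name in the new version has a suffix at the end (the executable is called openssl11) in order to avoid name clashes with the primary version
  • Since v1.1.1g is installed in (almost) the same locations as the primary version (with changed names), it is not picked up by any build system (by default), so I had to unpack the rpms (via rpm2cpio) into a custom dir
  • Not sure how you got v1.1.1l - probably built it yourself (or found it somewhere), so some of the following steps might not be required.

As a side note, I have built (internally modified) OpenSSL versions many times on various OSes / CPU architectures (including RHEL 7), but since the rpms were available I did not bother doing it

  • Even if openssl11 (and openssl11-libs, which it depends on) are "up and running", the Python build requires openssl11-devel
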
[root@cfati-5510-0:/work/q069539286]> mkdir -p openssl-1.1.1g && cd openssl-1.1.1g
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ls
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> for g in /var/cache/yum/x86_64/7/epel/packages/openssl11-libs-1.1.1g-3.el7.x86_64.rpm /var/cache/yum/x86_64/7/epel/packages/openssl11-1.1.1g-3.el7.x86_64.rpm /var/cache/yum/x86_64/7/epel/packages/openssl11-devel-1.1.1g-3.el7.x86_64.rpm; do rpm2cpio ${g} | cpio -idm; done
7292 blocks
2123 blocks
8352 blocks
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ls
etc  usr
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ll ./usr/bin/
total 637
-rwxrwxrwx 1 root root    610 Mar 29  2021 make-dummy-cert
-rwxrwxrwx 1 root root 644424 Mar 29  2021 openssl11
-rwxrwxrwx 1 root root    725 Mar 29  2021 renew-dummy-cert
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ./usr/bin/openssl11 
./usr/bin/openssl11: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ll ./usr/lib64/
total 3605
drwxrwxrwx 1 root root       0 Oct 21 23:55 engines-1.1
lrwxrwxrwx 1 root root      19 Oct 21 23:55 libcrypto.so.1.1 -> libcrypto.so.1.1.1g
-rwxrwxrwx 1 root root 3082216 Mar 29  2021 libcrypto.so.1.1.1g
lrwxrwxrwx 1 root root      16 Oct 21 23:55 libssl.so.1.1 -> libssl.so.1.1.1g
-rwxrwxrwx 1 root root  603568 Mar 29  2021 libssl.so.1.1.1g
drwxrwxrwx 1 root root       0 Oct 21 23:55 openssl11
drwxrwxrwx 1 root root       0 Oct 21 23:55 pkgconfig
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ldd ./usr/bin/openssl11 
    linux-vdso.so.1 =>  (0x00007ffca03f5000)
    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found
    libz.so.1 => /lib64/libz.so.1 (0x00007f3a61e56000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f3a61c52000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3a61a36000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a61668000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a6206c000)
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> # Set LD_LIBRARY_PATH
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> LD_LIBRARY_PATH=./usr/lib64:${LD_LIBRARY_PATH} ldd ./usr/bin/openssl11
    linux-vdso.so.1 =>  (0x00007ffdf7fce000)
    libssl.so.1.1 => ./usr/lib64/libssl.so.1.1 (0x00007fe00f7a4000)
    libcrypto.so.1.1 => ./usr/lib64/libcrypto.so.1.1 (0x00007fe00f2c1000)
    libz.so.1 => /lib64/libz.so.1 (0x00007fe00f0ab000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fe00eea7000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe00ec8b000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fe00e8bd000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fe00fa34000)
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> LD_LIBRARY_PATH=./usr/lib64:${LD_LIBRARY_PATH} ./usr/bin/openssl11 version
OpenSSL 1.1.1g FIPS  21 Apr 2020
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> LD_LIBRARY_PATH=./usr/lib64:${LD_LIBRARY_PATH} ./usr/bin/openssl11 version -d
OPENSSLDIR: "/etc/pki/tls"

This is a working OpenSSL 1.1.1g FIPS version.

3. Python build

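  • OpenSSL is fine from its PoV, but some "small" tweaks are required for the Python build to use it:
  • The include and lib dirs must have the same parent (they are lower in the dir tree; symlink them in the OpenSSL root dir)
  • Libraries with the .1.1 suffix must also exist (from the previous snippet); symlink them as well
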
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> # OpenSSL working. Prepare for Python build.
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> # "include" and "lib" dirs must be at the same level - symlink them
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ln -s ./usr/include/openssl11 ./include
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ln -s ./usr/lib64/openssl11 ./lib
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ls . ./lib
.:
etc  include  lib  usr

./lib:
libcrypto.so  libssl.so
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> # "lib" dir must also contain $(LIBNAME).1.1 besides what's already in there ($(LIBNAME))
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ln -s libcrypto.so ./lib/libcrypto.so.1.1
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ln -s libssl.so ./lib/libssl.so.1.1
[root@cfati-5510-0:/work/q069539286/openssl-1.1.1g]> ls ./lib
libcrypto.so  libcrypto.so.1.1  libssl.so  libssl.so.1.1

  • Python (configure and build):

[root@cfati-5510-0:/work/q069539286]> tar -zxf Python-3.10.0.tgz 
[root@cfati-5510-0:/work/q069539286]> cd Python-3.10.0
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> ./configure --with-openssl=$(pwd)/../openssl-1.1.1g --with-openssl-rpath=auto --prefix=$(pwd)/../python-3.10>../cfg.txt 2>&1
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> echo $?
0
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> LD_LIBRARY_PATH=$(pwd)/../openssl-1.1.1g/lib:${LD_LIBRARY_PATH} make -j8>../mk.txt 2>&1
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> echo $?
0

4. Testing

The build succeeded.
Quick test (make install):

[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> # Quick test
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> # --------------------------------
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> ./python -c "import sys, ssl; print(\"{:s}\n{:s}\".format(sys.version, ssl.OPENSSL_VERSION))"
3.10.0 (default, Oct 22 2021, 01:12:00) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
OpenSSL 1.1.1g FIPS  21 Apr 2020
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> # --------------------------------
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> # As opposed to "regular" Python
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> python -c "import sys, ssl; print(\"{:s}\n{:s}\".format(sys.version, ssl.OPENSSL_VERSION))"
2.7.5 (default, Nov 16 2020, 22:23:17) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
OpenSSL 1.0.2k-fips  26 Jan 2017

[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> ./python -c "import ssl; print(ssl._ssl)"
<module '_ssl' from '/work/q069539286/Python-3.10.0/build/lib.linux-x86_64-3.10/_ssl.cpython-310-x86_64-linux-gnu.so'>
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> ldd /work/q069539286/Python-3.10.0/build/lib.linux-x86_64-3.10/_ssl.cpython-310-x86_64-linux-gnu.so
    linux-vdso.so.1 =>  (0x00007ffef6b7b000)
    libssl.so.1.1 => /work/q069539286/Python-3.10.0/../openssl-1.1.1g/lib/libssl.so.1.1 (0x00007f0ab9745000)
    libcrypto.so.1.1 => /work/q069539286/Python-3.10.0/../openssl-1.1.1g/lib/libcrypto.so.1.1 (0x00007f0ab9262000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0ab9046000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0ab8c78000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f0ab8a62000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f0ab885e000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0ab9c05000)
[root@cfati-5510-0:/work/q069539286/Python-3.10.0]> readelf -d /work/q069539286/Python-3.10.0/build/lib.linux-x86_64-3.10/_ssl.cpython-310-x86_64-linux-gnu.so | grep ssl
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x000000000000001d (RUNPATH)            Library runpath: [/work/q069539286/Python-3.10.0/../openssl-1.1.1g/lib]
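
The RUNPATH shown above decides which libssl the new interpreter loads, so it is worth checking that every entry is absolute, free of `..`, present, and not writable by other users. The following is an added example, not part of the answer: it parses `readelf -d` output (the sample is copied from the two lines above) and audits each search directory; the function names and finding codes are assumptions made for this illustration.

```python
import os
import re
import stat

# Constructed sample: the `readelf -d ... | grep ssl` output quoted in the answer above.
SAMPLE_READELF = """\
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x000000000000001d (RUNPATH)            Library runpath: [/work/q069539286/Python-3.10.0/../openssl-1.1.1g/lib]
"""
DYN_ENTRY = re.compile(r"\((NEEDED|RPATH|RUNPATH)\)\s+[^\[]*\[([^\]]*)\]")

def parse_dynamic(readelf_text):
    """Split `readelf -d` output into needed libraries and search directories."""
    needed, search = [], []
    for tag, value in DYN_ENTRY.findall(readelf_text):
        if tag == "NEEDED":
            needed.append(value)
        else:  # RPATH/RUNPATH hold a colon-separated directory list
            search.extend(value.split(":"))
    return needed, search

def audit_entry(entry):
    """Return (code, detail) findings for one RPATH/RUNPATH directory."""
    if not entry.startswith(("/", "$ORIGIN", "${ORIGIN}")):
        return [("relative", "resolved against the process's current directory")]
    findings = []
    if ".." in entry.split("/"):
        findings.append(("dotdot", "depends on the build tree staying in place"))
    if entry.startswith("$"):
        return findings  # $ORIGIN is expanded by the loader; nothing to stat here
    path = os.path.normpath(entry)
    if not os.path.isdir(path):
        findings.append(("missing", path))
    while True:  # walk up: a writable ancestor lets another user swap the directory
        try:
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("writable", path))
        except OSError:
            pass  # component does not exist; keep checking its parents
        parent = os.path.dirname(path)
        if parent == path:
            return findings
        path = parent

if __name__ == "__main__":
    needed, search = parse_dynamic(SAMPLE_READELF)
    print("NEEDED:", needed)
    for directory in search:
        print(directory, "->", audit_entry(directory) or "ok")
```

To audit a real build, pass the output of `readelf -d` on the `_ssl` extension module to `parse_dynamic` instead of the sample.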

3ks5zfa0 #5

Python will use the bundled ssl (which is sometimes outdated). To use OpenSSL, add the OpenSSL flags when running ./configure. For details, run ./configure --help for more options.

  --with-openssl=DIR      root of the OpenSSL directory
  --with-openssl-rpath=[DIR|auto|no]
                          Set runtime library directory (rpath) for OpenSSL
                          libraries, no (default): don't set rpath, auto:
                          auto-detect rpath from --with-openssl and
                          pkg-config, DIR: set an explicit rpath
  --with-ssl-default-suites=[python|openssl|STRING]
                          override default cipher suites string, python: use
                          Python's preferred selection (default), openssl:
                          leave OpenSSL's defaults untouched, STRING: use a
                          custom string, python and STRING also set TLS 1.2 as
                          minimum TLS version
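
A post-build acceptance check for the options above, as an added example that is not part of the answer: run it with the freshly built `./python` to confirm the linked OpenSSL meets the 1.1.1 floor from the build error and to see what the default context negotiates. The function names, the weak-cipher marker list and the 128-bit threshold are assumptions standing in for a local policy.

```python
import ssl

MIN_OPENSSL = (1, 1, 1)  # the floor stated by the build error quoted in the question
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP")  # assumption: local policy list


def meets_minimum(version_info, minimum=MIN_OPENSSL):
    """Compare an ssl.OPENSSL_VERSION_INFO-style tuple against the floor."""
    return tuple(version_info[:3]) >= tuple(minimum)


def weak_ciphers(ciphers, min_bits=128):
    """Names from SSLContext.get_ciphers()-style dicts that fail the policy."""
    flagged = []
    for cipher in ciphers:
        name = cipher["name"]
        too_short = cipher.get("strength_bits", 0) < min_bits
        if too_short or any(marker in name for marker in WEAK_MARKERS):
            flagged.append(name)
    return flagged


def tls_report():
    """Inspect the ssl module of the interpreter that runs this script."""
    ctx = ssl.create_default_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "openssl_ok": meets_minimum(ssl.OPENSSL_VERSION_INFO),
        "tls13": ssl.HAS_TLSv1_3,
        "min_version": ctx.minimum_version.name,
        "weak_ciphers": weak_ciphers(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    for key, value in tls_report().items():
        print(f"{key}: {value}")
```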
