Drop CI for OpenSSL 1.0.2 (#953)

* Drop CI for OpenSSL 1.0.2

* Delete code for coverage reasons

* Bump minimum cryptography version

.travis.yml

@@ -16,10 +16,6 @@ jobs:
     os: osx
     osx_image: xcode11.6
     env: TOXENV=py27
-  - python: "2.7"
-    env: TOXENV=py27
-    # we should still test against OpenSSL 1.0.2. Xenial gives us that for now.
-    dist: xenial
   - python: "3.5"
     env: TOXENV=py35
   - python: "3.6"
@@ -71,13 +67,9 @@ jobs:
   - python: "3.7"
     env: TOXENV=py37-randomorder
 
-  # Make sure we don't break Twisted or urllib3
+  # Make sure we don't break Twisted
   - python: "3.7"
     env: TOXENV=py37-twistedMaster
-  - python: "3.5"
-    env: TOXENV=py35-urllib3Master
-    # Somehow urllib3 has trouble with newer distributions
-    dist: xenial
 
 
   # Meta

CHANGELOG.rst

@@ -11,10 +11,11 @@ The third digit is only for regressions.
 Backward-incompatible changes:
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+- The minimum ``cryptography`` version is now 3.2.
 - Remove deprecated ``OpenSSL.tsafe`` module.
 - Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.
 - Drop support for Python 3.4
-- Drop support for OpenSSL 1.0.1
+- Drop support for OpenSSL 1.0.1 and 1.0.2
 
 Deprecations:
 ^^^^^^^^^^^^^

setup.py

@@ -94,7 +94,7 @@ def find_meta(meta):
         package_dir={"": "src"},
         install_requires=[
             # Fix cryptographyMinimum in tox.ini when changing this!
-            "cryptography>=2.8",
+            "cryptography>=3.2",
             "six>=1.5.2",
         ],
         extras_require={

src/OpenSSL/SSL.py

@@ -28,7 +28,6 @@
     X509Name,
     X509,
     X509Store,
-    X509StoreContext,
 )
 
 __all__ = [
@@ -147,10 +146,7 @@ class _buffer(object):
 OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1
 OP_NO_TLSv1_1 = _lib.SSL_OP_NO_TLSv1_1
 OP_NO_TLSv1_2 = _lib.SSL_OP_NO_TLSv1_2
-try:
-    OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3
-except AttributeError:
-    pass
+OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3
 
 MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS
 
@@ -202,14 +198,6 @@ class _buffer(object):
 SSL_ST_CONNECT = _lib.SSL_ST_CONNECT
 SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT
 SSL_ST_MASK = _lib.SSL_ST_MASK
-if _lib.Cryptography_HAS_SSL_ST:
-    SSL_ST_INIT = _lib.SSL_ST_INIT
-    SSL_ST_BEFORE = _lib.SSL_ST_BEFORE
-    SSL_ST_OK = _lib.SSL_ST_OK
-    SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE
-    __all__.extend(
-        ["SSL_ST_INIT", "SSL_ST_BEFORE", "SSL_ST_OK", "SSL_ST_RENEGOTIATE"]
-    )
 
 SSL_CB_LOOP = _lib.SSL_CB_LOOP
 SSL_CB_EXIT = _lib.SSL_CB_EXIT
@@ -972,11 +960,7 @@ def set_session_id(self, buf):
         """
         buf = _text_to_bytes_and_warn("buf", buf)
         _openssl_assert(
-            _lib.SSL_CTX_set_session_id_context(
-                self._context,
-                buf,
-                len(buf),
-            )
+            _lib.SSL_CTX_set_session_id_context(self._context, buf, len(buf))
             == 1
         )
 
@@ -2175,29 +2159,12 @@ def get_verified_chain(self):
 
         .. versionadded:: 20.0
         """
-        if hasattr(_lib, "SSL_get0_verified_chain"):
-            # OpenSSL 1.1+
-            cert_stack = _lib.SSL_get0_verified_chain(self._ssl)
-            if cert_stack == _ffi.NULL:
-                return None
-
-            return self._cert_stack_to_list(cert_stack)
-
-        pycert = self.get_peer_certificate()
-        if pycert is None:
-            return None
-
-        # Should never be NULL because the peer presented a certificate.
-        cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)
-        _openssl_assert(cert_stack != _ffi.NULL)
-
-        pystore = self._context.get_cert_store()
-        if pystore is None:
+        # OpenSSL 1.1+
+        cert_stack = _lib.SSL_get0_verified_chain(self._ssl)
+        if cert_stack == _ffi.NULL:
             return None
 
-        pystorectx = X509StoreContext(pystore, pycert)
-        pystorectx._chain = cert_stack
-        return pystorectx.get_verified_chain()
+        return self._cert_stack_to_list(cert_stack)
 
     def want_read(self):
         """

src/OpenSSL/crypto.py

@@ -1603,16 +1603,8 @@ def add_cert(self, cert):
         if not isinstance(cert, X509):
             raise TypeError()
 
-        # As of OpenSSL 1.1.0i adding the same cert to the store more than
-        # once doesn't cause an error. Accordingly, this code now silences
-        # the error for OpenSSL < 1.1.0i as well.
-        if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0:
-            code = _lib.ERR_peek_error()
-            err_reason = _lib.ERR_GET_REASON(code)
-            _openssl_assert(
-                err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE
-            )
-            _lib.ERR_clear_error()
+        res = _lib.X509_STORE_add_cert(self._store, cert._x509)
+        _openssl_assert(res == 1)
 
     def add_crl(self, crl):
         """

tests/test_ssl.py

@@ -2621,17 +2621,8 @@ def test_set_session_wrong_method(self):
         with a context using a different SSL method than the `Connection`
         is using, a `OpenSSL.SSL.Error` is raised.
         """
-        # Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2
-        # and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT
-        # is a way to check for 1.1.0)
-        if SSL_ST_INIT is None:
-            v1 = TLSv1_2_METHOD
-            v2 = TLSv1_METHOD
-        elif hasattr(_lib, "SSLv3_method"):
-            v1 = TLSv1_METHOD
-            v2 = SSLv3_METHOD
-        else:
-            pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")
+        v1 = TLSv1_2_METHOD
+        v2 = TLSv1_METHOD
 
         key = load_privatekey(FILETYPE_PEM, server_key_pem)
         cert = load_certificate(FILETYPE_PEM, server_cert_pem)

tox.ini

@@ -10,7 +10,7 @@ extras =
 deps =
     coverage>=4.2
     cryptographyMaster: git+https://github.com/pyca/cryptography.git
-    cryptographyMinimum: cryptography==2.8
+    cryptographyMinimum: cryptography==3.2
     randomorder: pytest-randomly
 setenv =
     # Do not allow the executing environment to pollute the test environment
@@ -32,21 +32,6 @@ commands =
     python -c "import cryptography; print(cryptography.__version__)"
     python -m twisted.trial --reporter=text twisted
 
-[testenv:py35-urllib3Master]
-basepython=python3.5
-deps =
-    pyasn1
-    ndg-httpsclient
-passenv = ARCHFLAGS CFLAGS LC_ALL LDFLAGS PATH LD_LIBRARY_PATH TERM TRAVIS_INFRA
-whitelist_externals =
-    rm
-commands =
-    python -c "import OpenSSL.SSL; print(OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION))"
-    python -c "import cryptography; print(cryptography.__version__)"
-    {toxinidir}/.travis/install_urllib3.sh
-    pytest urllib3/test
-    rm -rf ./urllib3
-
 [testenv:flake8]
 basepython = python3
 deps =