Drop CI for OpenSSL 1.0.2 (#953)
* Drop CI for OpenSSL 1.0.2
* Delete code for coverage reasons
* Bump minimum cryptography version
diff --git a/.travis.yml b/.travis.yml
index d6d566c..911ccef 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -16,10 +16,6 @@
os: osx
osx_image: xcode11.6
env: TOXENV=py27
- - python: "2.7"
- env: TOXENV=py27
- # we should still test against OpenSSL 1.0.2. Xenial gives us that for now.
- dist: xenial
- python: "3.5"
env: TOXENV=py35
- python: "3.6"
@@ -71,13 +67,9 @@
- python: "3.7"
env: TOXENV=py37-randomorder
- # Make sure we don't break Twisted or urllib3
+ # Make sure we don't break Twisted
- python: "3.7"
env: TOXENV=py37-twistedMaster
- - python: "3.5"
- env: TOXENV=py35-urllib3Master
- # Somehow urllib3 has trouble with newer distributions
- dist: xenial
# Meta
diff --git a/.travis/install_urllib3.sh b/.travis/install_urllib3.sh
deleted file mode 100755
index 1324ded..0000000
--- a/.travis/install_urllib3.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-set -e
-set -x
-
-git clone --depth 1 https://github.com/shazow/urllib3.git
-pip install -r ./urllib3/dev-requirements.txt
-pip install ./urllib3[socks]
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5df0a05..9f58d78 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -11,10 +11,11 @@
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+- The minimum ``cryptography`` version is now 3.2.
- Remove deprecated ``OpenSSL.tsafe`` module.
- Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.
- Drop support for Python 3.4
-- Drop support for OpenSSL 1.0.1
+- Drop support for OpenSSL 1.0.1 and 1.0.2
Deprecations:
^^^^^^^^^^^^^
diff --git a/setup.py b/setup.py
index 6f3afd7..08769d2 100755
--- a/setup.py
+++ b/setup.py
@@ -94,7 +94,7 @@
package_dir={"": "src"},
install_requires=[
# Fix cryptographyMinimum in tox.ini when changing this!
- "cryptography>=2.8",
+ "cryptography>=3.2",
"six>=1.5.2",
],
extras_require={
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index bbb721c..9b9f638 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -28,7 +28,6 @@
X509Name,
X509,
X509Store,
- X509StoreContext,
)
__all__ = [
@@ -147,10 +146,7 @@
OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1
OP_NO_TLSv1_1 = _lib.SSL_OP_NO_TLSv1_1
OP_NO_TLSv1_2 = _lib.SSL_OP_NO_TLSv1_2
-try:
- OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3
-except AttributeError:
- pass
+OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3
MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS
@@ -202,14 +198,6 @@
SSL_ST_CONNECT = _lib.SSL_ST_CONNECT
SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT
SSL_ST_MASK = _lib.SSL_ST_MASK
-if _lib.Cryptography_HAS_SSL_ST:
- SSL_ST_INIT = _lib.SSL_ST_INIT
- SSL_ST_BEFORE = _lib.SSL_ST_BEFORE
- SSL_ST_OK = _lib.SSL_ST_OK
- SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE
- __all__.extend(
- ["SSL_ST_INIT", "SSL_ST_BEFORE", "SSL_ST_OK", "SSL_ST_RENEGOTIATE"]
- )
SSL_CB_LOOP = _lib.SSL_CB_LOOP
SSL_CB_EXIT = _lib.SSL_CB_EXIT
@@ -972,11 +960,7 @@
"""
buf = _text_to_bytes_and_warn("buf", buf)
_openssl_assert(
- _lib.SSL_CTX_set_session_id_context(
- self._context,
- buf,
- len(buf),
- )
+ _lib.SSL_CTX_set_session_id_context(self._context, buf, len(buf))
== 1
)
@@ -2175,29 +2159,12 @@
.. versionadded:: 20.0
"""
- if hasattr(_lib, "SSL_get0_verified_chain"):
- # OpenSSL 1.1+
- cert_stack = _lib.SSL_get0_verified_chain(self._ssl)
- if cert_stack == _ffi.NULL:
- return None
-
- return self._cert_stack_to_list(cert_stack)
-
- pycert = self.get_peer_certificate()
- if pycert is None:
+ # OpenSSL 1.1+
+ cert_stack = _lib.SSL_get0_verified_chain(self._ssl)
+ if cert_stack == _ffi.NULL:
return None
- # Should never be NULL because the peer presented a certificate.
- cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)
- _openssl_assert(cert_stack != _ffi.NULL)
-
- pystore = self._context.get_cert_store()
- if pystore is None:
- return None
-
- pystorectx = X509StoreContext(pystore, pycert)
- pystorectx._chain = cert_stack
- return pystorectx.get_verified_chain()
+ return self._cert_stack_to_list(cert_stack)
def want_read(self):
"""
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 11be813..84f92b1 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1603,16 +1603,8 @@
if not isinstance(cert, X509):
raise TypeError()
- # As of OpenSSL 1.1.0i adding the same cert to the store more than
- # once doesn't cause an error. Accordingly, this code now silences
- # the error for OpenSSL < 1.1.0i as well.
- if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0:
- code = _lib.ERR_peek_error()
- err_reason = _lib.ERR_GET_REASON(code)
- _openssl_assert(
- err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE
- )
- _lib.ERR_clear_error()
+ res = _lib.X509_STORE_add_cert(self._store, cert._x509)
+ _openssl_assert(res == 1)
def add_crl(self, crl):
"""
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index e405b1a..aed2367 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -2621,17 +2621,8 @@
with a context using a different SSL method than the `Connection`
is using, a `OpenSSL.SSL.Error` is raised.
"""
- # Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2
- # and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT
- # is a way to check for 1.1.0)
- if SSL_ST_INIT is None:
- v1 = TLSv1_2_METHOD
- v2 = TLSv1_METHOD
- elif hasattr(_lib, "SSLv3_method"):
- v1 = TLSv1_METHOD
- v2 = SSLv3_METHOD
- else:
- pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")
+ v1 = TLSv1_2_METHOD
+ v2 = TLSv1_METHOD
key = load_privatekey(FILETYPE_PEM, server_key_pem)
cert = load_certificate(FILETYPE_PEM, server_cert_pem)
diff --git a/tox.ini b/tox.ini
index 4217abb..a338c94 100644
--- a/tox.ini
+++ b/tox.ini
@@ -10,7 +10,7 @@
deps =
coverage>=4.2
cryptographyMaster: git+https://github.com/pyca/cryptography.git
- cryptographyMinimum: cryptography==2.8
+ cryptographyMinimum: cryptography==3.2
randomorder: pytest-randomly
setenv =
# Do not allow the executing environment to pollute the test environment
@@ -32,21 +32,6 @@
python -c "import cryptography; print(cryptography.__version__)"
python -m twisted.trial --reporter=text twisted
-[testenv:py35-urllib3Master]
-basepython=python3.5
-deps =
- pyasn1
- ndg-httpsclient
-passenv = ARCHFLAGS CFLAGS LC_ALL LDFLAGS PATH LD_LIBRARY_PATH TERM TRAVIS_INFRA
-whitelist_externals =
- rm
-commands =
- python -c "import OpenSSL.SSL; print(OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION))"
- python -c "import cryptography; print(cryptography.__version__)"
- {toxinidir}/.travis/install_urllib3.sh
- pytest urllib3/test
- rm -rf ./urllib3
-
[testenv:flake8]
basepython = python3
deps =
