Drop OpenSSL 1.1.0

.github/workflows/ci.yml

@@ -32,7 +32,6 @@ jobs:
           - {VERSION: "pypy-3.7", TOXENV: "pypy3-nocoverage"}
           - {VERSION: "pypy-3.8", TOXENV: "pypy3-nocoverage"}
           - {VERSION: "pypy-3.9", TOXENV: "pypy3-nocoverage"}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
           - {VERSION: "3.10", TOXENV: "py310-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}

CHANGELOG.rst

@@ -8,6 +8,8 @@ Changelog
 
 .. note:: This version is not yet released and is under active development.
 
+* Support for OpenSSL 1.1.0 has been removed. Users on older version of
+  OpenSSL will need to upgrade.
 
 .. _v38-0-0:
 

docs/faq.rst

@@ -111,14 +111,14 @@ earlier the default compiler is extremely old. Use ``pkg_add`` to install a
 newer ``gcc`` and then install ``cryptography`` using
 ``CC=/path/to/newer/gcc pip install cryptography``.
 
-Installing cryptography with OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2 fails
----------------------------------------------------------------------
-
-The OpenSSL project has dropped support for the 0.9.8, 1.0.0, 1.0.1, and 1.0.2
-release series. Since they are no longer receiving security patches from
-upstream, ``cryptography`` is also dropping support for them. To fix this issue
-you should upgrade to a newer version of OpenSSL (1.1.0 or later). This may
-require you to upgrade to a newer operating system.
+Installing cryptography with OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 fails
+----------------------------------------------------------------------------
+
+The OpenSSL project has dropped support for the 0.9.8, 1.0.0, 1.0.1, 1.0.2,
+and 1.1.0 release series. Since they are no longer receiving security patches
+from upstream, ``cryptography`` is also dropping support for them. To fix this
+issue you should upgrade to a newer version of OpenSSL (1.1.1 or later). This
+may require you to upgrade to a newer operating system.
 
 Installing ``cryptography`` fails with ``error: Can not find Rust compiler``
 ----------------------------------------------------------------------------

docs/installation.rst

@@ -31,17 +31,12 @@ operating systems.
 We test compiling with ``clang`` as well as ``gcc`` and use the following
 OpenSSL releases:
 
-* ``OpenSSL 1.1.0-latest``
 * ``OpenSSL 1.1.1-latest``
 * ``OpenSSL 3.0-latest``
 
 In addition we test against several versions of LibreSSL and the latest commit
 in BoringSSL.
 
-.. warning::
-
-    Cryptography 37.0.0 has deprecated support for OpenSSL 1.1.0.
-
 
 Building cryptography on Windows
 --------------------------------

src/_cffi_src/openssl/cryptography.py

@@ -55,17 +55,15 @@
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 (0)
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-    #error "pyca/cryptography MUST be linked with Openssl 1.1.0 or later"
+#if OPENSSL_VERSION_NUMBER < 0x10101000
+    #error "pyca/cryptography MUST be linked with Openssl 1.1.1 or later"
 #endif
 
 #define CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER \
     (OPENSSL_VERSION_NUMBER >= 0x10101040 && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \
     (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL)
 
-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
-    (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
     (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
@@ -84,7 +82,6 @@
 static const int CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
 
-static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E;
 static const int CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE;

src/_cffi_src/openssl/evp.py

@@ -203,8 +203,7 @@
                                       size_t) = NULL;
 #endif
 
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
-    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340
 static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
 int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
                       const unsigned char *tbs, size_t) = NULL;
@@ -214,7 +213,7 @@
 static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
 #endif
 
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+#if CRYPTOGRAPHY_IS_LIBRESSL
 static const long Cryptography_HAS_RAW_KEY = 0;
 static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
 int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;

src/_cffi_src/openssl/ssl.py

@@ -25,7 +25,6 @@
 static const long Cryptography_HAS_PSK_TLSv1_3;
 static const long Cryptography_HAS_VERIFIED_CHAIN;
 static const long Cryptography_HAS_KEYLOG;
-static const long Cryptography_HAS_GET_PROTO_VERSION;
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
 static const long Cryptography_HAS_SSL_COOKIE;
 
@@ -566,8 +565,7 @@
 static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
 #endif
 
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 || \
-    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350
 static const long Cryptography_HAS_KEYLOG = 0;
 void (*SSL_CTX_set_keylog_callback)(SSL_CTX *,
                                     void (*) (const SSL *, const char *)
@@ -653,7 +651,7 @@
 long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
 #endif
 
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_DTLS_GET_DATA_MTU = 0;
 size_t (*DTLS_get_data_mtu)(SSL *) = NULL;
 #else
@@ -747,18 +745,15 @@
 SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
 #endif
 
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
-    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340
 static const long Cryptography_HAS_TLSv1_3 = 0;
 static const long TLS1_3_VERSION = 0;
 static const long SSL_OP_NO_TLSv1_3 = 0;
 #else
 static const long Cryptography_HAS_TLSv1_3 = 1;
 #endif
 
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
-    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL) || \
-    CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_TLSv1_3_FUNCTIONS = 0;
 
 static const long SSL_VERIFY_POST_HANDSHAKE = 0;
@@ -774,17 +769,6 @@
 static const long Cryptography_HAS_TLSv1_3_FUNCTIONS = 1;
 #endif
 
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL
-static const long Cryptography_HAS_GET_PROTO_VERSION = 0;
-
-long (*SSL_CTX_get_min_proto_version)(SSL_CTX *) = NULL;
-long (*SSL_CTX_get_max_proto_version)(SSL_CTX *) = NULL;
-long (*SSL_get_min_proto_version)(SSL *) = NULL;
-long (*SSL_get_max_proto_version)(SSL *) = NULL;
-#else
-static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
-#endif
-
 #if CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_SSL_COOKIE = 0;
 
@@ -805,8 +789,7 @@
 #else
 static const long Cryptography_HAS_SSL_COOKIE = 1;
 #endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 || \
-    CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_PSK_TLSv1_3 = 0;
 void (*SSL_CTX_set_psk_find_session_callback)(SSL_CTX *,
                                            int (*)(

src/cryptography/hazmat/backends/openssl/backend.py

@@ -1980,7 +1980,7 @@ def x448_supported(self) -> bool:
         if self._fips_enabled:
             return False
         return (
-            not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+            not self._lib.CRYPTOGRAPHY_IS_LIBRESSL
             and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL
         )
 

src/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -230,15 +230,6 @@ def cryptography_has_srtp() -> typing.List[str]:
     ]
 
 
-def cryptography_has_get_proto_version() -> typing.List[str]:
-    return [
-        "SSL_CTX_get_min_proto_version",
-        "SSL_CTX_get_max_proto_version",
-        "SSL_get_min_proto_version",
-        "SSL_get_max_proto_version",
-    ]
-
-
 def cryptography_has_providers() -> typing.List[str]:
     return [
         "OSSL_PROVIDER_load",
@@ -366,7 +357,6 @@ def cryptography_has_ssl_op_ignore_unexpected_eof() -> typing.List[str]:
     "Cryptography_HAS_ENGINE": cryptography_has_engine,
     "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
     "Cryptography_HAS_SRTP": cryptography_has_srtp,
-    "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
     "Cryptography_HAS_PROVIDERS": cryptography_has_providers,
     "Cryptography_HAS_OP_NO_RENEGOTIATION": (
         cryptography_has_op_no_renegotiation

src/cryptography/hazmat/bindings/openssl/binding.py

@@ -6,10 +6,8 @@
 import threading
 import types
 import typing
-import warnings
 
 import cryptography
-from cryptography import utils
 from cryptography.exceptions import InternalError
 from cryptography.hazmat.bindings._openssl import ffi, lib
 from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
@@ -188,20 +186,6 @@ def init_static_locks(cls):
         cls._ensure_ffi_initialized()
 
 
-def _verify_openssl_version(lib):
-    if (
-        lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-        and not lib.CRYPTOGRAPHY_IS_LIBRESSL
-        and not lib.CRYPTOGRAPHY_IS_BORINGSSL
-    ):
-        warnings.warn(
-            "OpenSSL version 1.1.0 is no longer supported by the OpenSSL "
-            "project, please upgrade. The next release of cryptography will "
-            "drop support for OpenSSL 1.1.0.",
-            utils.DeprecatedIn37,
-        )
-
-
 def _verify_package_version(version):
     # Occasionally we run into situations where the version of the Python
     # package does not match the version of the shared object that is loaded.
@@ -226,5 +210,3 @@ def _verify_package_version(version):
 _verify_package_version(cryptography.__version__)
 
 Binding.init_static_locks()
-
-_verify_openssl_version(Binding.lib)