Skip to content

Commit

Permalink
Drop CI for OpenSSL 1.0.2 (#953)
Browse files Browse the repository at this point in the history
* Drop CI for OpenSSL 1.0.2

* Delete code for coverage reasons

* Bump minimum cryptography version
  • Loading branch information
alex authored Oct 27, 2020
1 parent 669dcc3 commit 124a013
Show file tree
Hide file tree
Showing 8 changed files with 15 additions and 95 deletions.
10 changes: 1 addition & 9 deletions .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,6 @@ jobs:
os: osx
osx_image: xcode11.6
env: TOXENV=py27
- python: "2.7"
env: TOXENV=py27
# we should still test against OpenSSL 1.0.2. Xenial gives us that for now.
dist: xenial
- python: "3.5"
env: TOXENV=py35
- python: "3.6"
Expand Down Expand Up @@ -71,13 +67,9 @@ jobs:
- python: "3.7"
env: TOXENV=py37-randomorder

# Make sure we don't break Twisted or urllib3
# Make sure we don't break Twisted
- python: "3.7"
env: TOXENV=py37-twistedMaster
- python: "3.5"
env: TOXENV=py35-urllib3Master
# Somehow urllib3 has trouble with newer distributions
dist: xenial


# Meta
Expand Down
8 changes: 0 additions & 8 deletions .travis/install_urllib3.sh

This file was deleted.

3 changes: 2 additions & 1 deletion CHANGELOG.rst
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,11 @@ The third digit is only for regressions.
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 3.2.
- Remove deprecated ``OpenSSL.tsafe`` module.
- Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.
- Drop support for Python 3.4
- Drop support for OpenSSL 1.0.1
- Drop support for OpenSSL 1.0.1 and 1.0.2

Deprecations:
^^^^^^^^^^^^^
Expand Down
2 changes: 1 addition & 1 deletion setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ def find_meta(meta):
package_dir={"": "src"},
install_requires=[
# Fix cryptographyMinimum in tox.ini when changing this!
"cryptography>=2.8",
"cryptography>=3.2",
"six>=1.5.2",
],
extras_require={
Expand Down
45 changes: 6 additions & 39 deletions src/OpenSSL/SSL.py
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@
X509Name,
X509,
X509Store,
X509StoreContext,
)

__all__ = [
Expand Down Expand Up @@ -147,10 +146,7 @@ class _buffer(object):
OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1
OP_NO_TLSv1_1 = _lib.SSL_OP_NO_TLSv1_1
OP_NO_TLSv1_2 = _lib.SSL_OP_NO_TLSv1_2
try:
OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3
except AttributeError:
pass
OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3

MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS

Expand Down Expand Up @@ -202,14 +198,6 @@ class _buffer(object):
SSL_ST_CONNECT = _lib.SSL_ST_CONNECT
SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT
SSL_ST_MASK = _lib.SSL_ST_MASK
if _lib.Cryptography_HAS_SSL_ST:
SSL_ST_INIT = _lib.SSL_ST_INIT
SSL_ST_BEFORE = _lib.SSL_ST_BEFORE
SSL_ST_OK = _lib.SSL_ST_OK
SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE
__all__.extend(
["SSL_ST_INIT", "SSL_ST_BEFORE", "SSL_ST_OK", "SSL_ST_RENEGOTIATE"]
)

SSL_CB_LOOP = _lib.SSL_CB_LOOP
SSL_CB_EXIT = _lib.SSL_CB_EXIT
Expand Down Expand Up @@ -972,11 +960,7 @@ def set_session_id(self, buf):
"""
buf = _text_to_bytes_and_warn("buf", buf)
_openssl_assert(
_lib.SSL_CTX_set_session_id_context(
self._context,
buf,
len(buf),
)
_lib.SSL_CTX_set_session_id_context(self._context, buf, len(buf))
== 1
)

Expand Down Expand Up @@ -2175,29 +2159,12 @@ def get_verified_chain(self):
.. versionadded:: 20.0
"""
if hasattr(_lib, "SSL_get0_verified_chain"):
# OpenSSL 1.1+
cert_stack = _lib.SSL_get0_verified_chain(self._ssl)
if cert_stack == _ffi.NULL:
return None

return self._cert_stack_to_list(cert_stack)

pycert = self.get_peer_certificate()
if pycert is None:
return None

# Should never be NULL because the peer presented a certificate.
cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)
_openssl_assert(cert_stack != _ffi.NULL)

pystore = self._context.get_cert_store()
if pystore is None:
# OpenSSL 1.1+
cert_stack = _lib.SSL_get0_verified_chain(self._ssl)
if cert_stack == _ffi.NULL:
return None

pystorectx = X509StoreContext(pystore, pycert)
pystorectx._chain = cert_stack
return pystorectx.get_verified_chain()
return self._cert_stack_to_list(cert_stack)

def want_read(self):
"""
Expand Down
12 changes: 2 additions & 10 deletions src/OpenSSL/crypto.py
Original file line number Diff line number Diff line change
Expand Up @@ -1603,16 +1603,8 @@ def add_cert(self, cert):
if not isinstance(cert, X509):
raise TypeError()

# As of OpenSSL 1.1.0i adding the same cert to the store more than
# once doesn't cause an error. Accordingly, this code now silences
# the error for OpenSSL < 1.1.0i as well.
if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0:
code = _lib.ERR_peek_error()
err_reason = _lib.ERR_GET_REASON(code)
_openssl_assert(
err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE
)
_lib.ERR_clear_error()
res = _lib.X509_STORE_add_cert(self._store, cert._x509)
_openssl_assert(res == 1)

def add_crl(self, crl):
"""
Expand Down
13 changes: 2 additions & 11 deletions tests/test_ssl.py
Original file line number Diff line number Diff line change
Expand Up @@ -2621,17 +2621,8 @@ def test_set_session_wrong_method(self):
with a context using a different SSL method than the `Connection`
is using, a `OpenSSL.SSL.Error` is raised.
"""
# Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2
# and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT
# is a way to check for 1.1.0)
if SSL_ST_INIT is None:
v1 = TLSv1_2_METHOD
v2 = TLSv1_METHOD
elif hasattr(_lib, "SSLv3_method"):
v1 = TLSv1_METHOD
v2 = SSLv3_METHOD
else:
pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")
v1 = TLSv1_2_METHOD
v2 = TLSv1_METHOD

key = load_privatekey(FILETYPE_PEM, server_key_pem)
cert = load_certificate(FILETYPE_PEM, server_cert_pem)
Expand Down
17 changes: 1 addition & 16 deletions tox.ini
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ extras =
deps =
coverage>=4.2
cryptographyMaster: git+https://github.com/pyca/cryptography.git
cryptographyMinimum: cryptography==2.8
cryptographyMinimum: cryptography==3.2
randomorder: pytest-randomly
setenv =
# Do not allow the executing environment to pollute the test environment
Expand All @@ -32,21 +32,6 @@ commands =
python -c "import cryptography; print(cryptography.__version__)"
python -m twisted.trial --reporter=text twisted

[testenv:py35-urllib3Master]
basepython=python3.5
deps =
pyasn1
ndg-httpsclient
passenv = ARCHFLAGS CFLAGS LC_ALL LDFLAGS PATH LD_LIBRARY_PATH TERM TRAVIS_INFRA
whitelist_externals =
rm
commands =
python -c "import OpenSSL.SSL; print(OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION))"
python -c "import cryptography; print(cryptography.__version__)"
{toxinidir}/.travis/install_urllib3.sh
pytest urllib3/test
rm -rf ./urllib3

[testenv:flake8]
basepython = python3
deps =
Expand Down

0 comments on commit 124a013

Please sign in to comment.