Drop OpenSSL 1.0.1 (#908)
diff --git a/.travis.yml b/.travis.yml
index cddbaa8..5cc9418 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,10 +15,7 @@
- language: generic
os: osx
osx_image: xcode10.1
- env: TOXENV=py27 OPENSSL=1.1.1
- - python: "2.7" # these are just to make travis's UI a bit prettier
env: TOXENV=py27
- dist: trusty # For OpenSSL 1.0.1 coverage
- python: "2.7"
env: TOXENV=py27
- python: "3.5"
@@ -108,11 +105,7 @@
- |
if [[ "$(uname -s)" == 'Darwin' ]]; then
brew update
- if [[ "${OPENSSL}" == "1.1.1" ]]; then
- brew upgrade openssl@1.1
- else
- brew upgrade openssl
- fi
+ brew upgrade openssl@1.1
curl -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py --user
python -m pip install --user virtualenv
@@ -126,15 +119,9 @@
- |
if [[ "$(uname -s)" == 'Darwin' ]]; then
# set our flags to use homebrew openssl
- if [[ "${OPENSSL}" == "1.1.1" ]]; then
- export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
- export CFLAGS="-I/usr/local/opt/openssl@1.1/include"
- export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"
- else
- export LDFLAGS="-L/usr/local/opt/openssl/lib"
- export CFLAGS="-I/usr/local/opt/openssl/include"
- export PATH="/usr/local/opt/openssl/bin:$PATH"
- fi
+ export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
+ export CFLAGS="-I/usr/local/opt/openssl@1.1/include"
+ export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"
fi
openssl version
~/.venv/bin/tox -v
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c971970..f72d0a6 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -12,6 +12,7 @@
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Drop support for Python 3.4
+- Drop support for OpenSSL 1.0.1
Deprecations:
^^^^^^^^^^^^^
diff --git a/INSTALL.rst b/INSTALL.rst
index 8c9c8dc..75540d5 100644
--- a/INSTALL.rst
+++ b/INSTALL.rst
@@ -25,7 +25,6 @@
pyOpenSSL supports the same platforms and releases as the upstream cryptography project `does <https://cryptography.io/en/latest/installation/#supported-platforms>`_.
Currently that means:
-- 1.0.1
- 1.0.2
- 1.1.0
- 1.1.1
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 03f1455..25308f1 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -727,14 +727,11 @@
_openssl_assert(context != _ffi.NULL)
context = _ffi.gc(context, _lib.SSL_CTX_free)
- # If SSL_CTX_set_ecdh_auto is available then set it so the ECDH curve
- # will be auto-selected. This function was added in 1.0.2 and made a
- # noop in 1.1.0+ (where it is set automatically).
- try:
- res = _lib.SSL_CTX_set_ecdh_auto(context, 1)
- _openssl_assert(res == 1)
- except AttributeError:
- pass
+ # Set SSL_CTX_set_ecdh_auto so that the ECDH curve will be
+ # auto-selected. This function was added in 1.0.2 and made a noop in
+ # 1.1.0+ (where it is set automatically).
+ res = _lib.SSL_CTX_set_ecdh_auto(context, 1)
+ _openssl_assert(res == 1)
self._context = context
self._passphrase_helper = None
@@ -2309,8 +2306,7 @@
raise TypeError("session must be a Session instance")
result = _lib.SSL_set_session(self._ssl, session._session)
- if not result:
- _raise_current_error()
+ _openssl_assert(result == 1)
def _get_finished_message(self, function):
"""
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 9a3f294..50e2026 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -1846,277 +1846,256 @@
"""
Tests for ALPN in PyOpenSSL.
"""
- # Skip tests on versions that don't support ALPN.
- if _lib.Cryptography_HAS_ALPN:
+ def test_alpn_success(self):
+ """
+ Clients and servers that agree on the negotiated ALPN protocol can
+ correct establish a connection, and the agreed protocol is reported
+ by the connections.
+ """
+ select_args = []
- def test_alpn_success(self):
- """
- Clients and servers that agree on the negotiated ALPN protocol can
- correct establish a connection, and the agreed protocol is reported
- by the connections.
- """
- select_args = []
+ def select(conn, options):
+ select_args.append((conn, options))
+ return b'spdy/2'
- def select(conn, options):
- select_args.append((conn, options))
- return b'spdy/2'
+ client_context = Context(TLSv1_METHOD)
+ client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
- client_context = Context(TLSv1_METHOD)
- client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
+ server_context = Context(TLSv1_METHOD)
+ server_context.set_alpn_select_callback(select)
- server_context = Context(TLSv1_METHOD)
- server_context.set_alpn_select_callback(select)
+ # Necessary to actually accept the connection
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, server_key_pem))
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, server_cert_pem))
- # Necessary to actually accept the connection
- server_context.use_privatekey(
- load_privatekey(FILETYPE_PEM, server_key_pem))
- server_context.use_certificate(
- load_certificate(FILETYPE_PEM, server_cert_pem))
+ # Do a little connection to trigger the logic
+ server = Connection(server_context, None)
+ server.set_accept_state()
- # Do a little connection to trigger the logic
- server = Connection(server_context, None)
- server.set_accept_state()
+ client = Connection(client_context, None)
+ client.set_connect_state()
- client = Connection(client_context, None)
- client.set_connect_state()
+ interact_in_memory(server, client)
+ assert select_args == [(server, [b'http/1.1', b'spdy/2'])]
+
+ assert server.get_alpn_proto_negotiated() == b'spdy/2'
+ assert client.get_alpn_proto_negotiated() == b'spdy/2'
+
+ def test_alpn_set_on_connection(self):
+ """
+ The same as test_alpn_success, but setting the ALPN protocols on
+ the connection rather than the context.
+ """
+ select_args = []
+
+ def select(conn, options):
+ select_args.append((conn, options))
+ return b'spdy/2'
+
+ # Setup the client context but don't set any ALPN protocols.
+ client_context = Context(TLSv1_METHOD)
+
+ server_context = Context(TLSv1_METHOD)
+ server_context.set_alpn_select_callback(select)
+
+ # Necessary to actually accept the connection
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, server_key_pem))
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, server_cert_pem))
+
+ # Do a little connection to trigger the logic
+ server = Connection(server_context, None)
+ server.set_accept_state()
+
+ # Set the ALPN protocols on the client connection.
+ client = Connection(client_context, None)
+ client.set_alpn_protos([b'http/1.1', b'spdy/2'])
+ client.set_connect_state()
+
+ interact_in_memory(server, client)
+
+ assert select_args == [(server, [b'http/1.1', b'spdy/2'])]
+
+ assert server.get_alpn_proto_negotiated() == b'spdy/2'
+ assert client.get_alpn_proto_negotiated() == b'spdy/2'
+
+ def test_alpn_server_fail(self):
+ """
+ When clients and servers cannot agree on what protocol to use next
+ the TLS connection does not get established.
+ """
+ select_args = []
+
+ def select(conn, options):
+ select_args.append((conn, options))
+ return b''
+
+ client_context = Context(TLSv1_METHOD)
+ client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
+
+ server_context = Context(TLSv1_METHOD)
+ server_context.set_alpn_select_callback(select)
+
+ # Necessary to actually accept the connection
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, server_key_pem))
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, server_cert_pem))
+
+ # Do a little connection to trigger the logic
+ server = Connection(server_context, None)
+ server.set_accept_state()
+
+ client = Connection(client_context, None)
+ client.set_connect_state()
+
+ # If the client doesn't return anything, the connection will fail.
+ with pytest.raises(Error):
interact_in_memory(server, client)
- assert select_args == [(server, [b'http/1.1', b'spdy/2'])]
+ assert select_args == [(server, [b'http/1.1', b'spdy/2'])]
- assert server.get_alpn_proto_negotiated() == b'spdy/2'
- assert client.get_alpn_proto_negotiated() == b'spdy/2'
+ def test_alpn_no_server_overlap(self):
+ """
+ A server can allow a TLS handshake to complete without
+ agreeing to an application protocol by returning
+ ``NO_OVERLAPPING_PROTOCOLS``.
+ """
+ refusal_args = []
- def test_alpn_set_on_connection(self):
- """
- The same as test_alpn_success, but setting the ALPN protocols on
- the connection rather than the context.
- """
- select_args = []
+ def refusal(conn, options):
+ refusal_args.append((conn, options))
+ return NO_OVERLAPPING_PROTOCOLS
- def select(conn, options):
- select_args.append((conn, options))
- return b'spdy/2'
+ client_context = Context(SSLv23_METHOD)
+ client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
- # Setup the client context but don't set any ALPN protocols.
- client_context = Context(TLSv1_METHOD)
+ server_context = Context(SSLv23_METHOD)
+ server_context.set_alpn_select_callback(refusal)
- server_context = Context(TLSv1_METHOD)
- server_context.set_alpn_select_callback(select)
+ # Necessary to actually accept the connection
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, server_key_pem))
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, server_cert_pem))
- # Necessary to actually accept the connection
- server_context.use_privatekey(
- load_privatekey(FILETYPE_PEM, server_key_pem))
- server_context.use_certificate(
- load_certificate(FILETYPE_PEM, server_cert_pem))
+ # Do a little connection to trigger the logic
+ server = Connection(server_context, None)
+ server.set_accept_state()
- # Do a little connection to trigger the logic
- server = Connection(server_context, None)
- server.set_accept_state()
+ client = Connection(client_context, None)
+ client.set_connect_state()
- # Set the ALPN protocols on the client connection.
- client = Connection(client_context, None)
- client.set_alpn_protos([b'http/1.1', b'spdy/2'])
- client.set_connect_state()
+ # Do the dance.
+ interact_in_memory(server, client)
+ assert refusal_args == [(server, [b'http/1.1', b'spdy/2'])]
+
+ assert client.get_alpn_proto_negotiated() == b''
+
+ def test_alpn_select_cb_returns_invalid_value(self):
+ """
+ If the ALPN selection callback returns anything other than
+ a bytestring or ``NO_OVERLAPPING_PROTOCOLS``, a
+ :py:exc:`TypeError` is raised.
+ """
+ invalid_cb_args = []
+
+ def invalid_cb(conn, options):
+ invalid_cb_args.append((conn, options))
+ return u"can't return unicode"
+
+ client_context = Context(SSLv23_METHOD)
+ client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
+
+ server_context = Context(SSLv23_METHOD)
+ server_context.set_alpn_select_callback(invalid_cb)
+
+ # Necessary to actually accept the connection
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, server_key_pem))
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, server_cert_pem))
+
+ # Do a little connection to trigger the logic
+ server = Connection(server_context, None)
+ server.set_accept_state()
+
+ client = Connection(client_context, None)
+ client.set_connect_state()
+
+ # Do the dance.
+ with pytest.raises(TypeError):
interact_in_memory(server, client)
- assert select_args == [(server, [b'http/1.1', b'spdy/2'])]
+ assert invalid_cb_args == [(server, [b'http/1.1', b'spdy/2'])]
- assert server.get_alpn_proto_negotiated() == b'spdy/2'
- assert client.get_alpn_proto_negotiated() == b'spdy/2'
+ assert client.get_alpn_proto_negotiated() == b''
- def test_alpn_server_fail(self):
- """
- When clients and servers cannot agree on what protocol to use next
- the TLS connection does not get established.
- """
- select_args = []
+ def test_alpn_no_server(self):
+ """
+ When clients and servers cannot agree on what protocol to use next
+ because the server doesn't offer ALPN, no protocol is negotiated.
+ """
+ client_context = Context(TLSv1_METHOD)
+ client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
- def select(conn, options):
- select_args.append((conn, options))
- return b''
+ server_context = Context(TLSv1_METHOD)
- client_context = Context(TLSv1_METHOD)
- client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
+ # Necessary to actually accept the connection
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, server_key_pem))
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, server_cert_pem))
- server_context = Context(TLSv1_METHOD)
- server_context.set_alpn_select_callback(select)
+ # Do a little connection to trigger the logic
+ server = Connection(server_context, None)
+ server.set_accept_state()
- # Necessary to actually accept the connection
- server_context.use_privatekey(
- load_privatekey(FILETYPE_PEM, server_key_pem))
- server_context.use_certificate(
- load_certificate(FILETYPE_PEM, server_cert_pem))
+ client = Connection(client_context, None)
+ client.set_connect_state()
- # Do a little connection to trigger the logic
- server = Connection(server_context, None)
- server.set_accept_state()
+ # Do the dance.
+ interact_in_memory(server, client)
- client = Connection(client_context, None)
- client.set_connect_state()
+ assert client.get_alpn_proto_negotiated() == b''
- # If the client doesn't return anything, the connection will fail.
- with pytest.raises(Error):
- interact_in_memory(server, client)
+ def test_alpn_callback_exception(self):
+ """
+ We can handle exceptions in the ALPN select callback.
+ """
+ select_args = []
- assert select_args == [(server, [b'http/1.1', b'spdy/2'])]
+ def select(conn, options):
+ select_args.append((conn, options))
+ raise TypeError()
- def test_alpn_no_server_overlap(self):
- """
- A server can allow a TLS handshake to complete without
- agreeing to an application protocol by returning
- ``NO_OVERLAPPING_PROTOCOLS``.
- """
- refusal_args = []
+ client_context = Context(TLSv1_METHOD)
+ client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
- def refusal(conn, options):
- refusal_args.append((conn, options))
- return NO_OVERLAPPING_PROTOCOLS
+ server_context = Context(TLSv1_METHOD)
+ server_context.set_alpn_select_callback(select)
- client_context = Context(SSLv23_METHOD)
- client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
+ # Necessary to actually accept the connection
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, server_key_pem))
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, server_cert_pem))
- server_context = Context(SSLv23_METHOD)
- server_context.set_alpn_select_callback(refusal)
+ # Do a little connection to trigger the logic
+ server = Connection(server_context, None)
+ server.set_accept_state()
- # Necessary to actually accept the connection
- server_context.use_privatekey(
- load_privatekey(FILETYPE_PEM, server_key_pem))
- server_context.use_certificate(
- load_certificate(FILETYPE_PEM, server_cert_pem))
+ client = Connection(client_context, None)
+ client.set_connect_state()
- # Do a little connection to trigger the logic
- server = Connection(server_context, None)
- server.set_accept_state()
-
- client = Connection(client_context, None)
- client.set_connect_state()
-
- # Do the dance.
+ with pytest.raises(TypeError):
interact_in_memory(server, client)
-
- assert refusal_args == [(server, [b'http/1.1', b'spdy/2'])]
-
- assert client.get_alpn_proto_negotiated() == b''
-
- def test_alpn_select_cb_returns_invalid_value(self):
- """
- If the ALPN selection callback returns anything other than
- a bytestring or ``NO_OVERLAPPING_PROTOCOLS``, a
- :py:exc:`TypeError` is raised.
- """
- invalid_cb_args = []
-
- def invalid_cb(conn, options):
- invalid_cb_args.append((conn, options))
- return u"can't return unicode"
-
- client_context = Context(SSLv23_METHOD)
- client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
-
- server_context = Context(SSLv23_METHOD)
- server_context.set_alpn_select_callback(invalid_cb)
-
- # Necessary to actually accept the connection
- server_context.use_privatekey(
- load_privatekey(FILETYPE_PEM, server_key_pem))
- server_context.use_certificate(
- load_certificate(FILETYPE_PEM, server_cert_pem))
-
- # Do a little connection to trigger the logic
- server = Connection(server_context, None)
- server.set_accept_state()
-
- client = Connection(client_context, None)
- client.set_connect_state()
-
- # Do the dance.
- with pytest.raises(TypeError):
- interact_in_memory(server, client)
-
- assert invalid_cb_args == [(server, [b'http/1.1', b'spdy/2'])]
-
- assert client.get_alpn_proto_negotiated() == b''
-
- def test_alpn_no_server(self):
- """
- When clients and servers cannot agree on what protocol to use next
- because the server doesn't offer ALPN, no protocol is negotiated.
- """
- client_context = Context(TLSv1_METHOD)
- client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
-
- server_context = Context(TLSv1_METHOD)
-
- # Necessary to actually accept the connection
- server_context.use_privatekey(
- load_privatekey(FILETYPE_PEM, server_key_pem))
- server_context.use_certificate(
- load_certificate(FILETYPE_PEM, server_cert_pem))
-
- # Do a little connection to trigger the logic
- server = Connection(server_context, None)
- server.set_accept_state()
-
- client = Connection(client_context, None)
- client.set_connect_state()
-
- # Do the dance.
- interact_in_memory(server, client)
-
- assert client.get_alpn_proto_negotiated() == b''
-
- def test_alpn_callback_exception(self):
- """
- We can handle exceptions in the ALPN select callback.
- """
- select_args = []
-
- def select(conn, options):
- select_args.append((conn, options))
- raise TypeError()
-
- client_context = Context(TLSv1_METHOD)
- client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
-
- server_context = Context(TLSv1_METHOD)
- server_context.set_alpn_select_callback(select)
-
- # Necessary to actually accept the connection
- server_context.use_privatekey(
- load_privatekey(FILETYPE_PEM, server_key_pem))
- server_context.use_certificate(
- load_certificate(FILETYPE_PEM, server_cert_pem))
-
- # Do a little connection to trigger the logic
- server = Connection(server_context, None)
- server.set_accept_state()
-
- client = Connection(client_context, None)
- client.set_connect_state()
-
- with pytest.raises(TypeError):
- interact_in_memory(server, client)
- assert select_args == [(server, [b'http/1.1', b'spdy/2'])]
-
- else:
- # No ALPN.
- def test_alpn_not_implemented(self):
- """
- If ALPN is not in OpenSSL, we should raise NotImplementedError.
- """
- # Test the context methods first.
- context = Context(TLSv1_METHOD)
- with pytest.raises(NotImplementedError):
- context.set_alpn_protos(None)
- with pytest.raises(NotImplementedError):
- context.set_alpn_select_callback(None)
-
- # Now test a connection.
- conn = Connection(context)
- with pytest.raises(NotImplementedError):
- conn.set_alpn_protos(None)
+ assert select_args == [(server, [b'http/1.1', b'spdy/2'])]
class TestSession(object):