Drop support for OpenSSL 1.1.x

Author: alex

.github/workflows/ci.yml

@@ -157,9 +157,6 @@ jobs:
       fail-fast: false
       matrix:
         IMAGE:
-          - {IMAGE: "rhel8", NOXSESSION: "tests", RUNNER: "ubuntu-latest"}
-          - {IMAGE: "rhel8-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true}
-          - {IMAGE: "bullseye", NOXSESSION: "tests", RUNNER: "ubuntu-latest"}
           - {IMAGE: "bookworm", NOXSESSION: "tests", RUNNER: "ubuntu-latest"}
           - {IMAGE: "trixie", NOXSESSION: "tests", RUNNER: "ubuntu-latest"}
           - {IMAGE: "sid", NOXSESSION: "tests", RUNNER: "ubuntu-latest"}

CHANGELOG.rst

@@ -9,6 +9,9 @@ Changelog
 .. note:: This version is not yet released and is under active development.
 
 * **BACKWARDS INCOMPATIBLE:** Support for Python 3.7 has been removed.
+* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
+  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
+  continue to be supported.
 * Removed the deprecated ``get_attribute_for_oid`` method on
   :class:`~cryptography.x509.CertificateSigningRequest`. Users should use
   :meth:`~cryptography.x509.Attributes.get_attribute_for_oid` instead.

docs/development/c-bindings.rst

@@ -189,9 +189,9 @@ Caveats
 Sometimes, a set of loosely related features are added in the same
 version, and it's impractical to create ``#ifdef`` statements for each
 one. In that case, it may make sense to either check for a particular
-version. For example, to check for OpenSSL 1.1.1 or newer::
+version. For example, to check for OpenSSL 3.2.0 or newer::
 
-    #if CRYPTOGRAPHY_OPENSSL_111_OR_GREATER
+    #if CRYPTOGRAPHY_OPENSSL_320_OR_GREATER
 
 Sometimes, the version of a library on a particular platform will have
 features that you thought it wouldn't, based on its version.

docs/faq.rst

@@ -107,14 +107,14 @@ If you have no other libraries using OpenSSL in your process, or they do not
 appear to be at fault, it's possible that this is a bug in ``cryptography``.
 Please file an `issue`_ with instructions on how to reproduce it.
 
-Installing cryptography with OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 fails
-----------------------------------------------------------------------------
+Installing cryptography with OpenSSL older than 3.0.0 fails
+------------------------------------------------------------
 
 The OpenSSL project has dropped support for the 0.9.8, 1.0.0, 1.0.1, 1.0.2,
-and 1.1.0 release series. Since they are no longer receiving security patches
+1.1.0, and 1.1.1 release series. Since they are no longer receiving security patches
 from upstream, ``cryptography`` is also dropping support for them. To fix this
-issue you should upgrade to a newer version of OpenSSL (1.1.1 or later). This
-may require you to upgrade to a newer operating system.
+issue you should upgrade to OpenSSL 3.0.0 or later. This may require you to 
+upgrade to a newer operating system.
 
 Installing ``cryptography`` fails with ``error: Can not find Rust compiler``
 ----------------------------------------------------------------------------

docs/installation.rst

@@ -24,15 +24,13 @@ Supported platforms
 Currently we test ``cryptography`` on Python 3.8+ and PyPy3 7.3.11+ on these
 operating systems.
 
-* x86-64 RHEL 8.x
 * x86-64 CentOS Stream 9, 10
 * x86-64 Fedora (latest)
 * x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma
 * x86-64 Ubuntu 22.04, 24.04, rolling
 * ARM64 Ubuntu rolling
 * ARMv7l Ubuntu rolling
-* x86-64 Debian Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and
-  Sid (unstable)
+* x86-64 Debian Bookworm (12.x), Trixie (13.x), and Sid (unstable)
 * x86-64 and ARM64 Alpine (latest)
 * 32-bit and 64-bit Python on 64-bit Windows Server 2022
 
@@ -206,7 +204,7 @@ available from your system package manager.
 Then, paste the following into a shell script. You'll need to populate the
 ``OPENSSL_VERSION`` variable. To do that, visit `openssl.org`_ and find the
 latest non-FIPS release version number, then set the string appropriately. For
-example, for OpenSSL 1.1.1k, use ``OPENSSL_VERSION="1.1.1k"``.
+example, for OpenSSL 3.0.9, use ``OPENSSL_VERSION="3.0.9"``.
 
 When this shell script is complete, you'll find a collection of wheel files in
 a directory called ``wheelhouse``. These wheels can be installed by a

src/_cffi_src/openssl/cryptography.py

@@ -5,9 +5,9 @@
 from __future__ import annotations
 
 INCLUDES = r"""
-/* define our OpenSSL API compatibility level to 1.1.0. Any symbols older than
+/* define our OpenSSL API compatibility level to 3.0.0. Any symbols older than
    that will raise an error during compilation. */
-#define OPENSSL_API_COMPAT 0x10100000L
+#define OPENSSL_API_COMPAT 0x30000000L
 
 #if defined(_WIN32)
 #ifndef WIN32_LEAN_AND_MEAN
@@ -49,8 +49,11 @@
 #endif
 
 
-#if OPENSSL_VERSION_NUMBER < 0x10101050
-    #error "pyca/cryptography MUST be linked with Openssl 1.1.1e or later"
+#if !CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_IS_BORINGSSL && \
+    !CRYPTOGRAPHY_IS_AWSLC
+    #if OPENSSL_VERSION_NUMBER < 0x30000000
+        #error "pyca/cryptography MUST be linked with OpenSSL 3.0.0 or later"
+    #endif
 #endif
 """
 

src/_cffi_src/openssl/ssl.py

@@ -476,8 +476,8 @@
 static const long Cryptography_HAS_GET_EXTMS_SUPPORT = 1;
 #endif
 
-/* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were
-   removed */
+/* The SSL_ST values were renamed to TLS_ST in OpenSSL and several were
+   removed, but are still available in LibreSSL, BoringSSL, and AWS-LC */
 #if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL \
     || CRYPTOGRAPHY_IS_AWSLC
 static const long Cryptography_HAS_SSL_ST = 1;

src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi

@@ -48,7 +48,6 @@ __all__ = [
 CRYPTOGRAPHY_IS_LIBRESSL: bool
 CRYPTOGRAPHY_IS_BORINGSSL: bool
 CRYPTOGRAPHY_IS_AWSLC: bool
-CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool
 CRYPTOGRAPHY_OPENSSL_309_OR_GREATER: bool
 CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool
 CRYPTOGRAPHY_OPENSSL_330_OR_GREATER: bool

src/rust/Cargo.toml

@@ -38,4 +38,4 @@ name = "cryptography_rust"
 crate-type = ["cdylib"]
 
 [lints.rust]
-unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_330_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_IS_AWSLC)', 'cfg(CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4", "OPENSSL_NO_RC4"))'] }
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_330_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_IS_AWSLC)', 'cfg(CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4", "OPENSSL_NO_RC4"))'] }

src/rust/build.rs

@@ -11,9 +11,6 @@ fn main() {
     if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") {
         let version = u64::from_str_radix(&version, 16).unwrap();
 
-        if version >= 0x3_00_00_00_0 {
-            println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_300_OR_GREATER");
-        }
         if version >= 0x3_00_09_00_0 {
             println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_309_OR_GREATER");
         }