bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453)

2025-01-22 16:35:16 +08:00 · 2021-04-17 15:49:50 +02:00 · 2021-04-17 15:49:50 +02:00 · b8d0fa035d
commit b8d0fa035d
parent ea39f82b97
4 changed files with 12 additions and 175 deletions
--- a/Doc/library/hashlib.rst
+++ b/Doc/library/hashlib.rst
@ -280,8 +280,6 @@ include a `salt <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_.
   factor and *maxmem* limits memory (OpenSSL 1.1.0 defaults to 32 MiB).
   *dklen* is the length of the derived key.

-   .. availability:: OpenSSL 1.1+.
-
   .. versionadded:: 3.6


--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@ -58,6 +58,11 @@ by SSL sockets created through the :meth:`SSLContext.wrap_socket` method.
   In the future the ssl module will require at least OpenSSL 1.0.2 or
   1.1.0.

+.. versionchanged:: 3.10
+
+   :pep:`644` has been implemented. The ssl module requires OpenSSL 1.1.1
+   or newer.
+

 Functions, Constants, and Exceptions
 ------------------------------------
@ -325,19 +330,6 @@ Random generation
   :func:`ssl.RAND_egd` and :func:`ssl.RAND_add` to increase the randomness of
   the pseudo-random number generator.

-.. function:: RAND_egd(path)
-
-   If you are running an entropy-gathering daemon (EGD) somewhere, and *path*
-   is the pathname of a socket connection open to it, this will read 256 bytes
-   of randomness from the socket, and add it to the SSL pseudo-random number
-   generator to increase the security of generated secret keys.  This is
-   typically only necessary on systems without better sources of randomness.
-
-   See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources
-   of entropy-gathering daemons.
-
-   .. availability:: not available with LibreSSL and OpenSSL > 1.1.0.
-
 .. function:: RAND_add(bytes, entropy)

   Mix the given *bytes* into the SSL pseudo-random number generator.  The
@ -879,8 +871,6 @@ Constants
   Disable compression on the SSL channel.  This is useful if the application
   protocol supports its own compression scheme.

-   This option is only available with OpenSSL 1.0.0 and later.
-
   .. versionadded:: 3.3

 .. class:: Options
@ -1593,25 +1583,7 @@ to speed up repeated connections from the same clients.

       >>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
       >>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')
-       >>> ctx.get_ciphers()  # OpenSSL 1.0.x
-       [{'alg_bits': 256,
-         'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  '
-                        'Enc=AESGCM(256) Mac=AEAD',
-         'id': 50380848,
-         'name': 'ECDHE-RSA-AES256-GCM-SHA384',
-         'protocol': 'TLSv1/SSLv3',
-         'strength_bits': 256},
-        {'alg_bits': 128,
-         'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  '
-                        'Enc=AESGCM(128) Mac=AEAD',
-         'id': 50380847,
-         'name': 'ECDHE-RSA-AES128-GCM-SHA256',
-         'protocol': 'TLSv1/SSLv3',
-         'strength_bits': 128}]
-
-   On OpenSSL 1.1 and newer the cipher dict contains additional fields::
-
-       >>> ctx.get_ciphers()  # OpenSSL 1.1+
+       >>> ctx.get_ciphers()
       [{'aead': True,
         'alg_bits': 256,
         'auth': 'auth-rsa',
@ -1637,8 +1609,6 @@ to speed up repeated connections from the same clients.
         'strength_bits': 128,
         'symmetric': 'aes-128-gcm'}]

-   .. availability:: OpenSSL 1.0.2+.
-
   .. versionadded:: 3.6

 .. method:: SSLContext.set_default_verify_paths()
@ -1663,8 +1633,8 @@ to speed up repeated connections from the same clients.
      when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
      give the currently selected cipher.

-      OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
-      cannot be disabled with :meth:`~SSLContext.set_ciphers`.
+      TLS 1.3 cipher suites cannot be disabled with
+      :meth:`~SSLContext.set_ciphers`.

 .. method:: SSLContext.set_alpn_protocols(protocols)

@ -1678,10 +1648,6 @@ to speed up repeated connections from the same clients.
   This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is
   ``False``.

-   OpenSSL 1.1.0 to 1.1.0e will abort the handshake and raise :exc:`SSLError`
-   when both sides support ALPN but cannot agree on a protocol. 1.1.0f+
-   behaves like 1.0.2, :meth:`SSLSocket.selected_alpn_protocol` returns None.
-
   .. versionadded:: 3.5

 .. method:: SSLContext.set_npn_protocols(protocols)
@ -1883,7 +1849,7 @@ to speed up repeated connections from the same clients.
 .. method:: SSLContext.session_stats()

   Get statistics about the SSL sessions created or managed by this context.
-   A dictionary is returned which maps the names of each `piece of information <https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_sess_number.html>`_ to their
+   A dictionary is returned which maps the names of each `piece of information <https://www.openssl.org/docs/man1.1.1/ssl/SSL_CTX_sess_number.html>`_ to their
   numeric values.  For example, here is the total number of hits and misses
   in the session cache since the context was created::

@ -1926,10 +1892,6 @@ to speed up repeated connections from the same clients.
      :attr:`~SSLContext.verify_mode` is :data:`CERT_NONE`. Previously
      the same operation would have failed with a :exc:`ValueError`.

-   .. note::
-
-     This features requires OpenSSL 0.9.8f or newer.
-
 .. attribute:: SSLContext.keylog_filename

   Write TLS keys to a keylog file, whenever key material is generated or
@ -1940,10 +1902,6 @@ to speed up repeated connections from the same clients.

   .. versionadded:: 3.8

-   .. note::
-
-     This features requires OpenSSL 1.1.1 or newer.
-
 .. attribute:: SSLContext.maximum_version

   A :class:`TLSVersion` enum member representing the highest supported
@ -1960,11 +1918,6 @@ to speed up repeated connections from the same clients.
   :attr:`~SSLContext.maximum_version` set to :attr:`TLSVersion.TLSv1_2`
   will not be able to establish a TLS 1.2 connection.

-   .. note::
-
-     This attribute is not available unless the ssl module is compiled
-     with OpenSSL 1.1.0g or newer.
-
   .. versionadded:: 3.7

 .. attribute:: SSLContext.minimum_version
@ -1972,11 +1925,6 @@ to speed up repeated connections from the same clients.
   Like :attr:`SSLContext.maximum_version` except it is the lowest
   supported version or :attr:`TLSVersion.MINIMUM_SUPPORTED`.

-   .. note::
-
-     This attribute is not available unless the ssl module is compiled
-     with OpenSSL 1.1.0g or newer.
-
   .. versionadded:: 3.7

 .. attribute:: SSLContext.num_tickets
@ -1985,11 +1933,6 @@ to speed up repeated connections from the same clients.
   :attr:`TLS_PROTOCOL_SERVER` context. The setting has no impact on TLS
   1.0 to 1.2 connections.

-   .. note::
-
-     This attribute is not available unless the ssl module is compiled
-     with OpenSSL 1.1.1 or newer.
-
   .. versionadded:: 3.8

 .. attribute:: SSLContext.options
@ -1998,11 +1941,6 @@ to speed up repeated connections from the same clients.
   The default value is :data:`OP_ALL`, but you can specify other options
   such as :data:`OP_NO_SSLv2` by ORing them together.

-   .. note::
-      With versions of OpenSSL older than 0.9.8m, it is only possible
-      to set options, not to clear them.  Attempting to clear an option
-      (by resetting the corresponding bits) will raise a :exc:`ValueError`.
-
   .. versionchanged:: 3.6
      :attr:`SSLContext.options` returns :class:`Options` flags:

@ -2025,10 +1963,6 @@ to speed up repeated connections from the same clients.
   :meth:`SSLSocket.verify_client_post_handshake` is called and some I/O is
   performed.

-   .. note::
-      Only available with OpenSSL 1.1.1 and TLS 1.3 enabled. Without TLS 1.3
-      support, the property value is None and can't be modified
-
   .. versionadded:: 3.8

 .. attribute:: SSLContext.protocol
@ -2042,9 +1976,6 @@ to speed up repeated connections from the same clients.
   subject common name in the absence of a subject alternative name
   extension (default: true).

-   .. note::
-      Only writeable with OpenSSL 1.1.0 or higher.
-
   .. versionadded:: 3.7

   .. versionchanged:: 3.10
@ -2058,8 +1989,6 @@ to speed up repeated connections from the same clients.
   <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html>`_
   for the context. This attribute is read-only.

-   .. availability:: OpenSSL 1.1.0 or newer
-
   .. versionadded:: 3.10

 .. attribute:: SSLContext.verify_flags
@ -2067,7 +1996,6 @@ to speed up repeated connections from the same clients.
   The flags for certificate verification operations. You can set flags like
   :data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL
   does neither require nor verify certificate revocation lists (CRLs).
-   Available only with openssl version 0.9.8+.

   .. versionadded:: 3.4

@ -2733,9 +2661,8 @@ TLS 1.3

 .. versionadded:: 3.7

-Python has provisional and experimental support for TLS 1.3 with OpenSSL
-1.1.1.  The new protocol behaves slightly differently than previous version
-of TLS/SSL.  Some new TLS 1.3 features are not yet available.
+The TLS 1.3 protocol behaves slightly differently than previous version
+of TLS/SSL. Some new TLS 1.3 features are not yet available.

 - TLS 1.3 uses a disjunct set of cipher suites. All AES-GCM and
  ChaCha20 cipher suites are enabled by default.  The method
@ -2752,23 +2679,6 @@ of TLS/SSL.  Some new TLS 1.3 features are not yet available.
  signature algorithm configuration, and rekeying are not supported yet.


-.. _ssl-libressl:
-
-LibreSSL support
----------------
-
-LibreSSL is a fork of OpenSSL 1.0.1. The ssl module has limited support for
-LibreSSL. Some features are not available when the ssl module is compiled
-with LibreSSL.
-
-* LibreSSL >= 2.6.1 no longer supports NPN. The methods
-  :meth:`SSLContext.set_npn_protocols` and
-  :meth:`SSLSocket.selected_npn_protocol` are not available.
-* :meth:`SSLContext.set_default_verify_paths` ignores the env vars
-  :envvar:`SSL_CERT_FILE` and :envvar:`SSL_CERT_PATH` although
-  :func:`get_default_verify_paths` still reports them.
-
-
 .. seealso::

   Class :class:`socket.socket`
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -4971,38 +4971,6 @@ _ssl_RAND_status_impl(PyObject *module)
    return PyLong_FromLong(RAND_status());
 }

-#ifndef OPENSSL_NO_EGD
-/* LCOV_EXCL_START */
-/*[clinic input]
-_ssl.RAND_egd
-    path: object(converter="PyUnicode_FSConverter")
-    /
-
-Queries the entropy gather daemon (EGD) on the socket named by 'path'.
-
-Returns number of bytes read.  Raises SSLError if connection to EGD
-fails or if it does not provide enough data to seed PRNG.
-[clinic start generated code]*/
-
-static PyObject *
-_ssl_RAND_egd_impl(PyObject *module, PyObject *path)
-/*[clinic end generated code: output=02a67c7c367f52fa input=1aeb7eb948312195]*/
-{
-    int bytes = RAND_egd(PyBytes_AsString(path));
-    Py_DECREF(path);
-    if (bytes == -1) {
-        PyErr_SetString(PySSLErrorObject,
-                        "EGD connection failed or EGD did not return "
-                        "enough data to seed the PRNG");
-        return NULL;
-    }
-    return PyLong_FromLong(bytes);
-}
-/* LCOV_EXCL_STOP */
-#endif /* OPENSSL_NO_EGD */
-
-
-
 /*[clinic input]
 _ssl.get_default_verify_paths

@ -5445,7 +5413,6 @@ static PyMethodDef PySSL_methods[] = {
    _SSL_RAND_ADD_METHODDEF
    _SSL_RAND_BYTES_METHODDEF
    _SSL_RAND_PSEUDO_BYTES_METHODDEF
-    _SSL_RAND_EGD_METHODDEF
    _SSL_RAND_STATUS_METHODDEF
    _SSL_GET_DEFAULT_VERIFY_PATHS_METHODDEF
    _SSL_ENUM_CERTIFICATES_METHODDEF
--- a/Modules/clinic/_ssl.c.h
+++ b/Modules/clinic/_ssl.c.h
@ -1105,40 +1105,6 @@ _ssl_RAND_status(PyObject *module, PyObject *Py_UNUSED(ignored))
    return _ssl_RAND_status_impl(module);
 }

-#if !defined(OPENSSL_NO_EGD)
-
-PyDoc_STRVAR(_ssl_RAND_egd__doc__,
-"RAND_egd($module, path, /)\n"
-"--\n"
-"\n"
-"Queries the entropy gather daemon (EGD) on the socket named by \'path\'.\n"
-"\n"
-"Returns number of bytes read.  Raises SSLError if connection to EGD\n"
-"fails or if it does not provide enough data to seed PRNG.");
-
-#define _SSL_RAND_EGD_METHODDEF    \
-    {"RAND_egd", (PyCFunction)_ssl_RAND_egd, METH_O, _ssl_RAND_egd__doc__},
-
-static PyObject *
-_ssl_RAND_egd_impl(PyObject *module, PyObject *path);
-
-static PyObject *
-_ssl_RAND_egd(PyObject *module, PyObject *arg)
-{
-    PyObject *return_value = NULL;
-    PyObject *path;
-
-    if (!PyUnicode_FSConverter(arg, &path)) {
-        goto exit;
-    }
-    return_value = _ssl_RAND_egd_impl(module, path);
-
-exit:
-    return return_value;
-}
-
-#endif /* !defined(OPENSSL_NO_EGD) */
-
 PyDoc_STRVAR(_ssl_get_default_verify_paths__doc__,
 "get_default_verify_paths($module, /)\n"
 "--\n"
@ -1351,10 +1317,6 @@ exit:

 #endif /* defined(_MSC_VER) */

-#ifndef _SSL_RAND_EGD_METHODDEF
-    #define _SSL_RAND_EGD_METHODDEF
-#endif /* !defined(_SSL_RAND_EGD_METHODDEF) */
-
 #ifndef _SSL_ENUM_CERTIFICATES_METHODDEF
    #define _SSL_ENUM_CERTIFICATES_METHODDEF
 #endif /* !defined(_SSL_ENUM_CERTIFICATES_METHODDEF) */
@ -1362,4 +1324,4 @@ exit:
 #ifndef _SSL_ENUM_CRLS_METHODDEF
    #define _SSL_ENUM_CRLS_METHODDEF
 #endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */
-/*[clinic end generated code: output=9468e58904a565a2 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=ae3d1851daba6562 input=a9049054013a1b77]*/