Break users on OpenSSL 1.0.2 (#5438)

fixes #5432
pyca · Aug 28, 2020 · 8bc6920 · 8bc6920
1 parent 1fd7cac
commit 8bc6920
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 7 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -8,6 +8,9 @@ Changelog
 
 .. note:: This version is not yet released and is under active development.
 
+* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
+  will need to upgrade.
+
 .. _v3-1:
 
 3.1 - 2020-08-26

diff --git a/docs/faq.rst b/docs/faq.rst
@@ -109,6 +109,19 @@ Your ``pip`` and/or ``setuptools`` are outdated. Please upgrade to the latest
 versions with ``pip install -U pip setuptools`` (or on Windows
 ``python -m pip install -U pip setuptools``).
 
+Importing cryptography causes a ``RuntimeError`` about OpenSSL 1.0.2
+--------------------------------------------------------------------
+
+The OpenSSL project has dropped support for the 1.0.2 release series. Since it
+is no longer receiving security patches from upstream, ``cryptography`` is also
+dropping support for it. To fix this issue you should upgrade to a newer
+version of OpenSSL (1.1.0 or later). This may require you to upgrade to a newer
+operating system.
+
+For the 3.2 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_102``
+environment variable. Please note that this is *temporary* and will be removed
+in ``cryptography`` 3.3.
+
 Installing cryptography with OpenSSL 0.9.8, 1.0.0, 1.0.1 fails
 --------------------------------------------------------------
 

diff --git a/docs/installation.rst b/docs/installation.rst
@@ -33,7 +33,8 @@ OpenSSL releases:
 
 .. warning::
 
-    Cryptography 3.1 has deprecated support for OpenSSL 1.0.2.
+    Cryptography 3.2 has dropped support for OpenSSL 1.0.2, see the
+    :doc:`FAQ </faq>` for more details
 
 Building cryptography on Windows
 --------------------------------

diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -5,6 +5,7 @@
 from __future__ import absolute_import, division, print_function
 
 import collections
+import os
 import threading
 import types
 import warnings
@@ -170,12 +171,19 @@ def _verify_openssl_version(lib):
         lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
         and not lib.CRYPTOGRAPHY_IS_LIBRESSL
     ):
-        warnings.warn(
-            "OpenSSL version 1.0.2 is no longer supported by the OpenSSL "
-            "project, please upgrade. The next version of cryptography will "
-            "drop support for it.",
-            utils.CryptographyDeprecationWarning,
-        )
+        if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_102"):
+            warnings.warn(
+                "OpenSSL version 1.0.2 is no longer supported by the OpenSSL "
+                "project, please upgrade. The next version of cryptography "
+                "will completely remove support for it.",
+                utils.CryptographyDeprecationWarning,
+            )
+        else:
+            raise RuntimeError(
+                "You are linking against OpenSSL 1.0.2, which is no longer "
+                "supported by the OpenSSL project. You need to upgrade to a "
+                "newer version of OpenSSL."
+            )
 
 
 def _verify_package_version(version):

diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
@@ -4,13 +4,16 @@
 
 from __future__ import absolute_import, division, print_function
 
+import pretend
+
 import pytest
 
 from cryptography.exceptions import InternalError
 from cryptography.hazmat.bindings.openssl.binding import (
     Binding,
     _consume_errors,
     _openssl_assert,
+    _verify_openssl_version,
     _verify_package_version,
 )
 
@@ -125,3 +128,12 @@ def test_check_startup_errors_are_allowed(self):
     def test_version_mismatch(self):
         with pytest.raises(ImportError):
             _verify_package_version("nottherightversion")
+
+    def test_verify_openssl_version(self, monkeypatch):
+        monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_102", raising=False)
+        lib = pretend.stub(
+            CRYPTOGRAPHY_OPENSSL_LESS_THAN_110=True,
+            CRYPTOGRAPHY_IS_LIBRESSL=False,
+        )
+        with pytest.raises(RuntimeError):
+            _verify_openssl_version(lib)
diff --git a/tox.ini b/tox.ini
@@ -13,6 +13,8 @@ deps =
     ./vectors
     randomorder: pytest-randomly
 passenv = ARCHFLAGS LDFLAGS CFLAGS INCLUDE LIB LD_LIBRARY_PATH USERNAME PYTHONIOENCODING OPENSSL_FORCE_FIPS_MODE
+setenv =
+    CRYPTOGRAPHY_ALLOW_OPENSSL_102=1
 commands =
     pip list
     # We use parallel mode and then combine here so that coverage.py will take