bpo-43669: Remove OpenSSL 0.9 to 1.1.0 specific documentation (GH-25453)

2025-10-07 07:31:46 +00:00 · 2021-04-17 15:49:50 +02:00 · 2021-04-17 15:49:50 +02:00 · b8d0fa035d
commit b8d0fa035d
parent ea39f82b97
4 changed files with 12 additions and 175 deletions
--- a/Doc/library/hashlib.rst
+++ b/Doc/library/hashlib.rst
@ -280,8 +280,6 @@ include a `salt <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_.
   factor and *maxmem* limits memory (OpenSSL 1.1.0 defaults to 32 MiB).
   *dklen* is the length of the derived key.
   .. availability:: OpenSSL 1.1+.
   .. versionadded:: 3.6
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@ -58,6 +58,11 @@ by SSL sockets created through the :meth:`SSLContext.wrap_socket` method.
   In the future the ssl module will require at least OpenSSL 1.0.2 or
   1.1.0.
 .. versionchanged:: 3.10
   :pep:`644` has been implemented. The ssl module requires OpenSSL 1.1.1
   or newer.
 Functions, Constants, and Exceptions
 ------------------------------------
@ -325,19 +330,6 @@ Random generation
   :func:`ssl.RAND_egd` and :func:`ssl.RAND_add` to increase the randomness of
   the pseudo-random number generator.
 .. function:: RAND_egd(path)
   If you are running an entropy-gathering daemon (EGD) somewhere, and *path*
   is the pathname of a socket connection open to it, this will read 256 bytes
   of randomness from the socket, and add it to the SSL pseudo-random number
   generator to increase the security of generated secret keys.  This is
   typically only necessary on systems without better sources of randomness.
   See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources
   of entropy-gathering daemons.
   .. availability:: not available with LibreSSL and OpenSSL > 1.1.0.
 .. function:: RAND_add(bytes, entropy)
   Mix the given *bytes* into the SSL pseudo-random number generator.  The
@ -879,8 +871,6 @@ Constants
   Disable compression on the SSL channel.  This is useful if the application
   protocol supports its own compression scheme.
   This option is only available with OpenSSL 1.0.0 and later.
   .. versionadded:: 3.3
 .. class:: Options
@ -1593,25 +1583,7 @@ to speed up repeated connections from the same clients.
       >>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
       >>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')
-       >>> ctx.get_ciphers()  # OpenSSL 1.0.x
+       >>> ctx.get_ciphers()
       [{'alg_bits': 256,
         'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  '
                        'Enc=AESGCM(256) Mac=AEAD',
         'id': 50380848,
         'name': 'ECDHE-RSA-AES256-GCM-SHA384',
         'protocol': 'TLSv1/SSLv3',
         'strength_bits': 256},
        {'alg_bits': 128,
         'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  '
                        'Enc=AESGCM(128) Mac=AEAD',
         'id': 50380847,
         'name': 'ECDHE-RSA-AES128-GCM-SHA256',
         'protocol': 'TLSv1/SSLv3',
         'strength_bits': 128}]
   On OpenSSL 1.1 and newer the cipher dict contains additional fields::
       >>> ctx.get_ciphers()  # OpenSSL 1.1+
       [{'aead': True,
         'alg_bits': 256,
         'auth': 'auth-rsa',
@ -1637,8 +1609,6 @@ to speed up repeated connections from the same clients.
         'strength_bits': 128,
         'symmetric': 'aes-128-gcm'}]
   .. availability:: OpenSSL 1.0.2+.
   .. versionadded:: 3.6
 .. method:: SSLContext.set_default_verify_paths()
@ -1663,8 +1633,8 @@ to speed up repeated connections from the same clients.
      when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
      give the currently selected cipher.
-      OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
+      TLS 1.3 cipher suites cannot be disabled with
-      cannot be disabled with :meth:`~SSLContext.set_ciphers`.
+      :meth:`~SSLContext.set_ciphers`.
 .. method:: SSLContext.set_alpn_protocols(protocols)
@ -1678,10 +1648,6 @@ to speed up repeated connections from the same clients.
   This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is
   ``False``.
   OpenSSL 1.1.0 to 1.1.0e will abort the handshake and raise :exc:`SSLError`
   when both sides support ALPN but cannot agree on a protocol. 1.1.0f+
   behaves like 1.0.2, :meth:`SSLSocket.selected_alpn_protocol` returns None.
   .. versionadded:: 3.5
 .. method:: SSLContext.set_npn_protocols(protocols)
@ -1883,7 +1849,7 @@ to speed up repeated connections from the same clients.
 .. method:: SSLContext.session_stats()
   Get statistics about the SSL sessions created or managed by this context.
-   A dictionary is returned which maps the names of each `piece of information <https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_sess_number.html>`_ to their
+   A dictionary is returned which maps the names of each `piece of information <https://www.openssl.org/docs/man1.1.1/ssl/SSL_CTX_sess_number.html>`_ to their
   numeric values.  For example, here is the total number of hits and misses
   in the session cache since the context was created::
@ -1926,10 +1892,6 @@ to speed up repeated connections from the same clients.
      :attr:`~SSLContext.verify_mode` is :data:`CERT_NONE`. Previously
      the same operation would have failed with a :exc:`ValueError`.
   .. note::
     This features requires OpenSSL 0.9.8f or newer.
 .. attribute:: SSLContext.keylog_filename
   Write TLS keys to a keylog file, whenever key material is generated or
@ -1940,10 +1902,6 @@ to speed up repeated connections from the same clients.
   .. versionadded:: 3.8
   .. note::
     This features requires OpenSSL 1.1.1 or newer.
 .. attribute:: SSLContext.maximum_version
   A :class:`TLSVersion` enum member representing the highest supported
@ -1960,11 +1918,6 @@ to speed up repeated connections from the same clients.
   :attr:`~SSLContext.maximum_version` set to :attr:`TLSVersion.TLSv1_2`
   will not be able to establish a TLS 1.2 connection.
   .. note::
     This attribute is not available unless the ssl module is compiled
     with OpenSSL 1.1.0g or newer.
   .. versionadded:: 3.7
 .. attribute:: SSLContext.minimum_version
@ -1972,11 +1925,6 @@ to speed up repeated connections from the same clients.
   Like :attr:`SSLContext.maximum_version` except it is the lowest
   supported version or :attr:`TLSVersion.MINIMUM_SUPPORTED`.
   .. note::
     This attribute is not available unless the ssl module is compiled
     with OpenSSL 1.1.0g or newer.
   .. versionadded:: 3.7
 .. attribute:: SSLContext.num_tickets
@ -1985,11 +1933,6 @@ to speed up repeated connections from the same clients.
   :attr:`TLS_PROTOCOL_SERVER` context. The setting has no impact on TLS
   1.0 to 1.2 connections.
   .. note::
     This attribute is not available unless the ssl module is compiled
     with OpenSSL 1.1.1 or newer.
   .. versionadded:: 3.8
 .. attribute:: SSLContext.options
@ -1998,11 +1941,6 @@ to speed up repeated connections from the same clients.
   The default value is :data:`OP_ALL`, but you can specify other options
   such as :data:`OP_NO_SSLv2` by ORing them together.
   .. note::
      With versions of OpenSSL older than 0.9.8m, it is only possible
      to set options, not to clear them.  Attempting to clear an option
      (by resetting the corresponding bits) will raise a :exc:`ValueError`.
   .. versionchanged:: 3.6
      :attr:`SSLContext.options` returns :class:`Options` flags:
@ -2025,10 +1963,6 @@ to speed up repeated connections from the same clients.
   :meth:`SSLSocket.verify_client_post_handshake` is called and some I/O is
   performed.
   .. note::
      Only available with OpenSSL 1.1.1 and TLS 1.3 enabled. Without TLS 1.3
      support, the property value is None and can't be modified
   .. versionadded:: 3.8
 .. attribute:: SSLContext.protocol
@ -2042,9 +1976,6 @@ to speed up repeated connections from the same clients.
   subject common name in the absence of a subject alternative name
   extension (default: true).
   .. note::
      Only writeable with OpenSSL 1.1.0 or higher.
   .. versionadded:: 3.7
   .. versionchanged:: 3.10
@ -2058,8 +1989,6 @@ to speed up repeated connections from the same clients.
   <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html>`_
   for the context. This attribute is read-only.
   .. availability:: OpenSSL 1.1.0 or newer
   .. versionadded:: 3.10
 .. attribute:: SSLContext.verify_flags
@ -2067,7 +1996,6 @@ to speed up repeated connections from the same clients.
   The flags for certificate verification operations. You can set flags like
   :data:`VERIFY_CRL_CHECK_LEAF` by ORing them together. By default OpenSSL
   does neither require nor verify certificate revocation lists (CRLs).
   Available only with openssl version 0.9.8+.
   .. versionadded:: 3.4
@ -2733,9 +2661,8 @@ TLS 1.3
 .. versionadded:: 3.7
-Python has provisional and experimental support for TLS 1.3 with OpenSSL
+The TLS 1.3 protocol behaves slightly differently than previous version
-1.1.1.  The new protocol behaves slightly differently than previous version
+of TLS/SSL. Some new TLS 1.3 features are not yet available.
 of TLS/SSL.  Some new TLS 1.3 features are not yet available.
 - TLS 1.3 uses a disjunct set of cipher suites. All AES-GCM and
  ChaCha20 cipher suites are enabled by default.  The method
@ -2752,23 +2679,6 @@ of TLS/SSL.  Some new TLS 1.3 features are not yet available.
  signature algorithm configuration, and rekeying are not supported yet.
 .. _ssl-libressl:
 LibreSSL support
 ----------------
 LibreSSL is a fork of OpenSSL 1.0.1. The ssl module has limited support for
 LibreSSL. Some features are not available when the ssl module is compiled
 with LibreSSL.
 * LibreSSL >= 2.6.1 no longer supports NPN. The methods
  :meth:`SSLContext.set_npn_protocols` and
  :meth:`SSLSocket.selected_npn_protocol` are not available.
 * :meth:`SSLContext.set_default_verify_paths` ignores the env vars
  :envvar:`SSL_CERT_FILE` and :envvar:`SSL_CERT_PATH` although
  :func:`get_default_verify_paths` still reports them.
 .. seealso::
   Class :class:`socket.socket`
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -4971,38 +4971,6 @@ _ssl_RAND_status_impl(PyObject *module)
    return PyLong_FromLong(RAND_status());
 }
 #ifndef OPENSSL_NO_EGD
 /* LCOV_EXCL_START */
 /*[clinic input]
 _ssl.RAND_egd
    path: object(converter="PyUnicode_FSConverter")
    /
 Queries the entropy gather daemon (EGD) on the socket named by 'path'.
 Returns number of bytes read.  Raises SSLError if connection to EGD
 fails or if it does not provide enough data to seed PRNG.
 [clinic start generated code]*/
 static PyObject *
 _ssl_RAND_egd_impl(PyObject *module, PyObject *path)
 /*[clinic end generated code: output=02a67c7c367f52fa input=1aeb7eb948312195]*/
 {
    int bytes = RAND_egd(PyBytes_AsString(path));
    Py_DECREF(path);
    if (bytes == -1) {
        PyErr_SetString(PySSLErrorObject,
                        "EGD connection failed or EGD did not return "
                        "enough data to seed the PRNG");
        return NULL;
    }
    return PyLong_FromLong(bytes);
 }
 /* LCOV_EXCL_STOP */
 #endif /* OPENSSL_NO_EGD */
 /*[clinic input]
 _ssl.get_default_verify_paths
@ -5445,7 +5413,6 @@ static PyMethodDef PySSL_methods[] = {
    _SSL_RAND_ADD_METHODDEF
    _SSL_RAND_BYTES_METHODDEF
    _SSL_RAND_PSEUDO_BYTES_METHODDEF
    _SSL_RAND_EGD_METHODDEF
    _SSL_RAND_STATUS_METHODDEF
    _SSL_GET_DEFAULT_VERIFY_PATHS_METHODDEF
    _SSL_ENUM_CERTIFICATES_METHODDEF
--- a/Modules/clinic/_ssl.c.h
+++ b/Modules/clinic/_ssl.c.h
@ -1105,40 +1105,6 @@ _ssl_RAND_status(PyObject *module, PyObject *Py_UNUSED(ignored))
    return _ssl_RAND_status_impl(module);
 }
 #if !defined(OPENSSL_NO_EGD)
 PyDoc_STRVAR(_ssl_RAND_egd__doc__,
 "RAND_egd($module, path, /)\n"
 "--\n"
 "\n"
 "Queries the entropy gather daemon (EGD) on the socket named by \'path\'.\n"
 "\n"
 "Returns number of bytes read.  Raises SSLError if connection to EGD\n"
 "fails or if it does not provide enough data to seed PRNG.");
 #define _SSL_RAND_EGD_METHODDEF    \
    {"RAND_egd", (PyCFunction)_ssl_RAND_egd, METH_O, _ssl_RAND_egd__doc__},
 static PyObject *
 _ssl_RAND_egd_impl(PyObject *module, PyObject *path);
 static PyObject *
 _ssl_RAND_egd(PyObject *module, PyObject *arg)
 {
    PyObject *return_value = NULL;
    PyObject *path;
    if (!PyUnicode_FSConverter(arg, &path)) {
        goto exit;
    }
    return_value = _ssl_RAND_egd_impl(module, path);
 exit:
    return return_value;
 }
 #endif /* !defined(OPENSSL_NO_EGD) */
 PyDoc_STRVAR(_ssl_get_default_verify_paths__doc__,
 "get_default_verify_paths($module, /)\n"
 "--\n"
@ -1351,10 +1317,6 @@ exit:
 #endif /* defined(_MSC_VER) */
 #ifndef _SSL_RAND_EGD_METHODDEF
    #define _SSL_RAND_EGD_METHODDEF
 #endif /* !defined(_SSL_RAND_EGD_METHODDEF) */
 #ifndef _SSL_ENUM_CERTIFICATES_METHODDEF
    #define _SSL_ENUM_CERTIFICATES_METHODDEF
 #endif /* !defined(_SSL_ENUM_CERTIFICATES_METHODDEF) */
@ -1362,4 +1324,4 @@ exit:
 #ifndef _SSL_ENUM_CRLS_METHODDEF
    #define _SSL_ENUM_CRLS_METHODDEF
 #endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */
-/*[clinic end generated code: output=9468e58904a565a2 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=ae3d1851daba6562 input=a9049054013a1b77]*/