fix tls_(min|max)_version having no effect on openssl 1.1.0g or lower

[graingert]

fixes #6558

see also https://github.com/encode/httpx/blob/master/httpx/_compat.py#L23 and urllib3/urllib3#2636

• Tests added / passed
• Passes pre-commit run --all-files

[graingert]

setting maximum_version=MAXIMUM_SUPPORTED or maximum_version=MINIMUM_SUPPORTED or minimum_version=MAXIMUM_SUPPORTED isn't possible because we can't introspect the versions until 1.1.0.g anyway

[github-actions]

Unit Test Results

See test report for an extended history of previous test failures. This is useful for diagnosing flaky tests.

       15 files  ±0         15 suites  ±0   6h 20m 13s ⏱️ - 29m 25s
  2 866 tests +1    2 785 ✔️ +34    80 💤  - 1  1 ❌  - 29 
21 231 runs  +7  20 291 ✔️ +42  939 💤 ±0  1 ❌  - 32 

For more details on these failures, see this check.

Results for commit d7e25cd. ± Comparison against base commit 344868a.

♻️ This comment has been updated with latest results.

[jcrist]

This seems reasonable to me, though I confess I don't fully understand the compatibility issues here. Is there an easy way we could test this fix?

[jakirkham]

Note if this is using newer APIs from OpenSSL, Python 3.10 is the only version I'm aware of doing that (from a different context). So checking the OpenSSL version may not be sufficient. In fact it may lead to issues as packagers may build with a newer OpenSSL even with old Python versions (as is the case in conda-forge)

[graingert]

This should work with both newer openssl versions or newer python versions

[graingert]

this is relying on new openssl features released in 1.1.0g and made available in Python 3.7

[graingert]

Is there an easy way we could test this fix?

It's very difficult to test this - as we'd need to find a docker image (centos:7) or similar to run the old version of openssl and compile a new version of python 3.7

instead of a test - I've simplified the code by a great deal by making distributed.security.Security immutable and then relying on earlier validation to support assignment of tls.TLSVersion.TLSv1_2

I have also deprecated support for openssl < 1.1.1 so we can remove this untested branch in the future

[graingert]

making Security frozen broke pickle support:

https://github.com/dask/distributed/runs/6863709912?check_suite_focus=true#step:11:182

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "C:\Miniconda3\envs\dask-distributed\lib\multiprocessing\spawn.py", line 116, in spawn_main
    exitcode = _main(fd, parent_sentinel)
  File "C:\Miniconda3\envs\dask-distributed\lib\multiprocessing\spawn.py", line 126, in _main
    self = reduction.pickle.load(from_parent)
  File "d:\a\distributed\distributed\distributed\security.py", line 368, in __setattr__
    raise AttributeError(f"Can't set attribute {name!r}")
AttributeError: Can't set attribute 'require_encryption'

maybe making it frozen isn't worth it?

[graingert]

I've removed the commits making security.Security frozen from this PR

[graingert]

macos-latest 3.10 not c1 failed with #6395

[fjetter]

It's amazing that CPython chooses to deal with this issue merely by leaving a comment in the documentation. They could've raised if the attribute is set but the OpenSSL is too old

[graingert]

@fjetter https://lwn.net/Articles/861910/

[fjetter]

Interesting but not the same thing, is it? You apparently had a typo but we had the proper name. It could be something like

... 
@property.setter
def minimal_version(self, value):
    if openssl_version < 42:
        raise
    ...

[graingert]

the fix suggested was to make ssl.SSLContext slotted, which would both prevent typos and use of correctly spelt attributes that are unsuported