Merge 43e4e1b into d510103

nix/pyopenssl.nix

@@ -0,0 +1,12 @@
+{ pyopenssl, fetchPypi, isPyPy }:
+pyopenssl.overrideAttrs (old: rec {
+  pname = "pyopenssl";
+  version = "23.2.0";
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "1qgarxcmlrrrlyjnsry47lz04z8bviy7rrlbbp9874kdj799rckc";
+  };
+  # Building the docs requires sphinx which brings in a dependency on babel,
+  # the test suite of which fails.
+  dontBuildDocs = isPyPy;
+})

nix/python-overrides.nix

@@ -27,6 +27,12 @@ in {
     inherit (super) klein;
   };
 
+  # Update the version of pyopenssl.
+  pyopenssl = self.callPackage ./pyopenssl.nix {
+    # Avoid infinite recursion.
+    inherit (super) pyopenssl;
+  };
+
   # collections-extended is currently broken for Python 3.11 in nixpkgs but
   # we know where a working version lives.
   collections-extended = self.callPackage ./collections-extended.nix {
@@ -60,10 +66,6 @@ in {
   # a5f8184fb816a4fd5ae87136838c9981e0d22c67.
   six = onPyPy dontCheck super.six;
 
-  # Building the docs requires sphinx which brings in a dependency on babel,
-  # the test suite of which fails.
-  pyopenssl = onPyPy (dontBuildDocs { sphinx-rtd-theme = null; }) super.pyopenssl;
-
   # Likewise for beautifulsoup4.
   beautifulsoup4 = onPyPy (dontBuildDocs {}) super.beautifulsoup4;
 

setup.py

@@ -63,11 +63,10 @@ def read_version_py(infname):
     #   Twisted[conch] also depends on cryptography and Twisted[tls]
     #   transitively depends on cryptography.  So it's anyone's guess what
     #   version of cryptography will *really* be installed.
+    "cryptography >= 2.6",
 
-    # * cryptography 40 broke constants we need; should really be using them
-    # * via pyOpenSSL; will be fixed in
-    # * https://github.com/pyca/pyopenssl/issues/1201
-    "cryptography >= 2.6, < 40",
+    # * Used for custom HTTPS validation
+    "pyOpenSSL >= 23.2.0",
 
     # * The SFTP frontend depends on Twisted 11.0.0 to fix the SSH server
     #   rekeying bug <https://twistedmatrix.com/trac/ticket/4395>

src/allmydata/storage/http_client.py

@@ -46,7 +46,6 @@
 from treq.client import HTTPClient
 from treq.testing import StubTreq
 from OpenSSL import SSL
-from cryptography.hazmat.bindings.openssl.binding import Binding
 from werkzeug.http import parse_content_range_header
 
 from .http_common import (
@@ -60,8 +59,6 @@
 from ..util.hashutil import timing_safe_compare
 from ..util.deferredutil import async_to_deferred
 
-_OPENSSL = Binding().lib
-
 
 def _encode_si(si):  # type: (bytes) -> str
     """Encode the storage index into Unicode string."""
@@ -256,11 +253,11 @@ def always_validate(conn, cert, errno, depth, preverify_ok):
             # not the usual TLS concerns about invalid CAs or revoked
             # certificates.
             things_are_ok = (
-                _OPENSSL.X509_V_OK,
-                _OPENSSL.X509_V_ERR_CERT_NOT_YET_VALID,
-                _OPENSSL.X509_V_ERR_CERT_HAS_EXPIRED,
-                _OPENSSL.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
-                _OPENSSL.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
+                SSL.X509VerificationCodes.OK,
+                SSL.X509VerificationCodes.ERR_CERT_NOT_YET_VALID,
+                SSL.X509VerificationCodes.ERR_CERT_HAS_EXPIRED,
+                SSL.X509VerificationCodes.ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
+                SSL.X509VerificationCodes.ERR_SELF_SIGNED_CERT_IN_CHAIN,
             )
             # TODO can we do this once instead of multiple times?
             if errno in things_are_ok and timing_safe_compare(