authorAlex Gaynor <alex.gaynor@gmail.com>2020-10-27 00:15:17 -0400
committerGitHub <noreply@github.com>2020-10-26 21:15:17 -0700
commit124a0134fdb7decb0136b4b6f7892b87b919e74e (patch)
tree01a47b984f122ec7891185010f8f96c30ccce6fb
parent669dcc3488a4803b2c321218def6554805940c48 (diff)
downloadpyopenssl-git-124a0134fdb7decb0136b4b6f7892b87b919e74e.tar.gz
Drop CI for OpenSSL 1.0.2 (#953)
* Drop CI for OpenSSL 1.0.2 * Delete code for coverage reasons * Bump minimum cryptography version
-rw-r--r--.travis.yml10
-rwxr-xr-x.travis/install_urllib3.sh8
-rw-r--r--CHANGELOG.rst3
-rwxr-xr-xsetup.py2
-rw-r--r--src/OpenSSL/SSL.py45
-rw-r--r--src/OpenSSL/crypto.py12
-rw-r--r--tests/test_ssl.py13
-rw-r--r--tox.ini17
8 files changed, 15 insertions, 95 deletions
diff --git a/.travis.yml b/.travis.yml
index d6d566c..911ccef 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -16,10 +16,6 @@ jobs:
os: osx
osx_image: xcode11.6
env: TOXENV=py27
- - python: "2.7"
- env: TOXENV=py27
- # we should still test against OpenSSL 1.0.2. Xenial gives us that for now.
- dist: xenial
- python: "3.5"
env: TOXENV=py35
- python: "3.6"
@@ -71,13 +67,9 @@ jobs:
- python: "3.7"
env: TOXENV=py37-randomorder
- # Make sure we don't break Twisted or urllib3
+ # Make sure we don't break Twisted
- python: "3.7"
env: TOXENV=py37-twistedMaster
- - python: "3.5"
- env: TOXENV=py35-urllib3Master
- # Somehow urllib3 has trouble with newer distributions
- dist: xenial
# Meta
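Review bot: Removing the `py35-urllib3Master` job drops the only downstream check of `urllib3.contrib.pyopenssl` against this library, and the reworded comment (`# Make sure we don't break Twisted`) records the loss without saying why. The removed job's own comment (`# Somehow urllib3 has trouble with newer distributions`) points at the distribution image, not OpenSSL 1.0.2, as the blocker, so the job could presumably be kept on a current image against OpenSSL 1.1.x rather than deleted. If dropping downstream coverage is intended, the commit message should say so explicitly; if not, re-add the job without the `dist: xenial` pin.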
diff --git a/.travis/install_urllib3.sh b/.travis/install_urllib3.sh
deleted file mode 100755
index 1324ded..0000000
--- a/.travis/install_urllib3.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-set -e
-set -x
-
-git clone --depth 1 https://github.com/shazow/urllib3.git
-pip install -r ./urllib3/dev-requirements.txt
-pip install ./urllib3[socks]
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5df0a05..9f58d78 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -11,10 +11,11 @@ The third digit is only for regressions.
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+- The minimum ``cryptography`` version is now 3.2.
- Remove deprecated ``OpenSSL.tsafe`` module.
- Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.
- Drop support for Python 3.4
-- Drop support for OpenSSL 1.0.1
+- Drop support for OpenSSL 1.0.1 and 1.0.2
Deprecations:
^^^^^^^^^^^^^
diff --git a/setup.py b/setup.py
index 6f3afd7..08769d2 100755
--- a/setup.py
+++ b/setup.py
@@ -94,7 +94,7 @@ if __name__ == "__main__":
package_dir={"": "src"},
install_requires=[
# Fix cryptographyMinimum in tox.ini when changing this!
- "cryptography>=2.8",
+ "cryptography>=3.2",
"six>=1.5.2",
],
extras_require={
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index bbb721c..9b9f638 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -28,7 +28,6 @@ from OpenSSL.crypto import (
X509Name,
X509,
X509Store,
- X509StoreContext,
)
__all__ = [
@@ -147,10 +146,7 @@ OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3
OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1
OP_NO_TLSv1_1 = _lib.SSL_OP_NO_TLSv1_1
OP_NO_TLSv1_2 = _lib.SSL_OP_NO_TLSv1_2
-try:
- OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3
-except AttributeError:
- pass
+OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3
MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS
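Review bot: The now-unconditional `OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3` turns a binding built against an OpenSSL without that symbol into a bare AttributeError at `import OpenSSL.SSL`, with nothing telling the user which OpenSSL is too old. The only thing preventing that is the `cryptography>=3.2` pin in setup.py; if that cryptography release can still be built against OpenSSL 1.0.2 (its changelog appears to deprecate rather than remove 1.0.2 at that version — worth confirming), such installs would fail with this opaque error. A fail-fast check near the top of the module would make the contract explicit, e.g. `if not hasattr(_lib, "SSL_OP_NO_TLSv1_3"): raise ImportError("pyOpenSSL requires OpenSSL 1.1.0 or newer")`, or alternatively raise the cryptography floor to the release that actually drops 1.0.2 once it exists.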
@@ -202,14 +198,6 @@ SESS_CACHE_NO_INTERNAL = _lib.SSL_SESS_CACHE_NO_INTERNAL
SSL_ST_CONNECT = _lib.SSL_ST_CONNECT
SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT
SSL_ST_MASK = _lib.SSL_ST_MASK
-if _lib.Cryptography_HAS_SSL_ST:
- SSL_ST_INIT = _lib.SSL_ST_INIT
- SSL_ST_BEFORE = _lib.SSL_ST_BEFORE
- SSL_ST_OK = _lib.SSL_ST_OK
- SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE
- __all__.extend(
- ["SSL_ST_INIT", "SSL_ST_BEFORE", "SSL_ST_OK", "SSL_ST_RENEGOTIATE"]
- )
SSL_CB_LOOP = _lib.SSL_CB_LOOP
SSL_CB_EXIT = _lib.SSL_CB_EXIT
@@ -972,11 +960,7 @@ class Context(object):
"""
buf = _text_to_bytes_and_warn("buf", buf)
_openssl_assert(
- _lib.SSL_CTX_set_session_id_context(
- self._context,
- buf,
- len(buf),
- )
+ _lib.SSL_CTX_set_session_id_context(self._context, buf, len(buf))
== 1
)
@@ -2175,29 +2159,12 @@ class Connection(object):
.. versionadded:: 20.0
"""
- if hasattr(_lib, "SSL_get0_verified_chain"):
- # OpenSSL 1.1+
- cert_stack = _lib.SSL_get0_verified_chain(self._ssl)
- if cert_stack == _ffi.NULL:
- return None
-
- return self._cert_stack_to_list(cert_stack)
-
- pycert = self.get_peer_certificate()
- if pycert is None:
- return None
-
- # Should never be NULL because the peer presented a certificate.
- cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl)
- _openssl_assert(cert_stack != _ffi.NULL)
-
- pystore = self._context.get_cert_store()
- if pystore is None:
+ # OpenSSL 1.1+
+ cert_stack = _lib.SSL_get0_verified_chain(self._ssl)
+ if cert_stack == _ffi.NULL:
return None
- pystorectx = X509StoreContext(pystore, pycert)
- pystorectx._chain = cert_stack
- return pystorectx.get_verified_chain()
+ return self._cert_stack_to_list(cert_stack)
def want_read(self):
"""
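Review bot: The surviving comment `# OpenSSL 1.1+` above `SSL_get0_verified_chain` no longer explains anything — it labelled one of two branches, and the alternative is gone. Replace it with what the NULL check actually encodes; my reading of the OpenSSL API (to be confirmed) is that a verified chain is only recorded when certificate verification during the handshake succeeded, so something like `# NULL here means no verified chain was recorded: the peer sent no certificate, or verification failed during the handshake.` Because the removed fallback performed a fresh `X509StoreContext` verification while the new path relies on verification having happened at handshake time, the docstring should also state that a `None` return does not distinguish "no peer certificate" from "verification failed". Both the `def get_verified_chain` line and its docstring start above this hunk.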
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 11be813..84f92b1 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1603,16 +1603,8 @@ class X509Store(object):
if not isinstance(cert, X509):
raise TypeError()
- # As of OpenSSL 1.1.0i adding the same cert to the store more than
- # once doesn't cause an error. Accordingly, this code now silences
- # the error for OpenSSL < 1.1.0i as well.
- if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0:
- code = _lib.ERR_peek_error()
- err_reason = _lib.ERR_GET_REASON(code)
- _openssl_assert(
- err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE
- )
- _lib.ERR_clear_error()
+ res = _lib.X509_STORE_add_cert(self._store, cert._x509)
+ _openssl_assert(res == 1)
def add_crl(self, crl):
"""
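Review bot: The new `_openssl_assert(res == 1)` drops the duplicate-certificate tolerance together with its rationale, and the removed comment dates that tolerance at OpenSSL 1.1.0i, not 1.1.0 — if cryptography 3.2 can still bind an OpenSSL 1.1.0 patch release older than 1.1.0i, calling `add_cert` twice with the same certificate would now raise where it used to be silently accepted. Either confirm the effective OpenSSL floor is >= 1.1.0i or keep a one-line why comment so the dependency on the success path is visible: `# OpenSSL >= 1.1.0i returns 1 when the cert is already in the store, so any other result is a real failure.` The `add_cert` docstring, above this hunk, should describe the duplicate-add behaviour callers can now rely on if it does not already. The `def add_cert` line is outside the hunk.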
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index e405b1a..aed2367 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -2621,17 +2621,8 @@ class TestConnection(object):
with a context using a different SSL method than the `Connection`
is using, a `OpenSSL.SSL.Error` is raised.
"""
- # Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2
- # and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT
- # is a way to check for 1.1.0)
- if SSL_ST_INIT is None:
- v1 = TLSv1_2_METHOD
- v2 = TLSv1_METHOD
- elif hasattr(_lib, "SSLv3_method"):
- v1 = TLSv1_METHOD
- v2 = SSLv3_METHOD
- else:
- pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")
+ v1 = TLSv1_2_METHOD
+ v2 = TLSv1_METHOD
key = load_privatekey(FILETYPE_PEM, server_key_pem)
cert = load_certificate(FILETYPE_PEM, server_cert_pem)
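Review bot: The new pairing `v1 = TLSv1_2_METHOD` / `v2 = TLSv1_METHOD` loses the rationale the removed comment carried; a one-liner such as `# TLS 1.0 and TLS 1.2 both exist on every supported (1.1.0+) OpenSSL, so a method mismatch reliably fails the handshake` keeps the intent readable, with the caveat that distributions building OpenSSL with TLS 1.0 disabled would need a skip here. Dropping the `SSL_ST_INIT is None` probe also leaves whatever brought `SSL_ST_INIT` into this test module's scope (presumably a guarded import above this hunk) as dead code that should go in the same change. The test method starts before this hunk.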
diff --git a/tox.ini b/tox.ini
index 4217abb..a338c94 100644
--- a/tox.ini
+++ b/tox.ini
@@ -10,7 +10,7 @@ extras =
deps =
coverage>=4.2
cryptographyMaster: git+https://github.com/pyca/cryptography.git
- cryptographyMinimum: cryptography==2.8
+ cryptographyMinimum: cryptography==3.2
randomorder: pytest-randomly
setenv =
# Do not allow the executing environment to pollute the test environment
@@ -32,21 +32,6 @@ commands =
python -c "import cryptography; print(cryptography.__version__)"
python -m twisted.trial --reporter=text twisted
-[testenv:py35-urllib3Master]
-basepython=python3.5
-deps =
- pyasn1
- ndg-httpsclient
-passenv = ARCHFLAGS CFLAGS LC_ALL LDFLAGS PATH LD_LIBRARY_PATH TERM TRAVIS_INFRA
-whitelist_externals =
- rm
-commands =
- python -c "import OpenSSL.SSL; print(OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION))"
- python -c "import cryptography; print(cryptography.__version__)"
- {toxinidir}/.travis/install_urllib3.sh
- pytest urllib3/test
- rm -rf ./urllib3
-
[testenv:flake8]
basepython = python3
deps =