From 427faf70fe8268287443a15c0c70bf8dba1a9a8b Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Fri, 10 Jul 2020 12:35:34 -0700
Subject: [PATCH] Prefetching is not supported with old cryptography
---
 .../certbot_apache/_internal/prefetch_ocsp.py | 4 +++
 certbot-apache/tests/ocsp_prefetch_test.py | 31 +++++++++++++++++++
 2 files changed, 35 insertions(+)
diff --git a/certbot-apache/certbot_apache/_internal/prefetch_ocsp.py b/certbot-apache/certbot_apache/_internal/prefetch_ocsp.py
index 1a5598743..7d891775f 100644
--- a/certbot-apache/certbot_apache/_internal/prefetch_ocsp.py
+++ b/certbot-apache/certbot_apache/_internal/prefetch_ocsp.py
@@ -112,6 +112,10 @@ class OCSPPrefetchMixin(object):
 :raises: errors.NotSupportedError
 """
+ if not ocsp.CRYPTOGRAPHY_OCSP_AVAILABLE:
+ raise errors.NotSupportedError(
+ "You need version 2.5+ of the Python library cryptography to"
+ " use this feature.")
 try:
 import bsddb # pylint: disable=unused-variable
 except ImportError:
diff --git a/certbot-apache/tests/ocsp_prefetch_test.py b/certbot-apache/tests/ocsp_prefetch_test.py
index 6ac3dae35..a9b0f0f2e 100644
--- a/certbot-apache/tests/ocsp_prefetch_test.py
+++ b/certbot-apache/tests/ocsp_prefetch_test.py
@@ -18,6 +18,7 @@ import six # pylint: disable=unused-import
 from acme.magic_typing import Dict, List, Set, Union # pylint: disable=unused-import, no-name-in-module
 from certbot import errors
+from certbot import ocsp
 from certbot.compat import os
 import util
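Review bot: In certbot_apache/_internal/prefetch_ocsp.py the new error message hard-codes "2.5+" while the decision itself comes from `ocsp.CRYPTOGRAPHY_OCSP_AVAILABLE`, whose definition is not part of this diff, so the stated requirement and the real check can drift apart. A short comment above the guard, such as `# keep the version in this message in sync with the check that sets certbot.ocsp.CRYPTOGRAPHY_OCSP_AVAILABLE`, would record that coupling. The docstring's `:raises: errors.NotSupportedError` line could also name the causes (an old cryptography and, presumably, the bsddb import failure handled just below). The guard covers only this method, whose signature and remaining body lie outside the hunk. It would be worth confirming that code paths acting on prefetch state saved by an earlier run consult the same flag.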
@@ -83,6 +84,36 @@ class Mockdb(object):
 fh.write(json.dumps(self._data))
+class OldCryptographyOCSPPrefetchTest(util.ApacheTest):
+ """Tests for OCSP Prefetch with an old version of cryptography."""
+
+ def setUp(self): # pylint: disable=arguments-differ
+ super(OldCryptographyOCSPPrefetchTest, self).setUp()
+
+ with mock.patch('certbot.ocsp.CRYPTOGRAPHY_OCSP_AVAILABLE', False):
+ self.config = util.get_apache_configurator(
+ self.config_path, self.vhost_path, self.config_dir, self.work_dir,
+ os_info="debian")
+
+ def test_enable(self):
+ with mock.patch('certbot.ocsp.CRYPTOGRAPHY_OCSP_AVAILABLE', False):
+ self.assertRaises(
+ errors.NotSupportedError,
+ self.config.enable_ocsp_prefetch,
+ mock.MagicMock(),
+ ['example.org'])
+
+ @mock.patch('certbot_apache._internal.configurator.ApacheConfigurator.restart')
+ def test_restart(self, mock_restart):
+ with mock.patch('certbot.ocsp') as mock_ocsp:
+ mock_ocsp.CRYPTOGRAPHY_OCSP_AVAILABLE = False
+ self.config.restart()
+ mock_restart.assert_called_once_with()
+ # assert nothing in mock_ocsp was ever called
+ self.assertFalse(mock_ocsp.mock_calls)
+
+
+@unittest.skipIf(not ocsp.CRYPTOGRAPHY_OCSP_AVAILABLE, "cryptography is too old")
 class OCSPPrefetchTest(util.ApacheTest):
 """Tests for OCSP Prefetch feature""" # pylint: disable=protected-access
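Review bot: In test_restart, `mock.patch('certbot.ocsp')` swaps the `ocsp` attribute on the `certbot` package, but a module that has already run `from certbot import ocsp` keeps its reference to the real module, so the closing `self.assertFalse(mock_ocsp.mock_calls)` can pass without the code under test ever seeing the mock. How prefetch_ocsp.py imports the module is not visible here, so this is inferred from its use of the bare name `ocsp`. If it holds, setting `mock_ocsp.CRYPTOGRAPHY_OCSP_AVAILABLE = False` has no effect on the restart path either. Patching the name where it is looked up, `with mock.patch('certbot_apache._internal.prefetch_ocsp.ocsp') as mock_ocsp:`, would make the "nothing was called" assertion meaningful.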