From 54425cd302b00e3c495d397007d0fdc08da7c457 Mon Sep 17 00:00:00 2001
From: Adrien Ferrand <ferrand.ad@gmail.com>
Date: Tue, 9 Feb 2021 20:53:30 +0100
Subject: [PATCH] Pin cryptography on 3.1.1 specifically for RHEL/CentOS 7 to
 avoid build failures during test_sdists test.

---
 tests/letstest/scripts/test_sdists.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/letstest/scripts/test_sdists.sh b/tests/letstest/scripts/test_sdists.sh
index 525266831..61f27a210 100755
--- a/tests/letstest/scripts/test_sdists.sh
+++ b/tests/letstest/scripts/test_sdists.sh
@@ -13,6 +13,14 @@ sudo $BOOTSTRAP_SCRIPT
 # constraints in the commands given to pip and the mix of hashed and unhashed
 # packages makes pip error out.
 python3 tools/strip_hashes.py tools/certbot_constraints.txt > requirements.txt
+
+# We pin cryptography to 3.1.1 specifically for CentOS 7 / RHEL 7 because these systems ship
+# only with OpenSSL 1.0.2, and this OpenSSL version support has been dropped on cryptography>=3.2.
+# Using this old version of OpenSSL would break the cryptography wheel build.
+if [ -f /etc/redhat-release ] && [ "$(. /etc/os-release 2> /dev/null && echo "$VERSION_ID")" -eq 7 ]; then
+  sed -i 's|cryptography==.*|cryptography==3.1.1|g' requirements.txt
+fi
+
 CERTBOT_PIP_NO_BINARY=:all: tools/venv.py --requirement requirements.txt
 . "$VENV_PATH/bin/activate"
 # pytest is needed to run tests on some of our packages so we install a pinned version here.