deprecate SSLSocket and TLSServer (#10294)

fixes https://github.com/certbot/certbot/issues/10284

acme/src/acme/crypto_util.py

@@ -100,11 +100,10 @@ class SSLSocket:  # pylint: disable=too-few-public-methods
             ]
         ] = None,
     ) -> None:
+        warnings.warn("SSLSocket is deprecated and will be removed in an upcoming release",
+                      DeprecationWarning)
         self.sock = sock
         self.alpn_selection = alpn_selection
-        if alpn_selection:
-            warnings.warn("alpn_selection ivar is deprecated and will be removed in an "
-                "upcoming certbot major version update", DeprecationWarning)
         self.method = method
         if not cert_selection and not certs:
             raise ValueError("Neither cert_selection or certs specified.")
@@ -160,11 +159,15 @@ class SSLSocket:  # pylint: disable=too-few-public-methods
             # OpenSSL.SSL.Connection.shutdown doesn't accept any args
             try:
                 return self._wrapped.shutdown()
-            except SSL.Error as error:
+            except SSL.Error as error:  # pragma: no cover
                 # We wrap the error so we raise the same error type as sockets
                 # in the standard library. This is useful when this object is
                 # used by code which expects a standard socket such as
                 # socketserver in the standard library.
+                #
+                # We don't track code coverage in this "except" branch to avoid spurious CI failures
+                # caused by missing test coverage. These aren't worth fixing because this entire
+                # class has been deprecated. See https://github.com/certbot/certbot/issues/10284.
                 raise OSError(error)
 
     def accept(self) -> Tuple[FakeConnection, Any]:  # pylint: disable=missing-function-docstring

acme/src/acme/standalone.py

@@ -26,9 +26,15 @@ logger = logging.getLogger(__name__)
 
 
 class TLSServer(socketserver.TCPServer):
-    """Generic TLS Server."""
+    """Generic TLS Server
+
+    .. deprecated:: 4.1.0
+
+    """
 
     def __init__(self, *args: Any, **kwargs: Any) -> None:
+        warnings.warn("TLSServer is deprecated and will be removed in an upcoming release",
+                      DeprecationWarning)
         self.ipv6 = kwargs.pop("ipv6", False)
         if self.ipv6:
             self.address_family = socket.AF_INET6
@@ -41,10 +47,7 @@ class TLSServer(socketserver.TCPServer):
 
     def _wrap_sock(self) -> None:
         with warnings.catch_warnings():
-            warnings.filterwarnings(
-                'ignore',
-                message='alpn_selection ivar is deprecated'
-            )
+            warnings.filterwarnings('ignore', 'SSLSocket is deprecated')
             self.socket = cast(socket.socket, crypto_util.SSLSocket(
                 self.socket, cert_selection=self._cert_selection,
                 alpn_selection=getattr(self, '_alpn_selection', None),
@@ -169,9 +172,11 @@ class TLSALPN01Server(TLSServer, ACMEServerMixin):
         # We don't need to implement a request handler here because the work
         # (including logging) is being done by wrapped socket set up in the
         # parent TLSServer class.
-        TLSServer.__init__(
-            self, server_address, socketserver.BaseRequestHandler, certs=certs,
-            ipv6=ipv6)
+        with warnings.catch_warnings():
+            warnings.filterwarnings("ignore", "TLSServer is deprecated")
+            TLSServer.__init__(
+                self, server_address, socketserver.BaseRequestHandler, certs=certs,
+                ipv6=ipv6)
         self.challenge_certs = challenge_certs
 
     def _cert_selection(self, connection: SSL.Connection) -> Optional[crypto_util._KeyAndCert]:

certbot/CHANGELOG.md

@@ -14,8 +14,9 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 * acme.client.ClientNetwork now makes the "key" parameter optional.
 * Deprecated `acme.challenges.TLSALPN01Response`
 * Deprecated `acme.challenges.TLSALPN01`
-* Deprecated ivar `alpn_selection` from `acme.crypto_util.SSLSocket`
 * Deprecated parameter `alpn_protocols` from `acme.crypto_util.probe_sni`
+* Deprecated `acme.crypto_util.SSLSocket`
+* Deprecated `acme.standalone.TLSServer`
 * Deprecated `acme.standalone.TLSALPN01Server`
 * Dropped support for Python 3.9.0 and 3.9.1 for compatibility with newer
   versions of the cryptography Python package. Python 3.9.2+ is still

pytest.ini

@@ -20,10 +20,11 @@
 # 3) Ignore DeprecationWarning for datetime.utcfromtimestamp() triggered
 #    from dateutil. See https://github.com/dateutil/dateutil/issues/1314.
 # 4 & 5) The pyOpenSSL X509/PKey warnings are due to TLS-ALPN-01 support.
-#    Resolving these warnings is being tracked by
+#        Resolving these warnings is being tracked by
 #        https://github.com/certbot/certbot/issues/10079.
-# 6 - 10) Planning to remove unused TLS-ALPN support in acme.
-#        See https://github.com/certbot/certbot/issues/10266
+# 6 - 11) Planning to remove unused TLS-ALPN support in acme.
+#         See https://github.com/certbot/certbot/issues/10266 and
+#         https://github.com/certbot/certbot/pull/10294.
 filterwarnings =
     error
     ignore:.*rsyncdir:DeprecationWarning
@@ -31,8 +32,9 @@ filterwarnings =
     ignore:.*datetime.utcfromtimestamp\(\) is deprecated:DeprecationWarning:dateutil
     ignore:Passing pyOpenSSL X509 objects is deprecated:DeprecationWarning
     ignore:Passing pyOpenSSL PKey objects is deprecated:DeprecationWarning
-    ignore:alpn_selection ivar is deprecated:DeprecationWarning
     ignore:alpn_protocols parameter is deprecated:DeprecationWarning
+    ignore:SSLSocket is deprecated:DeprecationWarning
     ignore:TLSALPN01Server is deprecated:DeprecationWarning
     ignore:TLSALPN01Response is deprecated:DeprecationWarning
     ignore:TLSALPN01 is deprecated:DeprecationWarning
+    ignore:TLSServer is deprecated:DeprecationWarning