diff --git a/acme/src/acme/crypto_util.py b/acme/src/acme/crypto_util.py
index b0783952c..f6d668f90 100644
--- a/acme/src/acme/crypto_util.py
+++ b/acme/src/acme/crypto_util.py
@@ -100,11 +100,10 @@ class SSLSocket: # pylint: disable=too-few-public-methods
 ]
 ] = None,
 ) -> None:
+ warnings.warn("SSLSocket is deprecated and will be removed in an upcoming release",
+ DeprecationWarning)
 self.sock = sock
 self.alpn_selection = alpn_selection
- if alpn_selection:
- warnings.warn("alpn_selection ivar is deprecated and will be removed in an "
- "upcoming certbot major version update", DeprecationWarning)
 self.method = method
 if not cert_selection and not certs:
 raise ValueError("Neither cert_selection or certs specified.")
@@ -160,11 +159,15 @@ class SSLSocket: # pylint: disable=too-few-public-methods
 # OpenSSL.SSL.Connection.shutdown doesn't accept any args
 try:
 return self._wrapped.shutdown()
- except SSL.Error as error:
+ except SSL.Error as error: # pragma: no cover
 # We wrap the error so we raise the same error type as sockets
 # in the standard library. This is useful when this object is
 # used by code which expects a standard socket such as
 # socketserver in the standard library.
+ #
+ # We don't track code coverage in this "except" branch to avoid spurious CI failures
+ # caused by missing test coverage. These aren't worth fixing because this entire
+ # class has been deprecated. See https://github.com/certbot/certbot/issues/10284.
 raise OSError(error)
 
 def accept(self) -> Tuple[FakeConnection, Any]: # pylint: disable=missing-function-docstring
diff --git a/acme/src/acme/standalone.py b/acme/src/acme/standalone.py
index cf3df7081..b056c7916 100644
--- a/acme/src/acme/standalone.py
+++ b/acme/src/acme/standalone.py
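Review bot: The `warnings.warn(...)` added at the top of `SSLSocket.__init__` in acme/src/acme/crypto_util.py uses the default stack level, so the DeprecationWarning is attributed to crypto_util.py rather than to the code that constructs the socket. Python's default filters only display a DeprecationWarning attributed to `__main__`, so most callers would never see this one unless they enable warnings themselves. Passing `stacklevel=2`, as in `warnings.warn("SSLSocket is deprecated and will be removed in an upcoming release", DeprecationWarning, stacklevel=2)`, points it at the caller, and the same applies to the warning added in `TLSServer.__init__` in standalone.py. The filters in pytest.ini and `_wrap_sock` match on message text only and would be unaffected; `__init__` begins and ends outside this hunk.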
@@ -26,9 +26,15 @@ logger = logging.getLogger(__name__) class TLSServer(socketserver.TCPServer): - """Generic TLS Server.""" + """Generic TLS Server + + .. deprecated:: 4.1.0 + + """ def __init__(self, *args: Any, **kwargs: Any) -> None: + warnings.warn("TLSServer is deprecated and will be removed in an upcoming release", + DeprecationWarning) self.ipv6 = kwargs.pop("ipv6", False) if self.ipv6: self.address_family = socket.AF_INET6 @@ -41,10 +47,7 @@ class TLSServer(socketserver.TCPServer): def _wrap_sock(self) -> None: with warnings.catch_warnings(): - warnings.filterwarnings( - 'ignore', - message='alpn_selection ivar is deprecated' - ) + warnings.filterwarnings('ignore', 'SSLSocket is deprecated') self.socket = cast(socket.socket, crypto_util.SSLSocket( self.socket, cert_selection=self._cert_selection, alpn_selection=getattr(self, '_alpn_selection', None), @@ -169,9 +172,11 @@ class TLSALPN01Server(TLSServer, ACMEServerMixin): # We don't need to implement a request handler here because the work # (including logging) is being done by wrapped socket set up in the # parent TLSServer class. - TLSServer.__init__( - self, server_address, socketserver.BaseRequestHandler, certs=certs, - ipv6=ipv6) + with warnings.catch_warnings(): + warnings.filterwarnings("ignore", "TLSServer is deprecated") + TLSServer.__init__( + self, server_address, socketserver.BaseRequestHandler, certs=certs, + ipv6=ipv6) self.challenge_certs = challenge_certs def _cert_selection(self, connection: SSL.Connection) -> Optional[crypto_util._KeyAndCert]: diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md index 011eb8470..08abbbd1b 100644 --- a/certbot/CHANGELOG.md +++ b/certbot/CHANGELOG.md 
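Review bot: The `.. deprecated:: 4.1.0` directive added to the `TLSServer` docstring in the first standalone.py hunk has no explanatory body, so the rendered docs give the version but not the reason or what callers should do. A one-line body such as `TLS-ALPN-01 support in acme is unused and scheduled for removal.` would carry the rationale already recorded in the pytest.ini comment. The summary line also lost its trailing period (`"""Generic TLS Server`). The crypto_util.py hunks do not show a matching directive for `SSLSocket`; its class docstring is outside the diff, so that is worth checking.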
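Review bot: The replacement filter in `_wrap_sock`, `warnings.filterwarnings('ignore', 'SSLSocket is deprecated')`, leaves the category at its default of `Warning`, so it hides any warning class whose message starts with that text rather than only the deprecation notice. Naming the category keeps the suppression narrow: `warnings.filterwarnings('ignore', 'SSLSocket is deprecated', DeprecationWarning)`. The same applies to the `"TLSServer is deprecated"` filter added in `TLSALPN01Server.__init__` in the third hunk, which also uses double quotes where this one uses single. `warnings.catch_warnings()` swaps process-wide filter state and is documented as not thread-safe, so if these servers are assumed to be constructed from a single thread, a short comment saying so would help.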
@@ -14,8 +14,9 @@ Certbot adheres to [Semantic Versioning](https://semver.org/). * acme.client.ClientNetwork now makes the "key" parameter optional. * Deprecated `acme.challenges.TLSALPN01Response` * Deprecated `acme.challenges.TLSALPN01` -* Deprecated ivar `alpn_selection` from `acme.crypto_util.SSLSocket` * Deprecated parameter `alpn_protocols` from `acme.crypto_util.probe_sni` +* Deprecated `acme.crypto_util.SSLSocket` +* Deprecated `acme.standalone.TLSServer` * Deprecated `acme.standalone.TLSALPN01Server` * Dropped support for Python 3.9.0 and 3.9.1 for compatibility with newer versions of the cryptography Python package. Python 3.9.2+ is still diff --git a/pytest.ini b/pytest.ini index 1bcf2640b..355a6af20 100644 --- a/pytest.ini +++ b/pytest.ini @@ -20,10 +20,11 @@ # 3) Ignore DeprecationWarning for datetime.utcfromtimestamp() triggered # from dateutil. See https://github.com/dateutil/dateutil/issues/1314. # 4 & 5) The pyOpenSSL X509/PKey warnings are due to TLS-ALPN-01 support. -# Resolving these warnings is being tracked by +# Resolving these warnings is being tracked by # https://github.com/certbot/certbot/issues/10079. -# 6 - 10) Planning to remove unused TLS-ALPN support in acme. -# See https://github.com/certbot/certbot/issues/10266 +# 6 - 11) Planning to remove unused TLS-ALPN support in acme. +# See https://github.com/certbot/certbot/issues/10266 and +# https://github.com/certbot/certbot/pull/10294. filterwarnings = error ignore:.*rsyncdir:DeprecationWarning 
@@ -31,8 +32,9 @@ filterwarnings =
 ignore:.*datetime.utcfromtimestamp\(\) is deprecated:DeprecationWarning:dateutil
 ignore:Passing pyOpenSSL X509 objects is deprecated:DeprecationWarning
 ignore:Passing pyOpenSSL PKey objects is deprecated:DeprecationWarning
- ignore:alpn_selection ivar is deprecated:DeprecationWarning
 ignore:alpn_protocols parameter is deprecated:DeprecationWarning
+ ignore:SSLSocket is deprecated:DeprecationWarning
 ignore:TLSALPN01Server is deprecated:DeprecationWarning
 ignore:TLSALPN01Response is deprecated:DeprecationWarning
 ignore:TLSALPN01 is deprecated:DeprecationWarning
+ ignore:TLSServer is deprecated:DeprecationWarning
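Review bot: The two new entries, `ignore:SSLSocket is deprecated:DeprecationWarning` and `ignore:TLSServer is deprecated:DeprecationWarning`, apply to the whole suite, so even with `error` as the base action the tests cannot tell whether the `warnings.catch_warnings()` suppressions added in standalone.py actually work. They would also stay silent if non-deprecated code started constructing these classes. If the goal is only to keep tests of the deprecated classes passing, consider a per-test `@pytest.mark.filterwarnings("ignore:SSLSocket is deprecated")` on those tests, or add a test asserting that constructing `TLSALPN01Server` emits no `TLSServer is deprecated` warning. The entries follow the pattern of the existing ones, so this is a suggestion rather than a defect.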