remove historical SSL context compatibility for Python2 (#250)

Thriftpy · Mar 14, 2024 · bb37883 · bb37883
1 parent e0f0081
commit bb37883
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 34 deletions.
diff --git a/tests/test_sslsocket.py b/tests/test_sslsocket.py
@@ -7,7 +7,6 @@
 
 import pytest
 
-from thriftpy2._compat import MODERN_SSL
 from thriftpy2.transport import TTransportException, create_thriftpy_context
 from thriftpy2.transport.sslsocket import TSSLSocket, TSSLServerSocket
 

diff --git a/thriftpy2/_compat.py b/thriftpy2/_compat.py
@@ -19,9 +19,6 @@
 UNIX = platform.system() in ("Linux", "Darwin")
 CYTHON = UNIX and not PYPY  # Cython always disabled in pypy and windows
 
-# only Python 2.7.9 and Python 3.4 or above have true ssl context
-MODERN_SSL = sys.version_info >= (2, 7, 9)
-
 if PY3:
     text_type = str
     string_types = (str,)

diff --git a/thriftpy2/transport/_ssl.py b/thriftpy2/transport/_ssl.py
@@ -7,8 +7,6 @@
 import ssl
 import warnings
 
-from .._compat import MODERN_SSL
-
 try:
     from ssl import (
         OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
@@ -110,8 +108,7 @@ def wrap_socket(self, socket, server_hostname=None, server_side=False):
 
 
 def create_thriftpy_context(server_side=False, ciphers=None):
-    """Backport create_default_context for older python versions.
-
+    """
     The SSLContext has some default security options, you can disable them
     manually, for example::
 
@@ -121,34 +118,25 @@ def create_thriftpy_context(server_side=False, ciphers=None):
 
     You can do the same to enable compression.
     """
-    if MODERN_SSL:
-        if server_side:
-            context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-        else:
-            context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
 
-        if ciphers:
-            context.set_ciphers(ciphers)
+    context = SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= OP_NO_SSLv2
+    context.options |= OP_NO_SSLv3
+    context.options |= OP_NO_COMPRESSION
 
+    # server/client default options
+    if server_side:
+        context.options |= OP_CIPHER_SERVER_PREFERENCE
+        context.options |= OP_SINGLE_DH_USE
+        context.options |= OP_SINGLE_ECDH_USE
     else:
-        context = SSLContext(ssl.PROTOCOL_SSLv23)
-        context.options |= OP_NO_SSLv2
-        context.options |= OP_NO_SSLv3
-        context.options |= OP_NO_COMPRESSION
-
-        # server/client default options
-        if server_side:
-            context.options |= OP_CIPHER_SERVER_PREFERENCE
-            context.options |= OP_SINGLE_DH_USE
-            context.options |= OP_SINGLE_ECDH_USE
-        else:
-            context.verify_mode = ssl.CERT_REQUIRED
-            # context.check_hostname = True
-            warnings.warn(
-                "ssl check hostname support disabled, upgrade your python",
-                InsecurePlatformWarning)
-
-        if ciphers:
-            context.set_ciphers(ciphers)
+        context.verify_mode = ssl.CERT_REQUIRED
+        # context.check_hostname = True
+        warnings.warn(
+            "ssl check hostname support disabled, upgrade your python",
+            InsecurePlatformWarning)
+
+    if ciphers:
+        context.set_ciphers(ciphers)
 
     return context