gh-94598: Remove deprecated ssl modules features

[tiran]

• Issue: [ssl] Remove deprecated protocols, OP_NO_TLS/SSL, and support for TLS < 1.2 #94598

[tiran]

• documentation updates are still work in progress
• update whatsnew in 3.12 and porting to 3.12

[graingert]

Can you make these attributes warn on access in 3.11? using the approach here

cpython/Lib/importlib/abc.py

Lines 28 to 38 in 6dadf6c

	def __getattr__(name):
	"""
	For backwards compatibility, continue to make names
	from _resources_abc available through this module. #93963
	"""
	if name in _resources_abc.__all__:
	obj = getattr(_resources_abc, name)
	warnings._deprecated(f"{__name__}.{name}", remove=(3, 14))
	globals()[name] = obj
	return obj
	raise AttributeError(f'module {__name__!r} has no attribute {name!r}')

Currently they only warn at use, and it would make testing this change much easier if they warn on access

[tiran]

Enum's convert helper gets in the way. It adds the variables to global name space unconditionally.

[graingert]

Could you del the globals, adding them back with __getattr__?

[tiran]

That's ugly.

[hugovk]

It's ugly but it would give users a heads-up this is going to be removed.

[tiran]

It's ugly but it would give users a heads-up this is going to be removed.

The ssl module has been warning about deprecated features since 3.10:

$ python3.10 -Werror -c 'import ssl; ssl.SSLContext(ssl.PROTOCOL_TLS)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python3.10/ssl.py", line 496, in __new__
    self = _SSLContext.__new__(cls, protocol)
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated

Functions and methods don't warn on attribute access either. They typically warn when they are called (used).

[tiran]

Compromise: 3.11 is at the end of its beta phase. I don't want to add ugly code to it. Instead I'm going to add warnings for the deprecated module constants to 3.12 and remove them in 3.13. They won't work in 3.12, though. Attribute access won't raise an AttributeError.

$ ./python -Wonce -c "import ssl; print(ssl.PROTOCOL_TLS)"
<string>:1: DeprecationWarning: ssl.PROTOCOL_TLS is no longer supported. The constants will be removed in 3.13. Use ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER instead.
NotImplemented

$ ./python -Wonce -c "import ssl; print(ssl.OP_NO_TLSv1)"
<string>:1: DeprecationWarning: ssl.OP_NO_TLSv1 is no longer supported. The constants will be removed in 3.13. Use SSLContext's 'minimum_version' and 'maximum_version' properties instead.
67108864

[arhadthedev]

Deprecated :mod:`ssl` features have been removed

• support for SSL 3.0, TLS 1.0, and TLS 1.1
• all ``PROTOCOL_*`` constants except ``PROTOCOL_TLS_CLIENT`` and ``PROTOCOL_TLS_SERVER``
• all ``OP_NO_SSL*`` and ``OP_NO_TLS*`` option flags
• ``TLSVersion.SSLv3``, ``TLSVersion.TLSv1``, and ``TLSVersion.TLSv1_1``
• :class:`ssl.SSLContext` now requires a protocol argument

Is there any chance to get it into 3.12b1?

cc @dstufft, @alex

[erlend-aasland]

Is there any chance to get it into 3.12b1?

Feel free to pick it up and prepare it for the next 3.13 alpha.