Fix deprecation warnings for Python 3.10 ssl module

src/urllib3/contrib/pyopenssl.py

@@ -76,6 +76,7 @@ class UnsupportedExtension(Exception):
 
 from .. import util
 from ..packages import six
+from ..util.ssl_ import PROTOCOL_TLS_CLIENT
 
 __all__ = ["inject_into_urllib3", "extract_from_urllib3"]
 
@@ -85,6 +86,7 @@ class UnsupportedExtension(Exception):
 # Map from urllib3 to PyOpenSSL compatible parameter-values.
 _openssl_versions = {
  util.PROTOCOL_TLS: OpenSSL.SSL.SSLv23_METHOD,
+ PROTOCOL_TLS_CLIENT: OpenSSL.SSL.SSLv23_METHOD,
  ssl.PROTOCOL_TLSv1: OpenSSL.SSL.TLSv1_METHOD,
 }
 

src/urllib3/contrib/securetransport.py

@@ -67,6 +67,7 @@
 import six
 
 from .. import util
+from ..util.ssl_ import PROTOCOL_TLS_CLIENT
 from ._securetransport.bindings import CoreFoundation, Security, SecurityConst
 from ._securetransport.low_level import (
  _assert_no_error,
@@ -154,7 +155,8 @@
 # TLSv1 and a high of TLSv1.2. For everything else, we pin to that version.
 # TLSv1 to 1.2 are supported on macOS 10.8+
 _protocol_to_min_max = {
- util.PROTOCOL_TLS: (SecurityConst.kTLSProtocol1, SecurityConst.kTLSProtocol12)
+ util.PROTOCOL_TLS: (SecurityConst.kTLSProtocol1, SecurityConst.kTLSProtocol12),
+ PROTOCOL_TLS_CLIENT: (SecurityConst.kTLSProtocol1, SecurityConst.kTLSProtocol12),
 }
 
 if hasattr(ssl, "PROTOCOL_SSLv2"):

src/urllib3/packages/ssl_match_hostname/__init__.py

@@ -1,9 +1,11 @@
 import sys
 
 try:
- # Our match_hostname function is the same as 3.5's, so we only want to
+ # Our match_hostname function is the same as 3.10's, so we only want to
  # import the match_hostname function if it's at least that good.
- if sys.version_info < (3, 5):
+ # We also fallback on Python 3.10+ because our code doesn't emit
+ # deprecation warnings and is the same as Python 3.10 otherwise.
+ if sys.version_info < (3, 5) or sys.version_info >= (3, 10):
  raise ImportError("Fallback to vendored code")
 
  from ssl import CertificateError, match_hostname

src/urllib3/util/ssl_.py

@@ -71,6 +71,11 @@ def _const_compare_digest_backport(a, b):
  except ImportError:
  PROTOCOL_SSLv23 = PROTOCOL_TLS = 2
 
+try:
+ from ssl import PROTOCOL_TLS_CLIENT
+except ImportError:
+ PROTOCOL_TLS_CLIENT = PROTOCOL_TLS
+
 
 try:
  from ssl import OP_NO_COMPRESSION, OP_NO_SSLv2, OP_NO_SSLv3
@@ -278,7 +283,11 @@ def create_urllib3_context(
  Constructed SSLContext object with specified options
  :rtype: SSLContext
  """
- context = SSLContext(ssl_version or PROTOCOL_TLS)
+ # PROTOCOL_TLS is deprecated in Python 3.10
+ if not ssl_version or ssl_version == PROTOCOL_TLS:
+ ssl_version = PROTOCOL_TLS_CLIENT
+
+ context = SSLContext(ssl_version)
 
  context.set_ciphers(ciphers or DEFAULT_CIPHERS)
 
@@ -313,13 +322,25 @@ def create_urllib3_context(
  ) is not None:
  context.post_handshake_auth = True
 
- context.verify_mode = cert_reqs
- if (
- getattr(context, "check_hostname", None) is not None
- ): # Platform-specific: Python 3.2
- # We do our own verification, including fingerprints and alternative
- # hostnames. So disable it here
- context.check_hostname = False
+ def disable_check_hostname():
+ if (
+ getattr(context, "check_hostname", None) is not None
+ ): # Platform-specific: Python 3.2
+ # We do our own verification, including fingerprints and alternative
+ # hostnames. So disable it here
+ context.check_hostname = False
+
+ # The order of the below lines setting verify_mode and check_hostname
+ # matter due to safe-guards SSLContext has to prevent an SSLContext with
+ # check_hostname=True, verify_mode=NONE/OPTIONAL. This is made even more
+ # complex because we don't know whether PROTOCOL_TLS_CLIENT will be used
+ # or not so we don't know the initial state of the freshly created SSLContext.
+ if cert_reqs == ssl.CERT_REQUIRED:
+ context.verify_mode = cert_reqs
+ disable_check_hostname()
+ else:
+ disable_check_hostname()
+ context.verify_mode = cert_reqs
 
  # Enable logging of TLS session keys via defacto standard environment variable
  # 'SSLKEYLOGFILE', if the feature is available (Python 3.8+). Skip empty values.