authorMaximilian Hils <git@maximilianhils.com>2021-03-10 22:35:24 +0100
committerGitHub <noreply@github.com>2021-03-10 15:35:24 -0600
commit5dc698861c91b4aa83b284b282c0e91cdcee49a3 (patch)
treed98c73d18f263a76f0b10c7c75d1ea26d4ac858c /src/OpenSSL/SSL.py
parentd290855aab9f12d7cf739c63aad9ca3699d936f7 (diff)
downloadpyopenssl-5dc698861c91b4aa83b284b282c0e91cdcee49a3.tar.gz
Add SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version bindings (#985)
* add Context.set_*_proto_version, fix #860 * docs: add new openssl tls methods * accept the fact that nothing can be taken for granted * bump minimum required cryptography version to 3.3 * drop support for Python 3.5 * use binary wheels for cryptography * Revert "use binary wheels for cryptography" This reverts commit 91a04c612ed1d0dd9fd541dfefe21cac7c25b1c1. * docker ci: compile cryptography with rust
Diffstat (limited to 'src/OpenSSL/SSL.py')
-rw-r--r--src/OpenSSL/SSL.py60
1 files changed, 58 insertions, 2 deletions
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index cd1e9be..660cd9f 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -44,6 +44,14 @@ __all__ = [
"TLSv1_METHOD",
"TLSv1_1_METHOD",
"TLSv1_2_METHOD",
+ "TLS_METHOD",
+ "TLS_SERVER_METHOD",
+ "TLS_CLIENT_METHOD",
+ "SSL3_VERSION",
+ "TLS1_VERSION",
+ "TLS1_1_VERSION",
+ "TLS1_2_VERSION",
+ "TLS1_3_VERSION",
"OP_NO_SSLv2",
"OP_NO_SSLv3",
"OP_NO_TLSv1",
@@ -139,6 +147,24 @@ SSLv23_METHOD = 3
TLSv1_METHOD = 4
TLSv1_1_METHOD = 5
TLSv1_2_METHOD = 6
+TLS_METHOD = 7
+TLS_SERVER_METHOD = 8
+TLS_CLIENT_METHOD = 9
+
+try:
+ SSL3_VERSION = _lib.SSL3_VERSION
+ TLS1_VERSION = _lib.TLS1_VERSION
+ TLS1_1_VERSION = _lib.TLS1_1_VERSION
+ TLS1_2_VERSION = _lib.TLS1_2_VERSION
+ TLS1_3_VERSION = _lib.TLS1_3_VERSION
+except AttributeError:
+ # Hardcode constants for cryptography < 3.4, see
+ # https://github.com/pyca/pyopenssl/pull/985#issuecomment-775186682
+ SSL3_VERSION = 768
+ TLS1_VERSION = 769
+ TLS1_1_VERSION = 770
+ TLS1_2_VERSION = 771
+ TLS1_3_VERSION = 772
OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2
OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3
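Review bot: The fallback comment above the hardcoded constants says only "Hardcode constants for cryptography < 3.4", which reads as if 768–772 were library-specific values that could drift from what the linked OpenSSL expects; they are the protocol's own record-layer version numbers (0x0300 for SSL 3.0 through 0x0304 for TLS 1.3), so the fallback is safe by construction and the comment should say so. I would extend it to `# These are the TLS protocol version numbers (0x0300..0x0304) fixed by the spec, not library-specific values, so hardcoding them is safe`. The new `TLS_METHOD = 7` .. `TLS_CLIENT_METHOD = 9` identifiers, by contrast, are pyOpenSSL-internal keys (presumably resolved through the `_methods` table below) and a one-line comment distinguishing the two kinds of constant would help the next reader.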
@@ -603,8 +629,9 @@ class Context(object):
:class:`OpenSSL.SSL.Context` instances define the parameters for setting
up new SSL connections.
- :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or
- TLSv1_METHOD.
+ :param method: One of TLS_METHOD, TLS_CLIENT_METHOD, or TLS_SERVER_METHOD.
+ SSLv23_METHOD, TLSv1_METHOD, etc. are deprecated and should
+ not be used.
"""
_methods = {
@@ -614,6 +641,9 @@ class Context(object):
TLSv1_METHOD: "TLSv1_method",
TLSv1_1_METHOD: "TLSv1_1_method",
TLSv1_2_METHOD: "TLSv1_2_method",
+ TLS_METHOD: "TLS_method",
+ TLS_SERVER_METHOD: "TLS_server_method",
+ TLS_CLIENT_METHOD: "TLS_client_method",
}
_methods = dict(
(identifier, getattr(_lib, name))
@@ -661,6 +691,32 @@ class Context(object):
self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)
+ def set_min_proto_version(self, version):
+ """
+ Set the minimum supported protocol version. Setting the minimum
+ version to 0 will enable protocol versions down to the lowest version
+ supported by the library.
+
+ If the underlying OpenSSL build is missing support for the selected
+ version, this method will raise an exception.
+ """
+ _openssl_assert(
+ _lib.SSL_CTX_set_min_proto_version(self._context, version) == 1
+ )
+
+ def set_max_proto_version(self, version):
+ """
+ Set the maximum supported protocol version. Setting the maximum
+ version to 0 will enable protocol versions up to the highest version
+ supported by the library.
+
+ If the underlying OpenSSL build is missing support for the selected
+ version, this method will raise an exception.
+ """
+ _openssl_assert(
+ _lib.SSL_CTX_set_max_proto_version(self._context, version) == 1
+ )
+
def load_verify_locations(self, cafile, capath=None):
"""
Let SSL know where we can find trusted certificates for the certificate
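Review bot: The docstrings of `set_min_proto_version` and `set_max_proto_version` present `0` as a neutral "use the library's range" value, but for the minimum it is a downgrade-permissive setting: the effective floor becomes whatever the linked OpenSSL build allows (possibly TLS 1.0, or SSLv3 on builds that enable it), constrained only by any `OP_NO_*` options on the context, and nothing in the new code warns about that. I would add to the `set_min_proto_version` docstring: `Passing 0 removes the floor entirely; for anything security-sensitive pass an explicit value such as TLS1_2_VERSION rather than relying on the library default.` Both docstrings should also name the accepted values (`SSL3_VERSION`, `TLS1_VERSION`, `TLS1_1_VERSION`, `TLS1_2_VERSION`, `TLS1_3_VERSION`) and replace the vague "will raise an exception" with `:raises Error:` (presumably the module's `Error`, since that is what `_openssl_assert` raises elsewhere), and note that these calls are meant for contexts created with the version-flexible `TLS_METHOD`/`TLS_CLIENT_METHOD`/`TLS_SERVER_METHOD`, because their interaction with the fixed-version legacy methods is not obvious from this code.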