authorAlex Gaynor <alex.gaynor@gmail.com>2019-10-18 08:47:15 -0400
committerPaul Kehrer <paul.l.kehrer@gmail.com>2019-10-18 20:47:15 +0800
commit1c186772f6fd64180bd3387de2e1ef1a6d1ba58e (patch)
treea3a95a96a5e4b21d80d0529df79d5d4a71070082
parenta1307a1f34e4f6f8f124cde92ec53c4cd0580078 (diff)
Fixes #5018 -- break users on OpenSSL 1.0.1 (#5022)
* Fixes #5018 -- break users on OpenSSL 1.0.1 * Grammar * Syntax error * Missing import * Missing import
-rw-r--r--CHANGELOG.rst3
-rw-r--r--docs/faq.rst13
-rw-r--r--docs/installation.rst4
-rw-r--r--src/cryptography/hazmat/bindings/openssl/binding.py20
-rw-r--r--tests/hazmat/bindings/test_openssl.py14
-rw-r--r--tox.ini2
6 files changed, 47 insertions, 9 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 228c5f43..607f67b8 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,6 +8,9 @@ Changelog
.. note:: This version is not yet released and is under active development.
+* Support for OpenSSL 1.0.1 has been removed. Users on older version of OpenSSL
+ will need to upgrade.
+
.. _v2-8:
2.8 - 2019-10-16
diff --git a/docs/faq.rst b/docs/faq.rst
index 6d876610..235da672 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -82,6 +82,19 @@ Your ``pip`` and/or ``setuptools`` are outdated. Please upgrade to the latest
versions with ``pip install -U pip setuptools`` (or on Windows
``python -m pip install -U pip setuptools``).
+Importing cryptography causes a ``RuntimeError`` about OpenSSL 1.0.1
+--------------------------------------------------------------------
+
+The OpenSSL project has dropped support for the 1.0.1 release series. Since it
+is no longer receiving security patches from upstream, ``cryptography`` is also
+dropping support for it. To fix this issue you should upgrade to a newer
+version of OpenSSL (1.0.2 or later). This may require you to upgrade to a newer
+operating system.
+
+For the 2.9 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_101``
+environment variable. Please note that this is *temporary* and will be removed
+in ``cryptography`` 3.0.
+
Installing cryptography with OpenSSL 0.9.8 or 1.0.0 fails
---------------------------------------------------------
diff --git a/docs/installation.rst b/docs/installation.rst
index 2c83f33a..fc3fa894 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -32,8 +32,8 @@ OpenSSL releases:
* ``OpenSSL 1.1.1-latest``
.. warning::
- OpenSSL 1.0.1 is no longer supported by the OpenSSL project. Cryptography
- will drop support for it in the next release.
+ Cryptography 2.9 has dropped support for OpenSSL 1.0.1, see the
+ :doc:`FAQ </faq>` for more details
Building cryptography on Windows
--------------------------------
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 97405162..1e0f34c9 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -5,6 +5,7 @@
from __future__ import absolute_import, division, print_function
import collections
+import os
import threading
import types
import warnings
@@ -156,12 +157,19 @@ def _verify_openssl_version(lib):
lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
not lib.CRYPTOGRAPHY_IS_LIBRESSL
):
- warnings.warn(
- "OpenSSL version 1.0.1 is no longer supported by the OpenSSL "
- "project, please upgrade. The next version of cryptography will "
- "drop support for it.",
- utils.CryptographyDeprecationWarning
- )
+ if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_101"):
+ warnings.warn(
+ "OpenSSL version 1.0.1 is no longer supported by the OpenSSL "
+ "project, please upgrade. The next version of cryptography "
+ "will completely remove support for it.",
+ utils.CryptographyDeprecationWarning
+ )
+ else:
+ raise RuntimeError(
+ "You are linking against OpenSSL 1.0.1, which is no longer "
+ "supported by the OpenSSL project. You need to upgrade to a "
+ "newer version of OpenSSL."
+ )
def _verify_package_version(version):
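Review bot: The override check `if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_101"):` accepts any non-empty value, so `CRYPTOGRAPHY_ALLOW_OPENSSL_101=0` or `=false` still allows the import against an OpenSSL series that no longer receives security patches. Neither the FAQ text added in this commit nor the code names an expected value. Either compare explicitly, e.g. `if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_101") == "1":`, or document the behaviour with a comment above the check such as `# Any non-empty value opts in; temporary escape hatch, removed in 3.0.` The opening of the enclosing `if (` condition and the start of `_verify_openssl_version` lie outside this hunk.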
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 29a1c459..e9bcc18e 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -4,11 +4,14 @@
from __future__ import absolute_import, division, print_function
+import pretend
+
import pytest
from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings.openssl.binding import (
- Binding, _consume_errors, _openssl_assert, _verify_package_version
+ Binding, _consume_errors, _openssl_assert, _verify_openssl_version,
+ _verify_package_version
)
@@ -122,3 +125,12 @@ class TestOpenSSL(object):
def test_version_mismatch(self):
with pytest.raises(ImportError):
_verify_package_version("nottherightversion")
+
+ def test_verify_openssl_version(self, monkeypatch):
+ monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_101", raising=False)
+ lib = pretend.stub(
+ CRYPTOGRAPHY_OPENSSL_LESS_THAN_102=True,
+ CRYPTOGRAPHY_IS_LIBRESSL=False
+ )
+ with pytest.raises(RuntimeError):
+ _verify_openssl_version(lib)
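Review bot: Only the `RuntimeError` path of `_verify_openssl_version` is covered by `test_verify_openssl_version`. The branch taken when `CRYPTOGRAPHY_ALLOW_OPENSSL_101` is set has no test, even though it is the path that lets an unsupported OpenSSL through. A companion test that sets the variable and asserts the `CryptographyDeprecationWarning` would pin the override so it cannot silently become a no-op or stop warning. The sketch below assumes `utils` is imported from `cryptography` in this test module, which the visible import lines do not yet do.

```python
    def test_verify_openssl_version(self, monkeypatch):
        # … unchanged: default path raises RuntimeError …

    def test_verify_openssl_version_override(self, monkeypatch):
        monkeypatch.setenv("CRYPTOGRAPHY_ALLOW_OPENSSL_101", "1")
        lib = pretend.stub(
            CRYPTOGRAPHY_OPENSSL_LESS_THAN_102=True,
            CRYPTOGRAPHY_IS_LIBRESSL=False
        )
        with pytest.warns(utils.CryptographyDeprecationWarning):
            _verify_openssl_version(lib)
```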
diff --git a/tox.ini b/tox.ini
index 7de764f7..6c414973 100644
--- a/tox.ini
+++ b/tox.ini
@@ -13,6 +13,8 @@ deps =
./vectors
randomorder: pytest-randomly
passenv = ARCHFLAGS LDFLAGS CFLAGS INCLUDE LIB LD_LIBRARY_PATH USERNAME PYTHONIOENCODING
+setenv =
+ CRYPTOGRAPHY_ALLOW_OPENSSL_101=1
commands =
pip list
# We use parallel mode and then combine here so that coverage.py will take
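Review bot: The added `setenv` entry has no comment explaining why the override is on, and it appears to apply to every environment that inherits this section, not only the builders still linked against OpenSSL 1.0.1. With it set, an import-time regression in the default (raising) path would surface only through the one unit test that deletes the variable. A comment above it would help, e.g. `# Temporary: keeps the OpenSSL 1.0.1 builders importable; drop together with the override in 3.0.` The section header is outside this hunk, so the scope is inferred.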