From ef121d449086ec2e8acefa4834c525ddf7cff01c Mon Sep 17 00:00:00 2001 From: Aarni Koskela Date: Wed, 18 Mar 2026 17:03:02 +0200 Subject: [PATCH] Remove OpenSSL dependency The only place where `OpenSSL` is used is via an indirect dependency from `urllib3.contrib.pyopenssl`, which itself is only used when the Python built-in SSL module doesn't support SNI (Server Name Indication). That module itself is only imported via the vendored `requests` init, _iff_ `ssl.HAS_SNI` is `False`, or as an optional import in vendored `requests.help` (which is never imported by code; in the original `requests` library, it's supposed to be run as a command-line module, but it's unlikely `python -m oci._vendor.requests.help` is a real use case). The `urllib3.contrib.pyopenssl` module's docstring says: > This module was relevant before the standard library ``ssl`` > module supported SNI, but now that we've dropped support for > Python 2.7 all relevant Python versions support SNI so > **this module is no longer recommended**. This is related to https://github.com/oracle/oci-python-sdk/pull/802; right now there are upper version pins on `pyOpenSSL`, which prevent downstream users from upgrading to e.g. non-vulnerable versions of that library downstream. Signed-off-by: Aarni Koskela --- requirements.txt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index 168ef046d4..f88db40010 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,6 @@ coverage==4.5.2 cryptography>=3.2.1,<47.0.0 flake8>=3.6.0,<6 mock==2.0.0 -pyOpenSSL>=17.5.0,<=25.3.0 pytest==4.1.0 pytest-cov==2.6.1 attrs==19.1.0 @@ -21,4 +20,4 @@ circuitbreaker>=1.3.1,<3.0.0; python_version >= '3.7' urllib3==1.26.2; python_version < '3.10.0' urllib3>=2.6.3; python_version >= '3.10.0' docutils<0.18 -Jinja2<3.1 \ No newline at end of file +Jinja2<3.1
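Review bot: In the first hunk, the `pyOpenSSL>=17.5.0,<=25.3.0` pin is removed only from requirements.txt, where it sits among test tooling (coverage, flake8, mock, pytest), and the diffstat shows no other file changed. The stated goal is letting downstream users upgrade pyOpenSSL, so if the package's install metadata (not shown in this patch) carries the same upper bound, it should be dropped in this commit as well. The commit message also says the vendored `requests` init still imports `urllib3.contrib.pyopenssl` when `ssl.HAS_SNI` is `False`. Please confirm that the import tolerates pyOpenSSL being absent, or remove that branch here so no code path expects a package that is no longer declared.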
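Review bot: The end-of-file newline fix on `Jinja2<3.1` in the second hunk is unrelated to removing pyOpenSSL and accounts for the single insertion in the diffstat. It is harmless, but either mention it in the commit message or move it to a separate commit so the change stays limited to the dependency removal.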