Error out on OpenSSL 1.0.0 by default (#3276)

* Error out on OpenSSL 1.0.0 by default

* what the heck

1 files changed, 13 insertions, 6 deletions

diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 25849bf3..19151b0e 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -191,12 +191,19 @@ class Binding(object):
 
 def _verify_openssl_version(version):
     if version < 0x10001000:
-        warnings.warn(
-            "OpenSSL version 1.0.0 is no longer supported by the OpenSSL "
-            "project, please upgrade. The next version of cryptography will "
-            "drop support for it.",
-            DeprecationWarning
-        )
+        if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_100"):
+            warnings.warn(
+                "OpenSSL version 1.0.0 is no longer supported by the OpenSSL "
+                "project, please upgrade. The next version of cryptography "
+                "will completely remove support for it.",
+                DeprecationWarning
+            )
+        else:
+            raise RuntimeError(
+                "You are linking against OpenSSL 1.0.0, which is no longer "
+                "support by the OpenSSL project. You need to upgrade to a "
+                "newer version of OpenSSL."
+            )
 
 
 # OpenSSL is not thread safe until the locks are initialized. We call this