PYTHON-4492 Fallback to stdlib ssl when pyopenssl import fails with AttributeError

[oh2fih]

Catch AttributeError caused by incompatibility between PyOpenSSL < 23.2.0 & cryptography >= 42.0.0.

In a situation where incompatible versions are already installed on the system (regardless pip install "pymongo[ocsp]" as noticed in https://jira.mongodb.org/browse/PYTHON-4491), the user now gets an unhandled exception with a stack trace:

  File "/home/user/.local/lib/python3.10/site-packages/pymongo/ssl_support.py", line 24, in <module>
    import pymongo.pyopenssl_context as _ssl
  File "/home/user/.local/lib/python3.10/site-packages/pymongo/pyopenssl_context.py", line 29, in <module>
    from OpenSSL import SSL as _SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1579, in <module>
    class X509StoreFlags(object):
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1598, in X509StoreFlags
    NOTIFY_POLICY = _lib.X509_V_FLAG_NOTIFY_POLICY
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_NOTIFY_POLICY'. Did you mean: 'X509_V_FLAG_EXPLICIT_POLICY'?

The added exception handling tries to fix this problem by falling back to stdlib SSL as would happen if the PyOpenSSL was not installed at all. Additionally, the stack trace is replaced with a user-friendly warning suggesting a possible solution in case the OCSP support is desired.

Ref. cve-search/cve-search#1099 (comment), conda/conda#13619 (comment) & #1666.

[ShaneHarvey]

Thanks @oh2fih! I scheduled the CI checks now.