breaking: Python 3.12 compatibility & remove custom SSL adapter (#3185)

Add support for Python 3.12.

`match_hostname` is gone in Python 3.12 and has been unused by
Python since 3.7.

The custom SSL adapter allows passing a specific SSL version; this
was first introduced a looong time ago to handle some SSL issues
at the time.

Closes #3176.

---------

Signed-off-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Signed-off-by: Milas Bowman <milas.bowman@docker.com>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>

Author: milas

.github/workflows/ci.yml

@@ -4,15 +4,16 @@ on: [push, pull_request]
 
 env:
   DOCKER_BUILDKIT: '1'
+  FORCE_COLOR: 1
 
 jobs:
     lint:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
             - uses: actions/setup-python@v4
               with:
-                  python-version: '3.11'
+                  python-version: '3.x'
             - run: pip install -U ruff==0.0.284
             - name: Run ruff
               run: ruff docker tests
@@ -21,14 +22,15 @@ jobs:
         runs-on: ubuntu-latest
         strategy:
             matrix:
-                python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
+                python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", "3.12"]
 
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
             - name: Set up Python ${{ matrix.python-version }}
               uses: actions/setup-python@v4
               with:
                 python-version: ${{ matrix.python-version }}
+                allow-prereleases: true
             - name: Install dependencies
               run: |
                   python3 -m pip install --upgrade pip
@@ -46,7 +48,7 @@ jobs:
                 variant: [ "integration-dind", "integration-dind-ssl", "integration-dind-ssh" ]
 
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
             - name: make ${{ matrix.variant }}
               run: |
                   docker logout

.github/workflows/release.yml

@@ -12,11 +12,15 @@ on:
         type: boolean
         default: true
 
+env:
+  DOCKER_BUILDKIT: '1'
+  FORCE_COLOR: 1
+
 jobs:
   publish:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: actions/setup-python@v4
         with:

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG PYTHON_VERSION=3.10
+ARG PYTHON_VERSION=3.12
 
 FROM python:${PYTHON_VERSION}
 

Dockerfile-docs

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG PYTHON_VERSION=3.10
+ARG PYTHON_VERSION=3.12
 
 FROM python:${PYTHON_VERSION}
 

Jenkinsfile

@@ -4,6 +4,7 @@
 from functools import partial
 
 import requests
+import requests.adapters
 import requests.exceptions
 
 from .. import auth
@@ -14,7 +15,7 @@
 from ..errors import (DockerException, InvalidVersion, TLSParameterError,
                       create_api_error_from_http_exception)
 from ..tls import TLSConfig
-from ..transport import SSLHTTPAdapter, UnixHTTPAdapter
+from ..transport import UnixHTTPAdapter
 from ..utils import check_resource, config, update_headers, utils
 from ..utils.json_stream import json_stream
 from ..utils.proxy import ProxyConfig
@@ -183,7 +184,7 @@ def __init__(self, base_url=None, version=None,
             if isinstance(tls, TLSConfig):
                 tls.configure_client(self)
             elif tls:
-                self._custom_adapter = SSLHTTPAdapter(
+                self._custom_adapter = requests.adapters.HTTPAdapter(
                     pool_connections=num_pools)
                 self.mount('https://', self._custom_adapter)
             self.base_url = base_url

docker/api/client.py

@@ -71,8 +71,6 @@ def from_env(cls, **kwargs):
             timeout (int): Default timeout for API calls, in seconds.
             max_pool_size (int): The maximum number of connections
                 to save in the pool.
-            ssl_version (int): A valid `SSL version`_.
-            assert_hostname (bool): Verify the hostname of the server.
             environment (dict): The environment to read environment variables
                 from. Default: the value of ``os.environ``
             credstore_env (dict): Override environment variables when calling

docker/client.py

@@ -1,8 +1,6 @@
 import os
-import ssl
 
 from . import errors
-from .transport import SSLHTTPAdapter
 
 
 class TLSConfig:
@@ -15,35 +13,18 @@ class TLSConfig:
         verify (bool or str): This can be a bool or a path to a CA cert
             file to verify against. If ``True``, verify using ca_cert;
             if ``False`` or not specified, do not verify.
-        ssl_version (int): A valid `SSL version`_.
-        assert_hostname (bool): Verify the hostname of the server.
-
-    .. _`SSL version`:
-        https://docs.python.org/3.5/library/ssl.html#ssl.PROTOCOL_TLSv1
     """
     cert = None
     ca_cert = None
     verify = None
-    ssl_version = None
 
-    def __init__(self, client_cert=None, ca_cert=None, verify=None,
-                 ssl_version=None, assert_hostname=None,
-                 assert_fingerprint=None):
+    def __init__(self, client_cert=None, ca_cert=None, verify=None):
         # Argument compatibility/mapping with
         # https://docs.docker.com/engine/articles/https/
         # This diverges from the Docker CLI in that users can specify 'tls'
         # here, but also disable any public/default CA pool verification by
         # leaving verify=False
 
-        self.assert_hostname = assert_hostname
-        self.assert_fingerprint = assert_fingerprint
-
-        # If the user provides an SSL version, we should use their preference
-        if ssl_version:
-            self.ssl_version = ssl_version
-        else:
-            self.ssl_version = ssl.PROTOCOL_TLS_CLIENT
-
         # "client_cert" must have both or neither cert/key files. In
         # either case, Alert the user when both are expected, but any are
         # missing.
@@ -77,18 +58,10 @@ def configure_client(self, client):
         """
         Configure a client with these TLS options.
         """
-        client.ssl_version = self.ssl_version
-
         if self.verify and self.ca_cert:
             client.verify = self.ca_cert
         else:
             client.verify = self.verify
 
         if self.cert:
             client.cert = self.cert
-
-        client.mount('https://', SSLHTTPAdapter(
-            ssl_version=self.ssl_version,
-            assert_hostname=self.assert_hostname,
-            assert_fingerprint=self.assert_fingerprint,
-        ))

docker/tls.py

@@ -1,5 +1,4 @@
 from .unixconn import UnixHTTPAdapter
-from .ssladapter import SSLHTTPAdapter
 try:
     from .npipeconn import NpipeHTTPAdapter
     from .npipesocket import NpipeSocket