[ruby/openssl] Require OpenSSL 1.1.1 or later

Drop support for OpenSSL 1.1.0. OpenSSL 1.1.0 was a non-LTS release and
it has reached upstream EOL in 2019-12 along with OpenSSL 1.0.2.
Distributions that shipped with OpenSSL 1.1.0 include:

 - Debian 9 (EOL 2022-06)
 - Ubuntu 18.04 LTS (EOL 2023-04)

https://github.com/ruby/openssl/commit/ba83abe920

14 files changed, 37 insertions, 164 deletions

diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 9eaf4d4829..249444135a 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -115,11 +115,11 @@ version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
     try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x30900000L", "openssl/opensslv.h") }
 else
   is_openssl = true
-  checking_for("OpenSSL version >= 1.1.0") {
-    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10100000L", "openssl/opensslv.h") }
+  checking_for("OpenSSL version >= 1.1.1") {
+    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10101000L", "openssl/opensslv.h") }
 end
 unless version_ok
-  raise "OpenSSL >= 1.1.0 or LibreSSL >= 3.9.0 is required"
+  raise "OpenSSL >= 1.1.1 or LibreSSL >= 3.9.0 is required"
 end
 
 # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
@@ -138,11 +138,8 @@ have_func("RAND_egd()", "openssl/rand.h")
 # added in 1.1.0, currently not in LibreSSL
 have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
 
-# added in 1.1.1
+# added in OpenSSL 1.1.1 and LibreSSL 3.5.0, then removed in LibreSSL 4.0.0
 have_func("EVP_PKEY_check(NULL)", evp_h)
-have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h)
-have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h)
-have_func("SSL_CTX_set_post_handshake_auth(NULL, 0)", ssl_h)
 
 # added in 3.0.0
 have_func("SSL_set0_tmp_dh_pkey(NULL, NULL)", ssl_h)
diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c
index c1875005c3..3aa7aead4d 100644
--- a/ext/openssl/ossl_hmac.c
+++ b/ext/openssl/ossl_hmac.c
@@ -97,19 +97,11 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
 
     GetHMAC(self, ctx);
     StringValue(key);
-#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
     pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
                                         (unsigned char *)RSTRING_PTR(key),
                                         RSTRING_LENINT(key));
     if (!pkey)
         ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key");
-#else
-    pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
-                                (unsigned char *)RSTRING_PTR(key),
-                                RSTRING_LENINT(key));
-    if (!pkey)
-        ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
-#endif
     if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
                            NULL, pkey) != 1) {
         EVP_PKEY_free(pkey);
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
index f7862002bb..207d1fa361 100644
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@@ -634,7 +634,6 @@ ossl_pkey_initialize_copy(VALUE self, VALUE other)
 }
 #endif
 
-#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
 /*
  *  call-seq:
  *      OpenSSL::PKey.new_raw_private_key(algo, string) -> PKey
@@ -665,9 +664,7 @@ ossl_pkey_new_raw_private_key(VALUE self, VALUE type, VALUE key)
 
     return ossl_pkey_new(pkey);
 }
-#endif
 
-#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
 /*
  *  call-seq:
  *      OpenSSL::PKey.new_raw_public_key(algo, string) -> PKey
@@ -698,7 +695,6 @@ ossl_pkey_new_raw_public_key(VALUE self, VALUE type, VALUE key)
 
     return ossl_pkey_new(pkey);
 }
-#endif
 
 /*
  * call-seq:
@@ -889,7 +885,6 @@ ossl_pkey_private_to_pem(int argc, VALUE *argv, VALUE self)
     return do_pkcs8_export(argc, argv, self, 0);
 }
 
-#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
 /*
  *  call-seq:
  *     pkey.raw_private_key   => string
@@ -916,7 +911,6 @@ ossl_pkey_raw_private_key(VALUE self)
 
     return str;
 }
-#endif
 
 VALUE
 ossl_pkey_export_spki(VALUE self, int to_der)
@@ -973,7 +967,6 @@ ossl_pkey_public_to_pem(VALUE self)
     return ossl_pkey_export_spki(self, 0);
 }
 
-#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
 /*
  *  call-seq:
  *     pkey.raw_public_key   => string
@@ -1000,7 +993,6 @@ ossl_pkey_raw_public_key(VALUE self)
 
     return str;
 }
-#endif
 
 /*
  *  call-seq:
@@ -1104,7 +1096,6 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
             rb_jump_tag(state);
         }
     }
-#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL
     if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),
                        RSTRING_LEN(data)) < 1) {
         EVP_MD_CTX_free(ctx);
@@ -1125,30 +1116,6 @@ ossl_pkey_sign(int argc, VALUE *argv, VALUE self)
         EVP_MD_CTX_free(ctx);
         ossl_raise(ePKeyError, "EVP_DigestSign");
     }
-#else
-    if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) < 1) {
-        EVP_MD_CTX_free(ctx);
-        ossl_raise(ePKeyError, "EVP_DigestSignUpdate");
-    }
-    if (EVP_DigestSignFinal(ctx, NULL, &siglen) < 1) {
-        EVP_MD_CTX_free(ctx);
-        ossl_raise(ePKeyError, "EVP_DigestSignFinal");
-    }
-    if (siglen > LONG_MAX) {
-        EVP_MD_CTX_free(ctx);
-        rb_raise(ePKeyError, "signature would be too large");
-    }
-    sig = ossl_str_new(NULL, (long)siglen, &state);
-    if (state) {
-        EVP_MD_CTX_free(ctx);
-        rb_jump_tag(state);
-    }
-    if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(sig),
-                            &siglen) < 1) {
-        EVP_MD_CTX_free(ctx);
-        ossl_raise(ePKeyError, "EVP_DigestSignFinal");
-    }
-#endif
     EVP_MD_CTX_free(ctx);
     rb_str_set_len(sig, siglen);
     return sig;
@@ -1209,24 +1176,12 @@ ossl_pkey_verify(int argc, VALUE *argv, VALUE self)
             rb_jump_tag(state);
         }
     }
-#if OSSL_OPENSSL_PREREQ(1, 1, 1) || OSSL_IS_LIBRESSL
     ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),
                            RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),
                            RSTRING_LEN(data));
     EVP_MD_CTX_free(ctx);
     if (ret < 0)
         ossl_raise(ePKeyError, "EVP_DigestVerify");
-#else
-    if (EVP_DigestVerifyUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) < 1) {
-        EVP_MD_CTX_free(ctx);
-        ossl_raise(ePKeyError, "EVP_DigestVerifyUpdate");
-    }
-    ret = EVP_DigestVerifyFinal(ctx, (unsigned char *)RSTRING_PTR(sig),
-                                RSTRING_LEN(sig));
-    EVP_MD_CTX_free(ctx);
-    if (ret < 0)
-        ossl_raise(ePKeyError, "EVP_DigestVerifyFinal");
-#endif
     if (ret)
         return Qtrue;
     else {
@@ -1739,10 +1694,8 @@ Init_ossl_pkey(void)
     rb_define_module_function(mPKey, "read", ossl_pkey_new_from_data, -1);
     rb_define_module_function(mPKey, "generate_parameters", ossl_pkey_s_generate_parameters, -1);
     rb_define_module_function(mPKey, "generate_key", ossl_pkey_s_generate_key, -1);
-#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
     rb_define_module_function(mPKey, "new_raw_private_key", ossl_pkey_new_raw_private_key, 2);
     rb_define_module_function(mPKey, "new_raw_public_key", ossl_pkey_new_raw_public_key, 2);
-#endif
 
     rb_define_alloc_func(cPKey, ossl_pkey_alloc);
     rb_define_method(cPKey, "initialize", ossl_pkey_initialize, 0);
@@ -1758,10 +1711,8 @@ Init_ossl_pkey(void)
     rb_define_method(cPKey, "private_to_pem", ossl_pkey_private_to_pem, -1);
     rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0);
     rb_define_method(cPKey, "public_to_pem", ossl_pkey_public_to_pem, 0);
-#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
     rb_define_method(cPKey, "raw_private_key", ossl_pkey_raw_private_key, 0);
     rb_define_method(cPKey, "raw_public_key", ossl_pkey_raw_public_key, 0);
-#endif
     rb_define_method(cPKey, "compare?", ossl_pkey_compare, 1);
 
     rb_define_method(cPKey, "sign", ossl_pkey_sign, -1);
diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c
index 843c9f8019..764900dfc6 100644
--- a/ext/openssl/ossl_rand.c
+++ b/ext/openssl/ossl_rand.c
@@ -189,9 +189,7 @@ Init_ossl_rand(void)
     rb_define_module_function(mRandom, "load_random_file", ossl_rand_load_file, 1);
     rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1);
     rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1);
-#if OPENSSL_VERSION_NUMBER < 0x10101000 || defined(LIBRESSL_VERSION_NUMBER)
     rb_define_alias(rb_singleton_class(mRandom), "pseudo_bytes", "random_bytes");
-#endif
 #ifdef HAVE_RAND_EGD
     rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1);
     rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2);
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 518393c636..0845358a5a 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -109,9 +109,7 @@ parse_proto_version(VALUE str)
 	{ "TLS1", TLS1_VERSION },
 	{ "TLS1_1", TLS1_1_VERSION },
 	{ "TLS1_2", TLS1_2_VERSION },
-#ifdef TLS1_3_VERSION
 	{ "TLS1_3", TLS1_3_VERSION },
-#endif
     };
 
     if (NIL_P(str))
@@ -383,7 +381,7 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
     return 0;
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if !OSSL_IS_LIBRESSL
 /*
  * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
  * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
@@ -762,9 +760,7 @@ ossl_sslctx_setup(VALUE self)
     SSL_CTX_set_tmp_dh_callback(ctx, ossl_tmp_dh_callback);
 #endif
 
-#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
     SSL_CTX_set_post_handshake_auth(ctx, 1);
-#endif
 
     val = rb_attr_get(self, id_i_cert_store);
     if (!NIL_P(val)) {
@@ -904,7 +900,7 @@ ossl_sslctx_setup(VALUE self)
 	OSSL_Debug("SSL TLSEXT servername callback added");
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if !OSSL_IS_LIBRESSL
     /*
      * It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
      * SSL_CTX_set_keylog_callback() from v3.4.2, it does nothing (see
@@ -1016,7 +1012,6 @@ ossl_sslctx_set_ciphers(VALUE self, VALUE v)
     return v;
 }
 
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 /*
  * call-seq:
  *    ctx.ciphersuites = "cipher1:cipher2:..."
@@ -1043,7 +1038,6 @@ ossl_sslctx_set_ciphersuites(VALUE self, VALUE v)
 
     return v;
 }
-#endif
 
 #ifndef OPENSSL_NO_DH
 /*
@@ -2856,9 +2850,7 @@ Init_ossl_ssl(void)
 			     ossl_sslctx_set_minmax_proto_version, 2);
     rb_define_method(cSSLContext, "ciphers",     ossl_sslctx_get_ciphers, 0);
     rb_define_method(cSSLContext, "ciphers=",    ossl_sslctx_set_ciphers, 1);
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
     rb_define_method(cSSLContext, "ciphersuites=", ossl_sslctx_set_ciphersuites, 1);
-#endif
 #ifndef OPENSSL_NO_DH
     rb_define_method(cSSLContext, "tmp_dh=", ossl_sslctx_set_tmp_dh, 1);
 #endif
@@ -2994,7 +2986,7 @@ Init_ossl_ssl(void)
 #ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
     rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
 #endif
-#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1 */
+#ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1, missing in LibreSSL */
     rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
 #endif
     rb_define_const(mSSL, "OP_DONT_INSERT_EMPTY_FRAGMENTS", ULONG2NUM(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
@@ -3002,28 +2994,26 @@ Init_ossl_ssl(void)
     rb_define_const(mSSL, "OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION));
     rb_define_const(mSSL, "OP_NO_COMPRESSION", ULONG2NUM(SSL_OP_NO_COMPRESSION));
     rb_define_const(mSSL, "OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
-#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1 */
+#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1, missing in LibreSSL */
     rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
 #endif
-#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1 */
+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1, missing in LibreSSL */
     rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
 #endif
-#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1 */
+#ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1, missing in LibreSSL */
     rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
 #endif
-#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1 */
+#ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1, missing in LibreSSL */
     rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
 #endif
     rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3));
     rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1));
     rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1));
     rb_define_const(mSSL, "OP_NO_TLSv1_2", ULONG2NUM(SSL_OP_NO_TLSv1_2));
-#ifdef SSL_OP_NO_TLSv1_3 /* OpenSSL 1.1.1 */
     rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3));
-#endif
     rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
     rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
-#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 */
+#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1, missing in LibreSSL */
     rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
 #endif
     rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
@@ -3085,10 +3075,8 @@ Init_ossl_ssl(void)
     rb_define_const(mSSL, "TLS1_1_VERSION", INT2NUM(TLS1_1_VERSION));
     /* TLS 1.2 */
     rb_define_const(mSSL, "TLS1_2_VERSION", INT2NUM(TLS1_2_VERSION));
-#ifdef TLS1_3_VERSION /* OpenSSL 1.1.1 */
     /* TLS 1.3 */
     rb_define_const(mSSL, "TLS1_3_VERSION", INT2NUM(TLS1_3_VERSION));
-#endif
 
 
     sym_exception = ID2SYM(rb_intern_const("exception"));
diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c
index 8f7e38c455..2d552d7847 100644
--- a/ext/openssl/ossl_x509.c
+++ b/ext/openssl/ossl_x509.c
@@ -130,7 +130,7 @@ Init_ossl_x509(void)
 #if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION);
 #endif
-#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)
+#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED) /* OpenSSL 1.1.1, missing in LibreSSL */
     DefX509Const(V_ERR_OCSP_VERIFY_NEEDED);
     DefX509Const(V_ERR_OCSP_VERIFY_FAILED);
     DefX509Const(V_ERR_OCSP_CERT_UNKNOWN);
diff --git a/ext/openssl/ossl_x509store.c b/ext/openssl/ossl_x509store.c
index c707160ea8..18acdc8ad0 100644
--- a/ext/openssl/ossl_x509store.c
+++ b/ext/openssl/ossl_x509store.c
@@ -357,15 +357,6 @@ ossl_x509store_add_file(VALUE self, VALUE file)
         ossl_raise(eX509StoreError, "X509_STORE_add_lookup");
     if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1)
         ossl_raise(eX509StoreError, "X509_LOOKUP_load_file");
-#if !OSSL_OPENSSL_PREREQ(1, 1, 1) && !OSSL_IS_LIBRESSL
-    /*
-     * X509_load_cert_crl_file() which is called from X509_LOOKUP_load_file()
-     * did not check the return value of X509_STORE_add_{cert,crl}(), leaking
-     * "cert already in hash table" errors on the error queue, if duplicate
-     * certificates are found. Fixed by OpenSSL 1.1.1 and LibreSSL 3.5.0.
-     */
-    ossl_clear_error();
-#endif
 
     return self;
 }
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
index 3c0fc56988..8444cfdcda 100644
--- a/test/openssl/test_pkey.rb
+++ b/test/openssl/test_pkey.rb
@@ -84,7 +84,6 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
   def test_ed25519
     # Ed25519 is not FIPS-approved.
     omit_on_fips
-    omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
 
     # Test vector from RFC 8032 Section 7.1 TEST 2
     priv_pem = <<~EOF
@@ -157,9 +156,6 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
     assert_equal bob_pem, bob.public_to_pem
     assert_equal [shared_secret].pack("H*"), alice.derive(bob)
 
-    if openssl? && !openssl?(1, 1, 1)
-      omit "running OpenSSL version does not have raw public key support"
-    end
     alice_private = OpenSSL::PKey.new_raw_private_key("X25519", alice.raw_private_key)
     bob_public = OpenSSL::PKey.new_raw_public_key("X25519", bob.raw_public_key)
     assert_equal alice_private.private_to_pem,
@@ -173,8 +169,6 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
   end
 
   def test_raw_initialize_errors
-    omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
-
     assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("foo123", "xxx") }
     assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_private_key("ED25519", "xxx") }
     assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.new_raw_public_key("foo123", "xxx") }
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index c9cc7a02e7..c705f78794 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -40,7 +40,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
   def test_ctx_options_config
     omit "LibreSSL does not support OPENSSL_CONF" if libressl?
-    omit "OpenSSL < 1.1.1 does not support system_default" if openssl? && !openssl?(1, 1, 1)
 
     Tempfile.create("openssl.cnf") { |f|
       f.puts(<<~EOF)
@@ -922,7 +921,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
   end
 
   def test_keylog_cb
-    pend "Keylog callback is not supported" if !openssl?(1, 1, 1) || libressl?
+    omit "Keylog callback is not supported" if libressl?
 
     prefix = 'CLIENT_RANDOM'
     context = OpenSSL::SSL::SSLContext.new
@@ -942,30 +941,28 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
       end
     end
 
-    if tls13_supported?
-      prefixes = [
-        'SERVER_HANDSHAKE_TRAFFIC_SECRET',
-        'EXPORTER_SECRET',
-        'SERVER_TRAFFIC_SECRET_0',
-        'CLIENT_HANDSHAKE_TRAFFIC_SECRET',
-        'CLIENT_TRAFFIC_SECRET_0',
-      ]
-      context = OpenSSL::SSL::SSLContext.new
-      context.min_version = context.max_version = OpenSSL::SSL::TLS1_3_VERSION
-      cb_called = false
-      context.keylog_cb = proc do |_sock, line|
-        cb_called = true
-        assert_not_nil(prefixes.delete(line.split.first))
-      end
+    prefixes = [
+      'SERVER_HANDSHAKE_TRAFFIC_SECRET',
+      'EXPORTER_SECRET',
+      'SERVER_TRAFFIC_SECRET_0',
+      'CLIENT_HANDSHAKE_TRAFFIC_SECRET',
+      'CLIENT_TRAFFIC_SECRET_0',
+    ]
+    context = OpenSSL::SSL::SSLContext.new
+    context.min_version = context.max_version = OpenSSL::SSL::TLS1_3_VERSION
+    cb_called = false
+    context.keylog_cb = proc do |_sock, line|
+      cb_called = true
+      assert_not_nil(prefixes.delete(line.split.first))
+    end
 
-      start_server do |port|
-        server_connect(port, context) do |ssl|
-          ssl.puts "abc"
-          assert_equal("abc\n", ssl.gets)
-          assert_equal(true, cb_called)
-        end
-        assert_equal(0, prefixes.size)
+    start_server do |port|
+      server_connect(port, context) do |ssl|
+        ssl.puts "abc"
+        assert_equal("abc\n", ssl.gets)
+        assert_equal(true, cb_called)
       end
+      assert_equal(0, prefixes.size)
     end
   end
 
@@ -1204,8 +1201,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
       OpenSSL::SSL::TLS1_VERSION,
       OpenSSL::SSL::TLS1_1_VERSION,
       OpenSSL::SSL::TLS1_2_VERSION,
-      # OpenSSL 1.1.1
-      defined?(OpenSSL::SSL::TLS1_3_VERSION) && OpenSSL::SSL::TLS1_3_VERSION,
+      OpenSSL::SSL::TLS1_3_VERSION,
     ].compact
 
     # Prepare for testing & do sanity check
@@ -1265,9 +1261,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
       OpenSSL::SSL::TLS1_VERSION => { name: "TLSv1", method: "TLSv1" },
       OpenSSL::SSL::TLS1_1_VERSION => { name: "TLSv1.1", method: "TLSv1_1" },
       OpenSSL::SSL::TLS1_2_VERSION => { name: "TLSv1.2", method: "TLSv1_2" },
-      # OpenSSL 1.1.1
-      defined?(OpenSSL::SSL::TLS1_3_VERSION) && OpenSSL::SSL::TLS1_3_VERSION =>
-      { name: "TLSv1.3", method: nil },
+      OpenSSL::SSL::TLS1_3_VERSION => { name: "TLSv1.3", method: nil },
     }
 
     # Server enables a single version
@@ -1381,8 +1375,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     # applications. The purpose of this test case is to check that SSL options
     # are properly propagated to OpenSSL library.
     supported = check_supported_protocol_versions
-    if !defined?(OpenSSL::SSL::TLS1_3_VERSION) ||
-        !supported.include?(OpenSSL::SSL::TLS1_2_VERSION) ||
+    if !supported.include?(OpenSSL::SSL::TLS1_2_VERSION) ||
         !supported.include?(OpenSSL::SSL::TLS1_3_VERSION)
       pend "this test case requires both TLS 1.2 and TLS 1.3 to be supported " \
         "and enabled by default"
@@ -1721,11 +1714,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
   end
 
   def test_ciphersuites_method_tls_connection
-    ssl_ctx = OpenSSL::SSL::SSLContext.new
-    if !tls13_supported? || !ssl_ctx.respond_to?(:ciphersuites=)
-      pend 'TLS 1.3 not supported'
-    end
-
     csuite = ['TLS_AES_128_GCM_SHA256', 'TLSv1.3', 128, 128]
     inputs = [csuite[0], [csuite[0]], [csuite]]
 
@@ -1746,23 +1734,17 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
   def test_ciphersuites_method_nil_argument
     ssl_ctx = OpenSSL::SSL::SSLContext.new
-    pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=)
-
     assert_nothing_raised { ssl_ctx.ciphersuites = nil }
   end
 
   def test_ciphersuites_method_frozen_object
     ssl_ctx = OpenSSL::SSL::SSLContext.new
-    pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=)
-
     ssl_ctx.freeze
     assert_raise(FrozenError) { ssl_ctx.ciphersuites = 'TLS_AES_256_GCM_SHA384' }
   end
 
   def test_ciphersuites_method_bogus_csuite
     ssl_ctx = OpenSSL::SSL::SSLContext.new
-    pend 'ciphersuites= method is missing' unless ssl_ctx.respond_to?(:ciphersuites=)
-
     assert_raise_with_message(
       OpenSSL::SSL::SSLError,
       /SSL_CTX_set_ciphersuites: no cipher match/i
@@ -1878,8 +1860,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
   end
 
   def test_ecdh_curves_tls13
-    pend "TLS 1.3 not supported" unless tls13_supported?
-
     ctx_proc = -> ctx {
       # Assume TLS 1.3 is enabled and chosen by default
       ctx.ecdh_curves = "P-384:P-521"
diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb
index 4fa3821177..0a9289136e 100644
--- a/test/openssl/test_ssl_session.rb
+++ b/test/openssl/test_ssl_session.rb
@@ -250,7 +250,6 @@ __EOS__
   end
 
   def test_ctx_client_session_cb_tls13
-    omit "TLS 1.3 not supported" unless tls13_supported?
     omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl?
 
     start_server do |port|
@@ -274,7 +273,6 @@ __EOS__
   end
 
   def test_ctx_client_session_cb_tls13_exception
-    omit "TLS 1.3 not supported" unless tls13_supported?
     omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl?
 
     server_proc = lambda do |ctx, ssl|
@@ -375,11 +373,6 @@ __EOS__
       connections = 2
       sess2 = server_connect_with_session(port, cctx, sess0.dup) { |ssl|
         ssl.puts("abc"); assert_equal "abc\n", ssl.gets
-        if !ssl.session_reused? && openssl?(1, 1, 0) && !openssl?(1, 1, 0, 7)
-          # OpenSSL >= 1.1.0, < 1.1.0g
-          pend "External session cache is not working; " \
-            "see https://github.com/openssl/openssl/pull/4014"
-        end
         assert_equal true, ssl.session_reused?
         ssl.session
       }
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 4f7aa0cb10..5fc87d9c67 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -294,7 +294,6 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
   def test_sign_and_verify_ed25519
     # Ed25519 is not FIPS-approved.
     omit_on_fips
-    omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
     ed25519 = OpenSSL::PKey::generate_key("ED25519")
     cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
     assert_equal(true, cert.verify(ed25519))
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index caab795d5b..89165388db 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -207,7 +207,6 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase
   def test_sign_and_verify_ed25519
     # Ed25519 is not FIPS-approved.
     omit_on_fips
-    omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
     ed25519 = OpenSSL::PKey::generate_key("ED25519")
     cert = issue_cert(@ca, ed25519, 1, [], nil, nil, digest: nil)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index 88a7bee93a..18d3e7f8f3 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -135,7 +135,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
   def test_sign_and_verify_ed25519
     # Ed25519 is not FIPS-approved.
     omit_on_fips
-    omit "Ed25519 not supported" if openssl? && !openssl?(1, 1, 1)
     ed25519 = OpenSSL::PKey::generate_key("ED25519")
     req = issue_csr(0, @dn, ed25519, nil)
     assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 4110d9b0f2..e38b190927 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -186,14 +186,6 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
     @server = nil
   end
 
-  def tls13_supported?
-    return false unless defined?(OpenSSL::SSL::TLS1_3_VERSION)
-    ctx = OpenSSL::SSL::SSLContext.new
-    ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_3_VERSION
-    true
-  rescue
-  end
-
   def readwrite_loop(ctx, ssl)
     while line = ssl.gets
       ssl.write(line)