---
 Lib/test/test_ssl.py | 48 +++++++++++++++++++++++++++---------------------
 setup.py | 33 ---------------------------------
 2 files changed, 27 insertions(+), 54 deletions(-)
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -96,6 +96,12 @@ OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SI
 OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
 OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
+def clean_OpenSSL30_san(in_tup):
+ if ssl._OPENSSL_API_VERSION >= (3, 0, 0):
+ return tuple([(x,y.strip() if type(y) == str else y)
+ for x, y in in_tup])
+ else:
+ return in_tup
 def handle_error(prefix):
 exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
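Review bot: `clean_OpenSSL30_san` has no docstring or comment saying why the expected SAN tuples are altered, and it strips every string value although the only expected entry on this page with surrounding whitespace is `('IP Address', '0:0:0:0:0:0:0:1\n')`. Restricting the normalisation to that case keeps the DNS, email and URI expectations untouched if they ever change, for example `return tuple((k, v.rstrip('\n') if k == 'IP Address' else v) for k, v in in_tup)`, with a one-line docstring such as `"""Drop the trailing newline from expected IP Address SANs on OpenSSL >= 3.0."""`. The gate reads `ssl._OPENSSL_API_VERSION`, which appears to be the build-time header version; if the formatting difference comes from the library loaded at run time, `ssl.OPENSSL_VERSION_INFO` would be the more accurate check, which is worth confirming.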
@@ -378,29 +384,29 @@ class BasicSocketTests(unittest.TestCase
 ('URI', 'http://null.python.org\x00http://example.org'),
 ('IP Address', '192.0.2.1'),
 ('IP Address', ''))
+ san = clean_OpenSSL30_san(san)
 self.assertEqual(p['subjectAltName'], san)
 def test_parse_all_sans(self):
 p = ssl._ssl._test_decode_cert(ALLSANFILE)
- self.assertEqual(p['subjectAltName'],
- (
- ('DNS', 'allsans'),
- ('othername', ''),
- ('othername', ''),
- ('email', 'user@example.org'),
- ('DNS', 'www.example.org'),
- ('DirName',
- ((('countryName', 'XY'),),
- (('localityName', 'Castle Anthrax'),),
- (('organizationName', 'Python Software Foundation'),),
- (('commonName', 'dirname example'),))),
- ('URI', 'https://www.python.org/'),
- ('IP Address', '127.0.0.1'),
- ('IP Address', '0:0:0:0:0:0:0:1\n'),
- ('Registered ID', '1.2.3.4.5')
- )
- )
+ expected = clean_OpenSSL30_san((
+ ('DNS', 'allsans'),
+ ('othername', ''),
+ ('othername', ''),
+ ('email', 'user@example.org'),
+ ('DNS', 'www.example.org'),
+ ('DirName',
+ ((('countryName', 'XY'),),
+ (('localityName', 'Castle Anthrax'),),
+ (('organizationName', 'Python Software Foundation'),),
+ (('commonName', 'dirname example'),))),
+ ('URI', 'https://www.python.org/'),
+ ('IP Address', '127.0.0.1'),
+ ('IP Address', '0:0:0:0:0:0:0:1\n'),
+ ('Registered ID', '1.2.3.4.5')
+ ))
+ self.assertEqual(p['subjectAltName'], expected)
 def test_DER_to_PEM(self):
 with open(CAFILE_CACERT, 'r') as f:
@@ -424,11 +430,11 @@ class BasicSocketTests(unittest.TestCase
 # Some sanity checks follow
 # >= 0.9
 self.assertGreaterEqual(n, 0x900000)
- # < 3.0
- self.assertLess(n, 0x30000000)
+ # < 3.3
+ self.assertLess(n, 0x33000000)
 major, minor, fix, patch, status = t
 self.assertGreaterEqual(major, 0)
- self.assertLess(major, 3)
+ self.assertLess(major, 4)
 self.assertGreaterEqual(minor, 0)
 self.assertLess(minor, 256)
 self.assertGreaterEqual(fix, 0)
--- a/setup.py
+++ b/setup.py
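Review bot: The comment `# < 3.3` does not match the bound `0x33000000` in the `@@ -424,11 +430,11 @@` hunk. In OpenSSL 3's version-number layout, 3.3.0 is `0x30300000`, so the new limit is far looser than the comment says, and it also disagrees with the `self.assertLess(major, 4)` added a few lines below. Making the two sanity checks agree is a two-line change: `# < 4.0` and `self.assertLess(n, 0x40000000)`. The enclosing test method starts and ends outside the hunk.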
@@ -873,47 +873,14 @@ class PyBuildExt(build_ext):
 else:
 missing.append('_ssl')
- # find out which version of OpenSSL we have
- openssl_ver = 0
- openssl_ver_re = re.compile(
- r'^\s*#\s*define\s+OPENSSL_VERSION_NUMBER\s+(0x[0-9a-fA-F]+)' )
-
- # look for the openssl version header on the compiler search path.
- opensslv_h = find_file('openssl/opensslv.h', [],
- inc_dirs + search_for_ssl_incs_in)
- if opensslv_h:
- name = os.path.join(opensslv_h[0], 'openssl/opensslv.h')
- if host_platform == 'darwin' and is_macosx_sdk_path(name):
- name = os.path.join(macosx_sdk_root(), name[1:])
- try:
- with open(name, 'r') as incfile:
- for line in incfile:
- m = openssl_ver_re.match(line)
- if m:
- openssl_ver = int(m.group(1), 16)
- break
- except IOError as msg:
- print("IOError while reading opensshv.h:", msg)
-
- #print('openssl_ver = 0x%08x' % openssl_ver)
- min_openssl_ver = 0x00907000
 have_any_openssl = ssl_incs is not None and ssl_libs is not None
- have_usable_openssl = (have_any_openssl and
- openssl_ver >= min_openssl_ver)
 if have_any_openssl:
- if have_usable_openssl:
- # The _hashlib module wraps optimized implementations
- # of hash functions from the OpenSSL library.
 exts.append( Extension('_hashlib', ['_hashopenssl.c'],
 depends = ['hashlib.h'],
 include_dirs = ssl_incs,
 library_dirs = ssl_libs,
 libraries = ['ssl', 'crypto']) )
- else:
- print("warning: openssl 0x%08x is too old for _hashlib" %
- openssl_ver)
- missing.append('_hashlib')
 # We always compile these even when OpenSSL is available (issue #14693).
 # It's harmless and the object code is tiny (40-50 KB per module,