#1: XXX maybe this can go away now we have auto-init, I'm not sure exactly
what python's lock protects

#2: ERR_get_state is no longer used in OpenSSL 3.0 or libressl as of 20240303

#3 - #6: treat ASN1_STRING as opaque

#7, #8: Drop CRYPTO_THREADID noops

Index: Modules/_ssl.c
--- Modules/_ssl.c.orig
+++ Modules/_ssl.c
@@ -164,6 +164,9 @@ struct py_ssl_library_code {
 #if defined(OPENSSL_VERSION_1_1) && !defined(OPENSSL_NO_SSL2)
 #define OPENSSL_NO_SSL2
 #endif
+#if defined(LIBRESSL_VERSION_NUMBER) && defined(WITH_THREAD)
+#define HAVE_OPENSSL_CRYPTO_LOCK
+#endif
 
 #ifndef PY_OPENSSL_1_1_API
 /* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
@@ -592,7 +595,6 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObjec
     Py_INCREF(sslctx);
 
     /* Make sure the SSL error state is initialized */
-    (void) ERR_get_state();
     ERR_clear_error();
 
     PySSL_BEGIN_ALLOW_THREADS
@@ -956,18 +958,18 @@ _get_peer_alt_names (X509 *certificate) {
             goto fail;
         }
 
-        p = X509_EXTENSION_get_data(ext)->data;
+        p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext));
         if (method->it)
             names = (GENERAL_NAMES*)
               (ASN1_item_d2i(NULL,
                              &p,
-                             X509_EXTENSION_get_data(ext)->length,
+                             ASN1_STRING_length(X509_EXTENSION_get_data(ext)),
                              ASN1_ITEM_ptr(method->it)));
         else
             names = (GENERAL_NAMES*)
               (method->d2i(NULL,
                            &p,
-                           X509_EXTENSION_get_data(ext)->length));
+                           ASN1_STRING_length(X509_EXTENSION_get_data(ext))));
 
         for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
             /* get a rendering of each name in the set of names */
@@ -1028,7 +1030,7 @@ _get_peer_alt_names (X509 *certificate) {
                     goto fail;
                 }
                 PyTuple_SET_ITEM(t, 0, v);
-                v = PyString_FromStringAndSize((char *)ASN1_STRING_data(as),
+                v = PyString_FromStringAndSize((char *)ASN1_STRING_get0_data(as),
                                                ASN1_STRING_length(as));
                 if (v == NULL) {
                     Py_DECREF(t);
@@ -1173,8 +1175,8 @@ _get_aia_uri(X509 *certificate, int nid) {
             continue;
         }
         uri = ad->location->d.uniformResourceIdentifier;
-        ostr = PyUnicode_FromStringAndSize((char *)uri->data,
-                                           uri->length);
+        ostr = PyUnicode_FromStringAndSize((char *)ASN1_STRING_get0_data(uri),
+                                           ASN1_STRING_length(uri));
         if (ostr == NULL) {
             goto fail;
         }
@@ -1240,8 +1242,8 @@ _get_crl_dp(X509 *certificate) {
                 continue;
             }
             uri = gn->d.uniformResourceIdentifier;
-            ouri = PyUnicode_FromStringAndSize((char *)uri->data,
-                                               uri->length);
+            ouri = PyUnicode_FromStringAndSize((char *)ASN1_STRING_get0_data(uri),
+                                               ASN1_STRING_length(uri));
             if (ouri == NULL)
                 goto done;
 
@@ -4078,15 +4080,7 @@ static PyMethodDef PySSL_methods[] = {
 
 static PyThread_type_lock *_ssl_locks = NULL;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10000000
-/* use new CRYPTO_THREADID API. */
-static void
-_ssl_threadid_callback(CRYPTO_THREADID *id)
-{
-    CRYPTO_THREADID_set_numeric(id,
-                                (unsigned long)PyThread_get_thread_ident());
-}
-#else
+#if OPENSSL_VERSION_NUMBER < 0x10000000
 /* deprecated CRYPTO_set_id_callback() API. */
 static unsigned long
 _ssl_thread_id_function (void) {
@@ -4146,9 +4140,7 @@ static int _setup_ssl_threads(void) {
             }
         }
         CRYPTO_set_locking_callback(_ssl_thread_locking_function);
-#if OPENSSL_VERSION_NUMBER >= 0x10000000
-        CRYPTO_THREADID_set_callback(_ssl_threadid_callback);
-#else
+#if OPENSSL_VERSION_NUMBER < 0x10000000
         CRYPTO_set_id_callback(_ssl_thread_id_function);
 #endif
     }
