gh-138633: indicate SSL backend requirements for SSL functions

Doc/library/intro.rst

@@ -65,6 +65,10 @@ Notes on availability
   *Availability: Linux >= 3.17 with glibc >= 2.27* requires both Linux 3.17 or
   newer and glibc 2.27 or newer.
 
+* A particular library dependency with an optional minimal ``major.minor``
+  version constraint is indicated by *Availability: library >= major.minor*.
+
+
 .. _wasm-availability:
 
 WebAssembly platforms

Doc/library/ssl.rst

@@ -28,7 +28,15 @@ probably additional platforms, as long as OpenSSL is installed on that platform.
    cause variations in behavior. For example, TLSv1.3 comes with OpenSSL version
    1.1.1.
 
+.. note::
+
+   Support for other implementations of ``libssl`` such as AWS-LC, BoringSSL,
+   or LibreSSL may be assumed but not guaranteed. When a feature is known to
+   be unavailable for a specific backend, it will be explicitly mentioned in
+   an :ref:`Availability <availability>` note as *Availability: not <backend>*.
+
 .. warning::
+
    Don't use this module without reading the :ref:`ssl-security`.  Doing so
    may lead to a false sense of security, as the default settings of the
    ssl module are not necessarily appropriate for your application.
@@ -232,6 +240,8 @@ Signature algorithms
    :meth:`SSLContext.set_client_sigalgs` and
    :meth:`SSLContext.set_server_sigalgs` methods.
 
+   .. availability:: OpenSSL >= 3.4
+
    .. versionadded:: next
 
 
@@ -1318,6 +1328,8 @@ SSL sockets also have the following additional methods and attributes:
    Return the group used for doing key agreement on this connection. If no
    connection has been established, returns ``None``.
 
+   .. availability:: OpenSSL >= 3.2
+
    .. versionadded:: next
 
 .. method:: SSLSocket.client_sigalg()
@@ -1326,6 +1338,8 @@ SSL sockets also have the following additional methods and attributes:
    authentication on this connection, or ``None`` if no connection has been
    established or client authentication didn't occur.
 
+   .. availability:: OpenSSL >= 3.5
+
    .. versionadded:: next
 
 .. method:: SSLSocket.server_sigalg()
@@ -1334,6 +1348,8 @@ SSL sockets also have the following additional methods and attributes:
    handshake on this connection, or ``None`` if no connection has been
    established or the cipher suite has no signature.
 
+   .. availability:: OpenSSL >= 3.5
+
    .. versionadded:: next
 
 .. method:: SSLSocket.compression()
@@ -1710,6 +1726,8 @@ to speed up repeated connections from the same clients.
    :const:`True` this method will also return any associated aliases such as
    the ECDH curve names supported in older versions of OpenSSL.
 
+   .. availability:: OpenSSL >= 3.5
+
    .. versionadded:: next
 
 .. method:: SSLContext.set_default_verify_paths()
@@ -1777,6 +1795,8 @@ to speed up repeated connections from the same clients.
       sockets will return the signature algorithm used for performing
       certificate-based client authentication on that connection.
 
+   .. availability:: not AWS-LC
+
    .. versionadded:: next
 
 .. method:: SSLContext.set_server_sigalgs(sigalgs, /)

Doc/tools/extensions/availability.py

@@ -46,7 +46,13 @@
     # POSIX platforms with pthreads
     "pthreads",
 })
-KNOWN_PLATFORMS = _PLATFORMS | _LIBC | _THREADING
+_SSL_BACKENDS = frozenset({
+    "OpenSSL",
+    "AWS-LC",
+    "LibreSSL",
+    "BoringSSL",
+})
+KNOWN_PLATFORMS = _PLATFORMS | _LIBC | _THREADING | _SSL_BACKENDS
 
 
 class Availability(SphinxDirective):