Description
this is a follow-up from #10054 that i think we should resolve soon
our dependency cryptography's deprecation policy says that features deprecated in version X will be removed in version X + 2. the properties in use were deprecated in version 43.0.0. 44.0.0 is already out so according to this policy they're slated to be removed in their next major release of 45.0.0
fixing the exact problem here should be pretty easy if we bump our minimum cryptography version to 43.0.0 where the new properties were introduced. however, i think there's follow-up work that should be done to prevent this kind of thing from happening in the future. our users were getting deprecation warnings. why weren't we?
i suspect the biggest culprit here is that our integration tests are probably not set up to error on warnings like our unit tests are. we have integration tests of OCSP status reporting. if this code was set up to error on warnings, it should have been failing and we could have caught this
additionally, our unit tests didn't catch this because mock is used extensively in the unit tests of this code. i think it'd be possible to create and verify real, self-signed OCSP responses rather than mocking everything. this also would have allowed us to catch this, but fixing integration tests may be sufficient here and it comes with benefits for the rest of the codebase