Versions are year-based with a strict backward-compatibility policy. The third digit is only for regressions.
- The minimum
cryptographyversion is now 3.2. - Remove deprecated
OpenSSL.tsafemodule. - Removed deprecated
OpenSSL.SSL.Context.set_npn_advertise_callback,OpenSSL.SSL.Context.set_npn_select_callback, andOpenSSL.SSL.Connection.get_next_proto_negotiated. - Drop support for Python 3.4
- Drop support for OpenSSL 1.0.1 and 1.0.2
- Deprecated
OpenSSL.crypto.loads_pkcs7andOpenSSL.crypto.loads_pkcs12.
- Added a new optional
chainparameter toOpenSSL.crypto.X509StoreContext()where additional untrusted certificates can be specified to help chain building. #948 - Added
OpenSSL.crypto.X509Store.load_locationsto set trusted certificate file bundles and/or directories for verification. #943 - Added
Context.set_keylog_callbackto log key material. #910 - Added
OpenSSL.SSL.Connection.get_verified_chainto retrieve the verified certificate chain of the peer. #894. - Make verification callback optional in
Context.set_verify. If omitted, OpenSSL's default verification is used. #933 - Fixed a bug that could truncate or cause a zero-length key error due to a
null byte in private key passphrase in
OpenSSL.crypto.load_privatekeyandOpenSSL.crypto.dump_privatekey. #947
- Removed deprecated
ContextType,ConnectionType,PKeyType,X509NameType,X509ReqType,X509Type,X509StoreType,CRLType,PKCS7Type,PKCS12Type, andNetscapeSPKITypealiases. Use the classes without theTypesuffix instead. #814 - The minimum
cryptographyversion is now 2.8 due to issues on macOS with a transitive dependency. #875
- Deprecated
OpenSSL.SSL.Context.set_npn_advertise_callback,OpenSSL.SSL.Context.set_npn_select_callback, andOpenSSL.SSL.Connection.get_next_proto_negotiated. ALPN should be used instead. #820
- Support
bytearrayinSSL.Connection.send()by using cffi's from_buffer. #852 - The
OpenSSL.SSL.Context.set_alpn_select_callbackcan return a newNO_OVERLAPPING_PROTOCOLSsentinel value to allow a TLS handshake to complete without an application protocol.
X509Store.add_certno longer raises an error if you add a duplicate cert. #787
none
- pyOpenSSL now works with OpenSSL 1.1.1. #805
- pyOpenSSL now handles NUL bytes in
X509Name.get_components()#804
- The minimum
cryptographyversion is now 2.2.1. - Support for Python 2.6 has been dropped.
none
- Added
Connection.get_certificateto retrieve the local certificate. #733 OpenSSL.SSL.Connectionnow setsSSL_MODE_AUTO_RETRYby default. #753- Added
Context.set_tlsext_use_srtpto enable negotiation of SRTP keying material. #734
- The minimum
cryptographyversion is now 2.1.4.
none
- Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with
cacerts. #723 - Added
Connection.export_keying_materialfor RFC 5705 compatible export of keying material. #725
none
none
- Re-added a subset of the
OpenSSL.randmodule. This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. #708 - Corrected a use-after-free when reusing an issuer or subject from an
X509object after the underlying object has been mutated. #709
- Dropped support for Python 3.3. #677
- Removed the deprecated
OpenSSL.randmodule. This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden.os.urandom()should be used instead. #675
- Deprecated
OpenSSL.tsafe. #673
- Fixed a memory leak in
OpenSSL.crypto.CRL. #690 - Fixed a memory leak when verifying certificates with
OpenSSL.crypto.X509StoreContext. #691
none
- Deprecated
OpenSSL.rand- callers should useos.urandom()instead. #658
- Fixed a bug causing
Context.set_default_verify_paths()to not work with cryptographymanylinux1wheels on Python 3.x. #665 - Fixed a crash with (EC)DSA signatures in some cases. #670
- Removed the deprecated
OpenSSL.rand.egd()function. Applications should preferos.urandom()for random number generation. #630 - Removed the deprecated default
digestargument toOpenSSL.crypto.CRL.export(). Callers must now always pass an explicitdigest. #652 - Fixed a bug with
ASN1_TIMEcasting inX509.set_notBefore(),X509.set_notAfter(),Revoked.set_rev_date(),Revoked.set_nextUpdate(), andRevoked.set_lastUpdate(). You must now pass times in the formYYYYMMDDhhmmssZ.YYYYMMDDhhmmss+hhmmandYYYYMMDDhhmmss-hhmmwill no longer work. #612
- Deprecated the legacy "Type" aliases:
ContextType,ConnectionType,PKeyType,X509NameType,X509ExtensionType,X509ReqType,X509Type,X509StoreType,CRLType,PKCS7Type,PKCS12Type,NetscapeSPKIType. The names without the "Type"-suffix should be used instead.
- Added
OpenSSL.crypto.X509.from_cryptography()andOpenSSL.crypto.X509.to_cryptography()for converting X.509 certificate to and from pyca/cryptography objects. #640 - Added
OpenSSL.crypto.X509Req.from_cryptography(),OpenSSL.crypto.X509Req.to_cryptography(),OpenSSL.crypto.CRL.from_cryptography(), andOpenSSL.crypto.CRL.to_cryptography()for converting X.509 CSRs and CRLs to and from pyca/cryptography objects. #645 - Added
OpenSSL.debugthat allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information usingpython -m OpenSSL.debug. #620 - Added a fallback path to
Context.set_default_verify_paths()to accommodate the upcoming release ofcryptographymanylinux1wheels. #633
none
none
- Added
OpenSSL.X509Store.set_time()to set a custom verification time when verifying certificate chains. #567 - Added a collection of functions for working with OCSP stapling.
None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided.
Users will need to write their own code to handle OCSP assertions.
We specifically added:
Context.set_ocsp_server_callback(),Context.set_ocsp_client_callback(), andConnection.request_ocsp(). #580 - Changed the
SSLmodule's memory allocation policy to avoid zeroing memory it allocates when unnecessary. This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation. For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements. #578 - Automatically set
SSL_CTX_set_ecdh_auto()onOpenSSL.SSL.Context. #575 - Fix empty exceptions from
OpenSSL.crypto.load_privatekey(). #581
none
none
- Fixed compatibility errors with OpenSSL 1.1.0.
- Fixed an issue that caused failures with subinterpreters and embedded Pythons. #552
none
- Dropped support for OpenSSL 0.9.8.
- Fix memory leak in
OpenSSL.crypto.dump_privatekey()withFILETYPE_TEXT. #496 - Enable use of CRL (and more) in verify context. #483
OpenSSL.crypto.PKeycan now be constructed fromcryptographyobjects and also exported as such. #439- Support newer versions of
cryptographywhich use opaque structs for OpenSSL 1.1.0 compatibility.
This is the first release under full stewardship of PyCA. We have made many changes to make local development more pleasing. The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2. It has been moved to pytest, all CI test runs are part of tox and the source code has been made fully flake8 compliant.
We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations.
- Python 3.2 support has been dropped.
It never had significant real world usage and has been dropped by our main dependency
cryptography. Affected users should upgrade to Python 3.3 or later.
The support for EGD has been removed. The only affected function
OpenSSL.rand.egd()now usesos.urandom()to seed the internal PRNG instead. Please see pyca/cryptography#1636 for more background information on this decision. In accordance with our backward compatibility policyOpenSSL.rand.egd()will be removed no sooner than a year from the release of 16.0.0.Please note that you should use urandom for all your secure random number needs.
Python 2.6 support has been deprecated. Our main dependency
cryptographydeprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it. pyOpenSSL will drop Python 2.6 support oncecryptographydoes.
- Fixed
OpenSSL.SSL.Context.set_session_id,OpenSSL.SSL.Connection.renegotiate,OpenSSL.SSL.Connection.renegotiate_pending, andOpenSSL.SSL.Context.load_client_ca. They were lacking an implementation since 0.14. #422 - Fixed segmentation fault when using keys larger than 4096-bit to sign data. #428
- Fixed
AttributeErrorwhenOpenSSL.SSL.Connection.get_app_data()was called before setting any app data. #304 - Added
OpenSSL.crypto.dump_publickey()to dumpOpenSSL.crypto.PKeyobjects that represent public keys, andOpenSSL.crypto.load_publickey()to load such objects from serialized representations. #382 - Added
OpenSSL.crypto.dump_crl()to dump a certificate revocation list out to a string buffer. #368 - Added
OpenSSL.SSL.Connection.get_state_string()using the OpenSSL bindingstate_string_long. #358 - Added support for the
socket.MSG_PEEKflag toOpenSSL.SSL.Connection.recv()andOpenSSL.SSL.Connection.recv_into(). #294 - Added
OpenSSL.SSL.Connection.get_protocol_version()andOpenSSL.SSL.Connection.get_protocol_version_name(). #244 - Switched to
utf8stringmask by default. OpenSSL formerly defaulted to aT61Stringif there were UTF-8 characters present. This was changed to default toUTF8Stringin the config around 2005, but the actual code didn't change it until late last year. This will default us to the setting that actually works. To revert this you can callOpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default"). #234
The changes from before release 16.0.0 are preserved in the repository.