Versions are year-based with a strict backward-compatibility policy. The third digit is only for regressions.
- Deprecated
OpenSSL.rand
- callers should useos.urandom()
instead. - Deprecated
OpenSSL.crypto.get_elliptic_curves
andOpenSSL.crypto.get_elliptic_curve
, as well as passing the reult of them toOpenSSL.SSL.Context.set_tmp_ecdh
, users should instead pass curves fromcryptography
. - Deprecated passing
X509
objects toOpenSSL.SSL.Context.use_certificate
,OpenSSL.SSL.Connection.use_certificate
,OpenSSL.SSL.Context.add_extra_chain_cert
, andOpenSSL.SSL.Context.add_client_ca
, users should instead passcryptography.x509.Certificate
instances. This is in preparation for deprecating pyOpenSSL'sX509
entirely. - Deprecated passing
PKey
objects toOpenSSL.SSL.Context.use_privatekey
andOpenSSL.SSL.Connection.use_privatekey
, users should instead passcryptography
priate key instances. This is in preparation for deprecating pyOpenSSL'sPKey
entirely.
OpenSSL.SSL.Connection.get_certificate
,OpenSSL.SSL.Connection.get_peer_certificate
, andOpenSSL.SSL.Connection.get_peer_cert_chain
now take anas_cryptography
keyword-argument. WhenTrue
is passed thencryptography.x509.Certificate
are returned, instead ofOpenSSL.crypto.X509
. In the future, passingFalse
(the default) will be deprecated.
- Fixed changelog to remove sphinx specific restructured text strings.
- Deprecated
OpenSSL.crypto.X509Req
,OpenSSL.crypto.load_certificate_request
,OpenSSL.crypto.dump_certificate_request
. Instead,cryptography.x509.CertificateSigningRequest
,cryptography.x509.CertificateSigningRequestBuilder
,cryptography.x509.load_der_x509_csr
, orcryptography.x509.load_pem_x509_csr
should be used.
- Added type hints for the
SSL
module. #1308. - Changed
OpenSSL.crypto.PKey.from_cryptography_key
to accept public and private EC, ED25519, ED448 keys. #1310.
- Removed the deprecated
OpenSSL.crypto.PKCS12
andOpenSSL.crypto.NetscapeSPKI
.OpenSSL.crypto.PKCS12
may be replaced by the PKCS#12 APIs in thecryptography
package.
- Added
OpenSSL.SSL.Connection.get_selected_srtp_profile
to determine which SRTP profile was negotiated. #1279.
- Dropped support for Python 3.6.
- The minimum
cryptography
version is now 41.0.5. - Removed
OpenSSL.crypto.load_pkcs7
andOpenSSL.crypto.load_pkcs12
which had been deprecated for 3 years. - Added
OpenSSL.SSL.OP_LEGACY_SERVER_CONNECT
to allow legacy insecure renegotiation between OpenSSL and unpatched servers. #1234.
- Deprecated
OpenSSL.crypto.PKCS12
(which was intended to have been deprecated at the same time asOpenSSL.crypto.load_pkcs12
). - Deprecated
OpenSSL.crypto.NetscapeSPKI
. - Deprecated
OpenSSL.crypto.CRL
- Deprecated
OpenSSL.crypto.Revoked
- Deprecated
OpenSSL.crypto.load_crl
andOpenSSL.crypto.dump_crl
- Deprecated
OpenSSL.crypto.sign
andOpenSSL.crypto.verify
- Deprecated
OpenSSL.crypto.X509Extension
- Changed
OpenSSL.crypto.X509Store.add_crl
to also acceptcryptography
'sx509.CertificateRevocationList
arguments in addition to the now deprecatedOpenSSL.crypto.CRL
arguments. - Fixed
test_set_default_verify_paths
test so that it is skipped if no network connection is available.
- Removed
X509StoreFlags.NOTIFY_POLICY
. #1213.
cryptography
maximum version has been increased to 41.0.x.- Invalid versions are now rejected in
OpenSSL.crypto.X509Req.set_version
. - Added
X509VerificationCodes
toOpenSSL.SSL
. #1202.
- Worked around an issue in OpenSSL 3.1.0 which caused X509Extension.get_short_name to raise an exception when no short name was known to OpenSSL. #1204.
cryptography
maximum version has been increased to 40.0.x.- Add
OpenSSL.SSL.Connection.DTLSv1_get_timeout
andOpenSSL.SSL.Connection.DTLSv1_handle_timeout
to support DTLS timeouts #1180.
- Add
OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN
constant to allow for users to perform certificate verification on partial certificate chains. #1166 cryptography
maximum version has been increased to 39.0.x.
- Remove support for SSLv2 and SSLv3.
- The minimum
cryptography
version is now 38.0.x (and we now pin releases againstcryptography
major versions to prevent future breakage) - The
OpenSSL.crypto.X509StoreContextError
exception has been refactored, changing its internal attributes. #1133
OpenSSL.SSL.SSLeay_version
is deprecated in favor ofOpenSSL.SSL.OpenSSL_version
. The constantsOpenSSL.SSL.SSLEAY_*
are deprecated in favor ofOpenSSL.SSL.OPENSSL_*
.
- Add
OpenSSL.SSL.Connection.set_verify
andOpenSSL.SSL.Connection.get_verify_mode
to override the context object's verification flags. #1073 - Add
OpenSSL.SSL.Connection.use_certificate
andOpenSSL.SSL.Connection.use_privatekey
to set a certificate per connection (and not just per context) #1121.
- Drop support for Python 2.7. #1047
- The minimum
cryptography
version is now 35.0.
- The minimum
cryptography
version is now 3.3. - Drop support for Python 3.5
- Raise an error when an invalid ALPN value is set. #993
- Added
OpenSSL.SSL.Context.set_min_proto_version
andOpenSSL.SSL.Context.set_max_proto_version
to set the minimum and maximum supported TLS version #985. - Updated
to_cryptography
andfrom_cryptography
methods to support an upcoming release ofcryptography
without raising deprecation warnings. #1030
- Fixed compatibility with OpenSSL 1.1.0.
- The minimum
cryptography
version is now 3.2. - Remove deprecated
OpenSSL.tsafe
module. - Removed deprecated
OpenSSL.SSL.Context.set_npn_advertise_callback
,OpenSSL.SSL.Context.set_npn_select_callback
, andOpenSSL.SSL.Connection.get_next_proto_negotiated
. - Drop support for Python 3.4
- Drop support for OpenSSL 1.0.1 and 1.0.2
- Deprecated
OpenSSL.crypto.load_pkcs7
andOpenSSL.crypto.load_pkcs12
.
- Added a new optional
chain
parameter toOpenSSL.crypto.X509StoreContext()
where additional untrusted certificates can be specified to help chain building. #948 - Added
OpenSSL.crypto.X509Store.load_locations
to set trusted certificate file bundles and/or directories for verification. #943 - Added
Context.set_keylog_callback
to log key material. #910 - Added
OpenSSL.SSL.Connection.get_verified_chain
to retrieve the verified certificate chain of the peer. #894. - Make verification callback optional in
Context.set_verify
. If omitted, OpenSSL's default verification is used. #933 - Fixed a bug that could truncate or cause a zero-length key error due to a
null byte in private key passphrase in
OpenSSL.crypto.load_privatekey
andOpenSSL.crypto.dump_privatekey
. #947
- Removed deprecated
ContextType
,ConnectionType
,PKeyType
,X509NameType
,X509ReqType
,X509Type
,X509StoreType
,CRLType
,PKCS7Type
,PKCS12Type
, andNetscapeSPKIType
aliases. Use the classes without theType
suffix instead. #814 - The minimum
cryptography
version is now 2.8 due to issues on macOS with a transitive dependency. #875
- Deprecated
OpenSSL.SSL.Context.set_npn_advertise_callback
,OpenSSL.SSL.Context.set_npn_select_callback
, andOpenSSL.SSL.Connection.get_next_proto_negotiated
. ALPN should be used instead. #820
- Support
bytearray
inSSL.Connection.send()
by using cffi's from_buffer. #852 - The
OpenSSL.SSL.Context.set_alpn_select_callback
can return a newNO_OVERLAPPING_PROTOCOLS
sentinel value to allow a TLS handshake to complete without an application protocol.
X509Store.add_cert
no longer raises an error if you add a duplicate cert. #787
none
- pyOpenSSL now works with OpenSSL 1.1.1. #805
- pyOpenSSL now handles NUL bytes in
X509Name.get_components()
#804
- The minimum
cryptography
version is now 2.2.1. - Support for Python 2.6 has been dropped.
none
- Added
Connection.get_certificate
to retrieve the local certificate. #733 OpenSSL.SSL.Connection
now setsSSL_MODE_AUTO_RETRY
by default. #753- Added
Context.set_tlsext_use_srtp
to enable negotiation of SRTP keying material. #734
- The minimum
cryptography
version is now 2.1.4.
none
- Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with
cacerts
. #723 - Added
Connection.export_keying_material
for RFC 5705 compatible export of keying material. #725
none
none
- Re-added a subset of the
OpenSSL.rand
module. This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. #708 - Corrected a use-after-free when reusing an issuer or subject from an
X509
object after the underlying object has been mutated. #709
- Dropped support for Python 3.3. #677
- Removed the deprecated
OpenSSL.rand
module. This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden.os.urandom()
should be used instead. #675
- Deprecated
OpenSSL.tsafe
. #673
- Fixed a memory leak in
OpenSSL.crypto.CRL
. #690 - Fixed a memory leak when verifying certificates with
OpenSSL.crypto.X509StoreContext
. #691
none
- Deprecated
OpenSSL.rand
- callers should useos.urandom()
instead. #658
- Fixed a bug causing
Context.set_default_verify_paths()
to not work with cryptographymanylinux1
wheels on Python 3.x. #665 - Fixed a crash with (EC)DSA signatures in some cases. #670
- Removed the deprecated
OpenSSL.rand.egd()
function. Applications should preferos.urandom()
for random number generation. #630 - Removed the deprecated default
digest
argument toOpenSSL.crypto.CRL.export()
. Callers must now always pass an explicitdigest
. #652 - Fixed a bug with
ASN1_TIME
casting inX509.set_notBefore()
,X509.set_notAfter()
,Revoked.set_rev_date()
,Revoked.set_nextUpdate()
, andRevoked.set_lastUpdate()
. You must now pass times in the formYYYYMMDDhhmmssZ
.YYYYMMDDhhmmss+hhmm
andYYYYMMDDhhmmss-hhmm
will no longer work. #612
- Deprecated the legacy "Type" aliases:
ContextType
,ConnectionType
,PKeyType
,X509NameType
,X509ExtensionType
,X509ReqType
,X509Type
,X509StoreType
,CRLType
,PKCS7Type
,PKCS12Type
,NetscapeSPKIType
. The names without the "Type"-suffix should be used instead.
- Added
OpenSSL.crypto.X509.from_cryptography()
andOpenSSL.crypto.X509.to_cryptography()
for converting X.509 certificate to and from pyca/cryptography objects. #640 - Added
OpenSSL.crypto.X509Req.from_cryptography()
,OpenSSL.crypto.X509Req.to_cryptography()
,OpenSSL.crypto.CRL.from_cryptography()
, andOpenSSL.crypto.CRL.to_cryptography()
for converting X.509 CSRs and CRLs to and from pyca/cryptography objects. #645 - Added
OpenSSL.debug
that allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information usingpython -m OpenSSL.debug
. #620 - Added a fallback path to
Context.set_default_verify_paths()
to accommodate the upcoming release ofcryptography
manylinux1
wheels. #633
none
none
- Added
OpenSSL.X509Store.set_time()
to set a custom verification time when verifying certificate chains. #567 - Added a collection of functions for working with OCSP stapling.
None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided.
Users will need to write their own code to handle OCSP assertions.
We specifically added:
Context.set_ocsp_server_callback()
,Context.set_ocsp_client_callback()
, andConnection.request_ocsp()
. #580 - Changed the
SSL
module's memory allocation policy to avoid zeroing memory it allocates when unnecessary. This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation. For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements. #578 - Automatically set
SSL_CTX_set_ecdh_auto()
onOpenSSL.SSL.Context
. #575 - Fix empty exceptions from
OpenSSL.crypto.load_privatekey()
. #581
none
none
- Fixed compatibility errors with OpenSSL 1.1.0.
- Fixed an issue that caused failures with subinterpreters and embedded Pythons. #552
none
- Dropped support for OpenSSL 0.9.8.
- Fix memory leak in
OpenSSL.crypto.dump_privatekey()
withFILETYPE_TEXT
. #496 - Enable use of CRL (and more) in verify context. #483
OpenSSL.crypto.PKey
can now be constructed fromcryptography
objects and also exported as such. #439- Support newer versions of
cryptography
which use opaque structs for OpenSSL 1.1.0 compatibility.
This is the first release under full stewardship of PyCA. We have made many changes to make local development more pleasing. The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2. It has been moved to pytest, all CI test runs are part of tox and the source code has been made fully flake8 compliant.
We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations.
- Python 3.2 support has been dropped.
It never had significant real world usage and has been dropped by our main dependency
cryptography
. Affected users should upgrade to Python 3.3 or later.
The support for EGD has been removed. The only affected function
OpenSSL.rand.egd()
now usesos.urandom()
to seed the internal PRNG instead. Please see pyca/cryptography#1636 for more background information on this decision. In accordance with our backward compatibility policyOpenSSL.rand.egd()
will be removed no sooner than a year from the release of 16.0.0.Please note that you should use urandom for all your secure random number needs.
Python 2.6 support has been deprecated. Our main dependency
cryptography
deprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it. pyOpenSSL will drop Python 2.6 support oncecryptography
does.
- Fixed
OpenSSL.SSL.Context.set_session_id
,OpenSSL.SSL.Connection.renegotiate
,OpenSSL.SSL.Connection.renegotiate_pending
, andOpenSSL.SSL.Context.load_client_ca
. They were lacking an implementation since 0.14. #422 - Fixed segmentation fault when using keys larger than 4096-bit to sign data. #428
- Fixed
AttributeError
whenOpenSSL.SSL.Connection.get_app_data()
was called before setting any app data. #304 - Added
OpenSSL.crypto.dump_publickey()
to dumpOpenSSL.crypto.PKey
objects that represent public keys, andOpenSSL.crypto.load_publickey()
to load such objects from serialized representations. #382 - Added
OpenSSL.crypto.dump_crl()
to dump a certificate revocation list out to a string buffer. #368 - Added
OpenSSL.SSL.Connection.get_state_string()
using the OpenSSL bindingstate_string_long
. #358 - Added support for the
socket.MSG_PEEK
flag toOpenSSL.SSL.Connection.recv()
andOpenSSL.SSL.Connection.recv_into()
. #294 - Added
OpenSSL.SSL.Connection.get_protocol_version()
andOpenSSL.SSL.Connection.get_protocol_version_name()
. #244 - Switched to
utf8string
mask by default. OpenSSL formerly defaulted to aT61String
if there were UTF-8 characters present. This was changed to default toUTF8String
in the config around 2005, but the actual code didn't change it until late last year. This will default us to the setting that actually works. To revert this you can callOpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")
. #234
The changes from before release 16.0.0 are preserved in the repository.