pyOpenSSL (original) (raw)

Note: The Python Cryptographic Authority strongly suggests the use of pyca/cryptographywhere possible. If you are using pyOpenSSL for anything other than making a TLS connectionyou should move to cryptography and drop your pyOpenSSL dependency.

High-level wrapper around a subset of the OpenSSL library. Includes

… and much more.

You can find more information in the documentation. Development takes place on GitHub.

Release Information

25.0.0 (2025-01-12)

Backward-incompatible changes:

Deprecations:

Changes:

• Corrected type annotations on Context.set_alpn_select_callback, Context.set_session_cache_mode, Context.set_options, Context.set_mode, X509.subject_name_hash, and X509Store.load_locations.
• Deprecated APIs are now marked using warnings.deprecated. mypy will emit deprecation notices for them when used with --enable-error-code deprecated.

24.3.0 (2024-11-27)

Backward-incompatible changes:

• Removed the deprecated OpenSSL.crypto.CRL, OpenSSL.crypto.Revoked, OpenSSL.crypto.dump_crl, and OpenSSL.crypto.load_crl. cryptography.x509’s CRL functionality should be used instead.
• Removed the deprecated OpenSSL.crypto.sign and OpenSSL.crypto.verify. cryptography.hazmat.primitives.asymmetric’s signature APIs should be used instead.

Deprecations:

• Deprecated OpenSSL.rand - callers should use os.urandom() instead.
• Deprecated add_extensions and get_extensions on OpenSSL.crypto.X509Req and OpenSSL.crypto.X509. These should have been deprecated at the same time X509Extension was. Users should use pyca/cryptography’s X.509 APIs instead.
• Deprecated OpenSSL.crypto.get_elliptic_curves and OpenSSL.crypto.get_elliptic_curve, as well as passing the reult of them to OpenSSL.SSL.Context.set_tmp_ecdh, users should instead pass curves from cryptography.
• Deprecated passing X509 objects to OpenSSL.SSL.Context.use_certificate, OpenSSL.SSL.Connection.use_certificate, OpenSSL.SSL.Context.add_extra_chain_cert, and OpenSSL.SSL.Context.add_client_ca, users should instead pass cryptography.x509.Certificate instances. This is in preparation for deprecating pyOpenSSL’s X509 entirely.
• Deprecated passing PKey objects to OpenSSL.SSL.Context.use_privatekey and OpenSSL.SSL.Connection.use_privatekey, users should instead pass cryptography priate key instances. This is in preparation for deprecating pyOpenSSL’s PKey entirely.

Changes:

• cryptography maximum version has been increased to 44.0.x.
• OpenSSL.SSL.Connection.get_certificate, OpenSSL.SSL.Connection.get_peer_certificate, OpenSSL.SSL.Connection.get_peer_cert_chain, and OpenSSL.SSL.Connection.get_verified_chain now take an as_cryptography keyword-argument. When True is passed then cryptography.x509.Certificate are returned, instead of OpenSSL.crypto.X509. In the future, passing False (the default) will be deprecated.

24.2.1 (2024-07-20)

Backward-incompatible changes:

Deprecations:

Changes:

• Fixed changelog to remove sphinx specific restructured text strings.

24.2.0 (2024-07-20)

Backward-incompatible changes:

Deprecations:

• Deprecated OpenSSL.crypto.X509Req, OpenSSL.crypto.load_certificate_request, OpenSSL.crypto.dump_certificate_request. Instead, cryptography.x509.CertificateSigningRequest, cryptography.x509.CertificateSigningRequestBuilder, cryptography.x509.load_der_x509_csr, or cryptography.x509.load_pem_x509_csr should be used.

Changes:

• Added type hints for the SSL module.#1308.
• Changed OpenSSL.crypto.PKey.from_cryptography_key to accept public and private EC, ED25519, ED448 keys.#1310.

24.1.0 (2024-03-09)

Backward-incompatible changes:

• Removed the deprecated OpenSSL.crypto.PKCS12 andOpenSSL.crypto.NetscapeSPKI. OpenSSL.crypto.PKCS12 may be replaced by the PKCS#12 APIs in the cryptography package.

Deprecations:

Changes:

24.0.0 (2024-01-22)

Backward-incompatible changes:

Deprecations:

Changes:

• Added OpenSSL.SSL.Connection.get_selected_srtp_profile to determine which SRTP profile was negotiated.#1279.

23.3.0 (2023-10-25)

Backward-incompatible changes:

• Dropped support for Python 3.6.
• The minimum cryptography version is now 41.0.5.
• Removed OpenSSL.crypto.load_pkcs7 and OpenSSL.crypto.load_pkcs12 which had been deprecated for 3 years.
• Added OpenSSL.SSL.OP_LEGACY_SERVER_CONNECT to allow legacy insecure renegotiation between OpenSSL and unpatched servers.#1234.

Deprecations:

• Deprecated OpenSSL.crypto.PKCS12 (which was intended to have been deprecated at the same time as OpenSSL.crypto.load_pkcs12).
• Deprecated OpenSSL.crypto.NetscapeSPKI.
• Deprecated OpenSSL.crypto.CRL
• Deprecated OpenSSL.crypto.Revoked
• Deprecated OpenSSL.crypto.load_crl and OpenSSL.crypto.dump_crl
• Deprecated OpenSSL.crypto.sign and OpenSSL.crypto.verify
• Deprecated OpenSSL.crypto.X509Extension

Changes:

• Changed OpenSSL.crypto.X509Store.add_crl to also acceptcryptography’s x509.CertificateRevocationList arguments in addition to the now deprecated OpenSSL.crypto.CRL arguments.
• Fixed test_set_default_verify_paths test so that it is skipped if no network connection is available.

23.2.0 (2023-05-30)

Backward-incompatible changes:

• Removed X509StoreFlags.NOTIFY_POLICY.#1213.

Deprecations:

Changes:

• cryptography maximum version has been increased to 41.0.x.
• Invalid versions are now rejected in OpenSSL.crypto.X509Req.set_version.
• Added X509VerificationCodes to OpenSSL.SSL.#1202.

23.1.1 (2023-03-28)

Backward-incompatible changes:

Deprecations:

Changes:

• Worked around an issue in OpenSSL 3.1.0 which caused X509Extension.get_short_name to raise an exception when no short name was known to OpenSSL.#1204.

23.1.0 (2023-03-24)

Backward-incompatible changes:

Deprecations:

Changes:

• cryptography maximum version has been increased to 40.0.x.
• Add OpenSSL.SSL.Connection.DTLSv1_get_timeout and OpenSSL.SSL.Connection.DTLSv1_handle_timeoutto support DTLS timeouts #1180.

23.0.0 (2023-01-01)

Backward-incompatible changes:

Deprecations:

Changes:

• Add OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN constant to allow for users to perform certificate verification on partial certificate chains.#1166
• cryptography maximum version has been increased to 39.0.x.

22.1.0 (2022-09-25)

Backward-incompatible changes:

• Remove support for SSLv2 and SSLv3.
• The minimum cryptography version is now 38.0.x (and we now pin releases against cryptography major versions to prevent future breakage)
• The OpenSSL.crypto.X509StoreContextError exception has been refactored, changing its internal attributes.#1133

Deprecations:

• OpenSSL.SSL.SSLeay_version is deprecated in favor ofOpenSSL.SSL.OpenSSL_version. The constants OpenSSL.SSL.SSLEAY_* are deprecated in favor of OpenSSL.SSL.OPENSSL_*.

Changes:

• Add OpenSSL.SSL.Connection.set_verify and OpenSSL.SSL.Connection.get_verify_modeto override the context object’s verification flags.#1073
• Add OpenSSL.SSL.Connection.use_certificate and OpenSSL.SSL.Connection.use_privatekeyto set a certificate per connection (and not just per context) #1121.

22.0.0 (2022-01-29)

Backward-incompatible changes:

• Drop support for Python 2.7.#1047
• The minimum cryptography version is now 35.0.

Deprecations:

Changes:

• Expose wrappers for some DTLSprimitives. #1026

21.0.0 (2021-09-28)

Backward-incompatible changes:

• The minimum cryptography version is now 3.3.
• Drop support for Python 3.5

Deprecations:

Changes:

• Raise an error when an invalid ALPN value is set.#993
• Added OpenSSL.SSL.Context.set_min_proto_version and OpenSSL.SSL.Context.set_max_proto_versionto set the minimum and maximum supported TLS version #985.
• Updated to_cryptography and from_cryptography methods to support an upcoming release of cryptography without raising deprecation warnings.#1030

20.0.1 (2020-12-15)

Backward-incompatible changes:

Deprecations:

Changes:

• Fixed compatibility with OpenSSL 1.1.0.

20.0.0 (2020-11-27)

Backward-incompatible changes:

• The minimum cryptography version is now 3.2.
• Remove deprecated OpenSSL.tsafe module.
• Removed deprecated OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated.
• Drop support for Python 3.4
• Drop support for OpenSSL 1.0.1 and 1.0.2

Deprecations:

• Deprecated OpenSSL.crypto.load_pkcs7 and OpenSSL.crypto.load_pkcs12.

Changes:

• Added a new optional chain parameter to OpenSSL.crypto.X509StoreContext()where additional untrusted certificates can be specified to help chain building.#948
• Added OpenSSL.crypto.X509Store.load_locations to set trusted certificate file bundles and/or directories for verification.#943
• Added Context.set_keylog_callback to log key material.#910
• Added OpenSSL.SSL.Connection.get_verified_chain to retrieve the verified certificate chain of the peer.#894.
• Make verification callback optional in Context.set_verify. If omitted, OpenSSL’s default verification is used.#933
• Fixed a bug that could truncate or cause a zero-length key error due to a null byte in private key passphrase in OpenSSL.crypto.load_privatekeyand OpenSSL.crypto.dump_privatekey.#947

19.1.0 (2019-11-18)

Backward-incompatible changes:

• Removed deprecated ContextType, ConnectionType, PKeyType, X509NameType, X509ReqType, X509Type, X509StoreType, CRLType, PKCS7Type, PKCS12Type, and NetscapeSPKIType aliases. Use the classes without the Type suffix instead.#814
• The minimum cryptography version is now 2.8 due to issues on macOS with a transitive dependency.#875

Deprecations:

• Deprecated OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated. ALPN should be used instead.#820

Changes:

• Support bytearray in SSL.Connection.send() by using cffi’s from_buffer.#852
• The OpenSSL.SSL.Context.set_alpn_select_callback can return a new NO_OVERLAPPING_PROTOCOLS sentinel value to allow a TLS handshake to complete without an application protocol.

Full changelog.