Versions are year-based with a strict backward-compatibility policy. The third digit is only for regressions.
- The minimum
cryptographyversion is now 2.1.4.
- Removed the deprecated
OpenSSL.rand.egd()function. Applications should prefer
os.urandom()for random number generation. #630
- Removed the deprecated default
OpenSSL.crypto.CRL.export(). Callers must now always pass an explicit
- Fixed a bug with
Revoked.set_lastUpdate(). You must now pass times in the form
YYYYMMDDhhmmss-hhmmwill no longer work. #612
- Deprecated the legacy “Type” aliases:
NetscapeSPKIType. The names without the “Type”-suffix should be used instead.
OpenSSL.crypto.X509.to_cryptography()for converting X.509 certificate to and from pyca/cryptography objects. #640
OpenSSL.crypto.CRL.to_cryptography()for converting X.509 CSRs and CRLs to and from pyca/cryptography objects. #645
OpenSSL.debugthat allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information using
python -m OpenSSL.debug. #620
- Added a fallback path to
Context.set_default_verify_paths()to accommodate the upcoming release of
OpenSSL.X509Store.set_time()to set a custom verification time when verifying certificate chains. #567
- Added a collection of functions for working with OCSP stapling.
None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided.
Users will need to write their own code to handle OCSP assertions.
We specifically added:
- Changed the
SSLmodule’s memory allocation policy to avoid zeroing memory it allocates when unnecessary. This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation. For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements. #578
- Automatically set
- Fix empty exceptions from
- Dropped support for OpenSSL 0.9.8.
- Fix memory leak in
- Enable use of CRL (and more) in verify context. #483
OpenSSL.crypto.PKeycan now be constructed from
cryptographyobjects and also exported as such. #439
- Support newer versions of
cryptographywhich use opaque structs for OpenSSL 1.1.0 compatibility.
This is the first release under full stewardship of PyCA. We have made many changes to make local development more pleasing. The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2. It has been moved to pytest, all CI test runs are part of tox and the source code has been made fully flake8 compliant.
We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations.
- Python 3.2 support has been dropped.
It never had significant real world usage and has been dropped by our main dependency
cryptography. Affected users should upgrade to Python 3.3 or later.
The support for EGD has been removed. The only affected function
os.urandom()to seed the internal PRNG instead. Please see pyca/cryptography#1636 for more background information on this decision. In accordance with our backward compatibility policy
OpenSSL.rand.egd()will be removed no sooner than a year from the release of 16.0.0.
Please note that you should use urandom for all your secure random number needs.
Python 2.6 support has been deprecated. Our main dependency
cryptographydeprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it. pyOpenSSL will drop Python 2.6 support once
OpenSSL.SSL.Context.load_client_ca. They were lacking an implementation since 0.14. #422
- Fixed segmentation fault when using keys larger than 4096-bit to sign data. #428
OpenSSL.SSL.Connection.get_app_data()was called before setting any app data. #304
OpenSSL.crypto.PKeyobjects that represent public keys, and
OpenSSL.crypto.load_publickey()to load such objects from serialized representations. #382
OpenSSL.crypto.dump_crl()to dump a certificate revocation list out to a string buffer. #368
OpenSSL.SSL.Connection.get_state_string()using the OpenSSL binding
- Added support for the
- Switched to
utf8stringmask by default. OpenSSL formerly defaulted to a
T61Stringif there were UTF-8 characters present. This was changed to default to
UTF8Stringin the config around 2005, but the actual code didn’t change it until late last year. This will default us to the setting that actually works. To revert this you can call