Changes:
20.0.1 (2020-12-15)
-------------------
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations:
^^^^^^^^^^^^^
Changes:
^^^^^^^^
- Fixed compatibility with OpenSSL 1.1.0.
20.0.0 (2020-11-27)
-------------------
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- The minimum ``cryptography`` version is now 3.2.
- Remove deprecated ``OpenSSL.tsafe`` module.
- Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.
- Drop support for Python 3.4
- Drop support for OpenSSL 1.0.1 and 1.0.2
Deprecations:
^^^^^^^^^^^^^
- Deprecated ``OpenSSL.crypto.loads_pkcs7`` and ``OpenSSL.crypto.loads_pkcs12``.
Changes:
^^^^^^^^
- Added a new optional ``chain`` parameter to ``OpenSSL.crypto.X509StoreContext()``
where additional untrusted certificates can be specified to help chain building.
`#948 <https://github.com/pyca/pyopenssl/pull/948>`_
- Added ``OpenSSL.crypto.X509Store.load_locations`` to set trusted
certificate file bundles and/or directories for verification.
`#943 <https://github.com/pyca/pyopenssl/pull/943>`_
- Added ``Context.set_keylog_callback`` to log key material.
`#910 <https://github.com/pyca/pyopenssl/pull/910>`_
- Added ``OpenSSL.SSL.Connection.get_verified_chain`` to retrieve the
verified certificate chain of the peer.
`#894 <https://github.com/pyca/pyopenssl/pull/894>`_.
- Make verification callback optional in ``Context.set_verify``.
If omitted, OpenSSL's default verification is used.
`#933 <https://github.com/pyca/pyopenssl/pull/933>`_
- Fixed a bug that could truncate or cause a zero-length key error due to a
null byte in private key passphrase in ``OpenSSL.crypto.load_privatekey``
and ``OpenSSL.crypto.dump_privatekey``.
`#947 <https://github.com/pyca/pyopenssl/pull/947>`_
- Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains.
- Added a collection of functions for working with OCSP stapling.
None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided.
Users will need to write their own code to handle OCSP assertions.
We specifically added: ``Context.set_ocsp_server_callback``, ``Context.set_ocsp_client_callback``, and ``Connection.request_ocsp``.
- Changed the ``SSL`` module's memory allocation policy to avoid zeroing memory it allocates when unnecessary.
This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation.
For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements.
- Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``.
- Fix empty exceptions from ``OpenSSL.crypto.load_privatekey()``.
Add patch that makes tests on NetBSD progress further.
But then there's a segfault. See
https://github.com/pyca/pyopenssl/issues/596
16.2.0 (2016-10-15)
-------------------
Changes:
^^^^^^^^
- Fixed compatibility errors with OpenSSL 1.1.0.
- Fixed an issue that caused failures with subinterpreters and embedded Pythons.
`#552 <https://github.com/pyca/pyopenssl/pull/552>`_
16.1.0 (2016-08-26)
-------------------
Deprecations:
^^^^^^^^^^^^^
- Dropped support for OpenSSL 0.9.8.
Changes:
^^^^^^^^
- Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``.
`#496 <https://github.com/pyca/pyopenssl/pull/496>`_
- Enable use of CRL (and more) in verify context.
`#483 <https://github.com/pyca/pyopenssl/pull/483>`_
- ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such.
`#439 <https://github.com/pyca/pyopenssl/pull/439>`_
- Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.
