0.32.0:
- setup.py: use ${CPP} as path to cpp
- Bump pipeline OpenSSL from 1.1.0i to 1.1.0j
- Stub wchar_t helpers and ignore unused WCHAR defs
- Add type comment to setup.py
Support for UNIX domain socket connections.
New configuration file settings pem-dir and pem-dir-glob.
Support for TLS 1.3.
Fixed a bug that would cause a crash on reload if ocsp-dir was changed.
Add log-level. This supersedes the previous quiet setting.
Add proxy-tlv. This enables extra reporting of cipher and protocol.
Drop TLSv1.1 from the default TLS protocols list.
Remove f-prot-antivirus6-ws-bin package version 6.2.3.
Althoguth F-PROT Antivirus is still supported for licensed users,
its antivirus engine (i.e. program itself) did not updated since 2013 and
it is sold for Linux and Windows (no *BSD).
So it's time to remove it from pkgsrc.
Remove f-prot-antivirus6-fs-bin package version 6.2.3.
Althoguth F-PROT Antivirus is still supported for licensed users,
its antivirus engine (i.e. program itself) did not updated since 2013 and
it is sold for Linux and Windows (no *BSD).
So it's time to remove it from pkgsrc.
Remove f-prot-antivirus6-ms-bin package version 6.2.3.
Althoguth F-PROT Antivirus is still supported for licensed users,
its antivirus engine (i.e. program itself) did not updated since 2013 and
it is sold for Linux and Windows (no *BSD).
So it's time to remove it from pkgsrc.
1.16.0:
Added support for Ed448 host/client keys and certificates and rewrote Ed25519 support to use the PyCA implementation, reducing the dependency on libnacl and libsodium to only be needed to support the chacha20-poly1305 cipher.
Added support for PKCS-8 format Ed25519 and Ed448 private and public keys (in addition to the OpenSSH format previously supported).
Added support for multiple delimiters in SSHReader’s readuntil() function, causing it to return data as soon as any of the specified delimiters are matched.
Added the ability to register custom key handlers in the line editor which can modify the input line, extending the built-in editing functionality.
Added SSHSubprocessProtocol and SSHSubprocessTransport classes to provide compatibility with asyncio.SubprocessProtocol and asyncio.SubprocessTransport. Code which is designed to call BaseEventLoop.subprocess_shell() or BaseEventLoop.subprocess_exec() can be easily adapted to work against a remote process by calling SSHClientConnection.create_subprocess().
Added support for sending keepalive messages when the SSH connection is idle, with an option to automatically disconnect the connection if the remote system doesn’t respond to these keepalives.
Changed AsyncSSH to ignore errors when loading unsupported key types from the default file locations.
Changed the reuse_port option to only be available on Python releases which support it (3.4.4 and later).
Fixed an issue where MSG_IGNORE packets could sometimes be sent between MSG_NEWKEYS and MSG_EXT_INFO, which caused some SSH implementations to fail to properly parse the MSG_EXT_INFO.
Fixed a couple of errors in the handling of disconnects occurring prior to authentication completing.
Renamed “session_encoding” and “session_errors” arguments in asyncssh.create_server() to “encoding” and “errors”, to match the names used for these arguments in other AsyncSSH APIs. The old names are still supported for now, but they are marked as deprecated and will be removed in a future release.
2.6.1:
* Resolved an error in our build infrastructure that broke our Python3 wheels
for macOS and Linux.
2.6:
* **BACKWARDS INCOMPATIBLE:** Removed
cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature
and
cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature,
which had been deprecated for nearly 4 years. Use
:func:~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature
and
:func:~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature
instead.
* **BACKWARDS INCOMPATIBLE**: Removed cryptography.x509.Certificate.serial,
which had been deprecated for nearly 3 years. Use
:attr:~cryptography.x509.Certificate.serial_number instead.
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.1b.
* Added support for :doc:/hazmat/primitives/asymmetric/ed448 when using
OpenSSL 1.1.1b or newer.
* Added support for :doc:/hazmat/primitives/asymmetric/ed25519 when using
OpenSSL 1.1.1b or newer.
* :func:~cryptography.hazmat.primitives.serialization.load_ssh_public_key can
now load ed25519 public keys.
* Add support for easily mapping an object identifier to its elliptic curve
class via
:func:~cryptography.hazmat.primitives.asymmetric.ec.get_curve_for_oid.
* Add support for OpenSSL when compiled with the no-engine
(OPENSSL_NO_ENGINE) flag.
18.0.0
* On macOS, the backend now raises a KeyringLocked
when access to the keyring is denied (on get or set) instead
of PasswordSetError or KeyringError. Any API users
may need to account for this change, probably by catching
the parent KeyringError.
Additionally, the error message from the underying error is
now included in any errors that occur.
17.1.1
* Update packaging technique to avoid 0.0.0 releases.
17.1.0
* When calling keyring.core.init_backend, if any
limit function is supplied, it is saved and later honored by
the ChainerBackend as well.
17.0.0
* Remove application attribute from stored passwords
using SecretService, addressing regression introduced in
10.5.0. Impacted Linux keyrings will once again
prompt for a password for "Python program".
16.1.1
* Fix error on import due to circular imports
on Python 3.4.
16.1.0
* Refactor ChainerBackend, introduced in 16.0 to function
as any other backend, activating when relevant.
16.0.2
* In Windows backend, trap all exceptions when
attempting to import pywin32.
16.0.1
* Once again allow all positive, non-zero priority
keyrings to participate.
16.0.0
* Fix race condition in delete_password on Windows.
* All suitable backends (priority 1 and greater) are
allowed to participate.
15.2.0
* Added new API for get_credentials, for backends
that can resolve both a username and password for a service.
15.1.0
* Add the Null keyring, disabled by default.
* Added --disable option to command-line
interface.
* Now honor a PYTHON_KEYRING_BACKEND
environment variable to select a backend. Environments
may set to keyring.backends.null.Keyring to disable
keyring.
This is based on a git checkout from a couple days ago; not completely
sure about the version number.
The Makefile now contains a short how-to for updating this package.
Many thanks for the www/firefox60 patches!
Use at your own risk!
Survives basic browsing and check.torproject.org claims it connects via tor.
Changes: too many to document.
1.3.0 2018-09-26
- Added support for Python 3.7.
- Update libsodium to 1.0.16.
- Run and test all code examples in PyNaCl docs through sphinx's doctest builder.
- Add low-level bindings for chacha20-poly1305 AEAD constructions.
- Add low-level bindings for the chacha20-poly1305 secretstream constructions.
- Add low-level bindings for ed25519ph pre-hashed signing construction.
- Add low-level bindings for constant-time increment and addition on fixed-precision big integers represented as little-endian byte sequences.
- Add low-level bindings for the ISO/IEC 7816-4 compatible padding API.
- Add low-level bindings for libsodium's crypto_kx... key exchange construction.
- Set hypothesis deadline to None in tests/test_pwhash.py to avoid incorrect test failures on slower processor architectures. GitHub issue #370
1.2.1 - 2017-12-04
- Update hypothesis minimum allowed version.
- Infrastructure: add proper configuration for readthedocs builder runtime environment.
1.2.0 - 2017-11-01
- Update libsodium to 1.0.15.
- Infrastructure: add jenkins support for automatic build of manylinux1 binary wheels
- Added support for SealedBox construction.
- Added support for argon2i and argon2id password hashing constructs and restructured high-level password hashing implementation to expose the same interface for all hashers.
- Added support for 128 bit siphashx24 variant of siphash24.
- Added support for from_seed APIs for X25519 keypair generation.
- Dropped support for Python 3.3.
version 0.8.6 (released 2018-12-24)
* Fixed compilation issues with different OpenSSL versions
* Fixed StrictHostKeyChecking in new knownhosts API
* Fixed ssh_send_keepalive() with packet filter
* Fixed possible crash with knownhosts options
* Fixed issus with rekeying
* Fixed strong ECDSA keys
* Fixed some issues with rsa-sha2 extentions
* Fixed access violation in ssh_init() (static linking)
* Fixed ssh_channel_close() handling
signing-party (2.8-1) unstable; urgency=low
[ Guilhem Moulin ]
* caff:
+ Add the "only-sign-text-ids" to the list of gpg(1) options imported from
~/.gnupg/gpg.conf.
+ Ensure the terminal is "sane enough" when asking questions ('echo',
'echok', 'icanon', 'icrnl' settings are all set), and restore original
settings when exit()'ing the program. (Closes: #872529)
* caff, gpglist, gpgsigs: in `gpg --with-colons` output, allow signature
class to be followed with an optional revocation reason. gpg(1) does that
since 2.2.9. (Closes: #905097.)
* caff, gpg-key2latex, gpg-key2ps, gpglist, gpgsigs, keylookup: Remove
references to https://pgp-tools.alioth.debian.org/ .
* caff, gpg-key2latex, gpg-key2ps, gpg-mailkeys, gpglist, gpgparticipants,
gpgsigs, keylookup: Remove SVN keywords ($Id$, $Rev$, etc.)
-- Guilhem Moulin <guilhem@debian.org> Mon, 28 Jan 2019 03:05:33 +0100
0.18.7
* Migrate from intltool to gettext [!2]
* Fix uninitialized memory returned by secret_item_get_schema_name() [#15]
* secret-session: Avoid double-free in service_encode_plain_secret()
* Port tap script to Python 3 [!4]
* Build and test fixes [#734630]
* Updated translations
Packaged for wip by Michael Bäuerle.
This is a collection of simple PIN or passphrase entry dialogs which
utilize the Assuan protocol as described by the aegypten project.
It provides programs for several graphical toolkits, such as FLTK,
GTK+ and QT, as well as for the console, using curses.
This package contains the FLTK frontend.
Noteworthy changes in version 2.2.13:
* gpg: Implement key lookup via keygrip (using the & prefix).
* gpg: Allow generating Ed25519 key from existing key.
* gpg: Emit an ERROR status line if no key was found with -k.
* gpg: Stop early when trying to create a primary Elgamal key.
* gpgsm: Print the card's key algorithms along with their keygrips
in interactive key generation.
* agent: Clear bogus pinentry cache in the error case.
* scd: Support "acknowledge button" feature.
* scd: Fix for USB INTERRUPT transfer.
* wks: Do no use compression for the the encrypted challenge and
response
Noteworthy changes in version 2.5.3:
* Add a timeout for writing to a SOCKS5 proxy. This helps if another
service is running on the standard tor socket (e.g. Windows 10).
* Add workaround for a problem with LD_LIBRARY_PATH on newer systems.
0.31.0:
Added
Avoid reprocessing challenges that are already validated when a certificate is issued.
Support for initiating (but not solving end-to-end) TLS-ALPN-01 challenges with the acme module.
Changed
Certbot's official Docker images are now based on Alpine Linux 3.9 rather than 3.7. The new version comes with OpenSSL 1.1.1.
Lexicon-based DNS plugins are now fully compatible with Lexicon 3.x (support on 2.x branch is maintained).
Apache plugin now attempts to configure all VirtualHosts matching requested domain name instead of only a single one when answering the HTTP-01 challenge.
Fixed
Fixed accessing josepy contents through acme.jose when the full acme.jose path is used.
Clarify behavior for deleting certs as part of revocation.
Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only package with changes other than its version number was:
acme
certbot
certbot-apache
certbot-dns-cloudxns
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-gehirn
certbot-dns-linode
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-ovh
certbot-dns-sakuracloud
More details about these changes can be found on our GitHub repo.
3.0.6:
Certifcates that are revoked now move to a revoked subdirectory
EasyRSA no longer clobbers non-EASYRSA environment variables
More sane string checking, allowingn for commas in CN
Support for reasonCode in CRL
Better handling for capturing passphrases
Improved LibreSSL/MacOS support
Adds support to renew certificates up to 30 days before expiration
This changes previous behavior allowing for certificate creation using
duplicate CNs.
Revision 0.2.4:
- Added modules for RFC8226 implementing JWT Claim Constraints
and TN Authorization List for X.509 certificate extensions
- Fixed bug in rfc5280.AlgorithmIdentifier ANY type definition
Trustme 0.5.0:
Features
Added CA.create_child_ca() to allow for certificate chains
Added CA.private_key_pem to export CA private keys; this allows signing other certs with the same CA outside of trustme.
CAs now include the KeyUsage and ExtendedKeyUsage extensions configured for SSL certificates.
CA.issue_cert now accepts email addresses as a valid form of identity.
It’s now possible to set the “common name” of generated certs; see CA.issue_cert for details
CA.issue_server_cert has been renamed to CA.issue_cert, since it supports both server and client certs. To preserve backwards compatibility, the old name is retained as an undocumented alias.
Bugfixes
Make sure cert expiration dates don’t exceed 2038-01-01, to avoid issues on some 32-bit platforms that suffer from the Y2038 problem.
2.5:
* **BACKWARDS INCOMPATIBLE:** :term:U-label strings were deprecated in
version 2.1, but this version removes the default idna dependency as
well. If you still need this deprecated path please install cryptography
with the idna extra: pip install cryptography[idna].
* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.4.
* Numerous classes and functions have been updated to allow :term:bytes-like
types for keying material and passwords, including symmetric algorithms, AEAD
ciphers, KDFs, loading asymmetric keys, and one time password classes.
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.1a.
* Added support for :class:~cryptography.hazmat.primitives.hashes.SHA512_224
and :class:~cryptography.hazmat.primitives.hashes.SHA512_256 when using
OpenSSL 1.1.1.
* Added support for :class:~cryptography.hazmat.primitives.hashes.SHA3_224,
:class:~cryptography.hazmat.primitives.hashes.SHA3_256,
:class:~cryptography.hazmat.primitives.hashes.SHA3_384, and
:class:~cryptography.hazmat.primitives.hashes.SHA3_512 when using OpenSSL
1.1.1.
* Added support for :doc:/hazmat/primitives/asymmetric/x448 when using
OpenSSL 1.1.1.
* Added support for :class:~cryptography.hazmat.primitives.hashes.SHAKE128
and :class:~cryptography.hazmat.primitives.hashes.SHAKE256 when using
OpenSSL 1.1.1.
* Added initial support for parsing PKCS12 files with
:func:~cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates.
* Added support for :class:~cryptography.x509.IssuingDistributionPoint.
* Added rfc4514_string() method to
:meth:x509.Name <cryptography.x509.Name.rfc4514_string>,
:meth:x509.RelativeDistinguishedName
<cryptography.x509.RelativeDistinguishedName.rfc4514_string>, and
:meth:x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_string>
to format the name or component an :rfc:4514 Distinguished Name string.
* Added
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point,
which immediately checks if the point is on the curve and supports compressed
points. Deprecated the previous method
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point.
* Added :attr:~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm
to OCSPResponse.
* Updated :doc:/hazmat/primitives/asymmetric/x25519 support to allow
additional serialization methods. Calling
:meth:~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes
with no arguments has been deprecated.
* Added support for encoding compressed and uncompressed points via
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes. Deprecated the previous method
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point.
Release 1.15.1:
Added callback-based host validation in SSHClient, allowing callers to decide programmatically whether to trust server host keys and certificates rather than having to provide a list of trusted values in advance.
Changed SSH client code to only load the default known hosts file if if exists. Previously an error was returned if a known_hosts value wasn’t specified and the default known_hosts file didn’t exist. For host validate to work in this case, verification callbacks must be implemented or other forms of validation such as X.509 trusted CAs or GSS-based key exchange must be used.
Fixed known hosts validation to completely disable certificate checks when known_hosts is set to None. Previously, key checking was disabled in this case but other checks for certificate expiration and hostname mismatch were still performed, causing connections to fail even when checking was supposed to be disabled.
Switched curve25519 key exchange to use the PyCA implementation, avoiding a dependency on libnacl/libsodium. For now, support for Ed25519 keys still requires these libraries, but once that support appears in PyCA, it may be possible to remove this dependency entirely.
Added get_fingerprint() method to return a fingerprint of an SSHKey.
19.0.0:
Backward-incompatible changes:
- X509Store.add_cert no longer raises an error if you add a duplicate cert.
Changes:
- pyOpenSSL now works with OpenSSL 1.1.1.
- pyOpenSSL now handles NUL bytes in X509Name.get_components()
Changes since previous version:
+ Added general-purpose implementations of EAX and CCM modes (including
shared precomputation support for EAX).
+ Added general-purpose RSA/OAEP implementation.
+ Added general-purpose HKDF implementation.
+ Added support for CCM and CCM_8 TLS cipher suites (RFC 6655 and RFC 7251).
+ Added RSA and EC key generation.
+ Added private key encoding support ("raw" and PKCS#8 formats, both
in DER and PEM, for RSA and EC key pairs).
+ Made Base64 encoding/decoding constant-time (with regards to the
encoded data bytes).
+ Added a generic API for random seed providers.
+ Added an extra DRBG based on AES/CTR + Hirose construction for reseeding.
+ Some cosmetic fixes to avoid warnings with picky compilers.
+ Makefile fix to achieve compatibility with OpenBSD.
+ Fixed a bug in bit length computation for big integers (this was
breaking RSA signatures with some specific implementations and key lengths).
+ Made SSL/TLS client stricter in cipher suite selection (to align with
server behaviour).
3.7.3:
Resolved issues
False positive on PSS signatures when externally provided salt is too long.
Include type stub files for Crypto.IO and Crypto.Util.
