Changes:
16.0.0 (2016-03-19)
-------------------
This is the first release under full stewardship of PyCA.
We have made *many* changes to make local development more pleasing.
The test suite now passes both on Linux and OS X with OpenSSL 0.9.8,
1.0.1, and 1.0.2. It has been moved to `py.test <https://pytest.org/>`_,
all CI test runs are part of `tox <https://testrun.org/tox/>`_ and
the source code has been made fully `flake8
<https://flake8.readthedocs.org/>`_ compliant.
We hope to have lowered the barrier for contributions significantly
but are open to hear about any remaining frustrations.
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Python 3.2 support has been dropped.
It never had significant real world usage and has been dropped
by our main dependency ``cryptography``. Affected users should
upgrade to Python 3.3 or later.
Deprecations:
^^^^^^^^^^^^^
- The support for EGD has been removed.
The only affected function ``OpenSSL.rand.egd()`` now uses
``os.urandom()`` to seed the internal PRNG instead. Please see
`pyca/cryptography#1636
<https://github.com/pyca/cryptography/pull/1636>`_ for more
background information on this decision. In accordance with our
backward compatibility policy ``OpenSSL.rand.egd()`` will be
*removed* no sooner than a year from the release of 16.0.0.
Please note that you should `use urandom
<http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/>`_
for all your secure random number needs.
- Python 2.6 support has been deprecated.
Our main dependency ``cryptography`` deprecated 2.6 in version
0.9 (2015-05-14) with no time table for actually dropping it.
pyOpenSSL will drop Python 2.6 support once ``cryptography``
does.
Changes:
^^^^^^^^
- Fixed ``OpenSSL.SSL.Context.set_session_id``,
``OpenSSL.SSL.Connection.renegotiate``,
``OpenSSL.SSL.Connection.renegotiate_pending``, and
``OpenSSL.SSL.Context.load_client_ca``.
They were lacking an implementation since 0.14. `#422
<https://github.com/pyca/pyopenssl/pull/422>`_
- Fixed segmentation fault when using keys larger than 4096-bit to sign data.
`#428 <https://github.com/pyca/pyopenssl/pull/428>`_
- Fixed ``AttributeError`` when ``OpenSSL.SSL.Connection.get_app_data()``
was called before setting any app data.
`#304 <https://github.com/pyca/pyopenssl/pull/304>`_
- Added ``OpenSSL.crypto.dump_publickey()`` to dump ``OpenSSL.crypto.PKey``
objects that represent public keys, and ``OpenSSL.crypto.load_publickey()``
to load such objects from serialized representations.
`#382 <https://github.com/pyca/pyopenssl/pull/382>`_
- Added ``OpenSSL.crypto.dump_crl()`` to dump a certificate revocation
list out to a string buffer.
`#368 <https://github.com/pyca/pyopenssl/pull/368>`_
- Added ``OpenSSL.SSL.Connection.get_state_string()`` using the
OpenSSL binding ``state_string_long``.
`#358 <https://github.com/pyca/pyopenssl/pull/358>`_
- Added support for the ``socket.MSG_PEEK`` flag to
``OpenSSL.SSL.Connection.recv()`` and
``OpenSSL.SSL.Connection.recv_into()``.
`#294 <https://github.com/pyca/pyopenssl/pull/294>`_
- Added ``OpenSSL.SSL.Connection.get_protocol_version()`` and
``OpenSSL.SSL.Connection.get_protocol_version_name()``.
`#244 <https://github.com/pyca/pyopenssl/pull/244>`_
- Switched to ``utf8string`` mask by default.
OpenSSL formerly defaulted to a ``T61String`` if there were UTF-8
characters present. This was changed to default to ``UTF8String``
in the config around 2005, but the actual code didn't change it
until late last year. This will default us to the setting that
actually works. To revert this you can call
``OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")``.
`#234 <https://github.com/pyca/pyopenssl/pull/234>`_
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
pkgsrc changes:
* Update HOMEPAGE
Changes:
0.15.1:
* OpenSSL/SSL.py, OpenSSL/test/test_ssl.py: Fix a regression
present in 0.15, where when an error occurs and no errno() is set,
a KeyError is raised. This happens, for example, if
Connection.shutdown() is called when the underlying transport has
gone away.
0.15:
* OpenSSL/rand.py, OpenSSL/SSL.py: APIs which previously accepted
filenames only as bytes now accept them as either bytes or
unicode (and respect sys.getfilesystemencoding()).
* OpenSSL/SSL.py: Add Cory Benfield's next-protocol-negotiation
(NPN) bindings.
* OpenSSL/SSL.py: Add ``Connection.recv_into``, mirroring the
builtin ``socket.recv_into``. Based on work from Cory Benfield.
* OpenSSL/test/test_ssl.py: Add tests for ``recv_into``.
* OpenSSL/crypto.py: Expose ``X509StoreContext`` for verifying certificates.
* OpenSSL/test/test_crypto.py: Add intermediate certificates for
* OpenSSL/SSL.py: ``Connection.shutdown`` now propagates errors from the
underlying socket.
* OpenSSL/SSL.py: Fixed a regression ``Context.check_privatekey``
causing it to always succeed - even if it should fail.
* OpenSSL/crypto.py: Fixed a regression where calling ``load_pkcs7_data``
with ``FILETYPE_ASN1`` would fail with a ``NameError``.
* OpenSSL/SSL.py: Fix a regression in which the first argument of
the "verify" callback was incorrectly passed a ``Context`` instance
instead of the ``Connection`` instance.
* OpenSSL/test/test_ssl.py: Add a test for the value passed as the
first argument of the "verify" callback.
* OpenSSL/crypto.py: Based on work from Alex Gaynor, Andrew
Lutomirski, Tobias Oberstein, Laurens Van Houtven, and Hynek
Schlawack, add ``get_elliptic_curve`` and ``get_elliptic_curves``
to support TLS ECDHE modes.
* OpenSSL/SSL.py: Add ``Context.set_tmp_ecdh`` to configure a TLS
context with a particular elliptic curve for ECDHE modes.
* OpenSSL/SSL.py: ``Connection.send`` and ``Connection.sendall``
now also accept the ``buffer`` type as data.
* OpenSSL/crypto.py: Make ``load_pkcs12`` backwards compatible with
pyOpenSSL 0.13 by making passphrase optional.
* OpenSSL/SSL.py: Add ``get_finished``, ``get_peer_finished``
methods to ``Connection``. If you use these methods to
implement TLS channel binding (RFC 5929) disable session
resumption because triple handshake attacks against TLS.
<https://www.ietf.org/mail-archive/web/tls/current/msg11337.html>
<https://secure-resumption.com/tlsauth.pdf>
* OpenSSL/SSL.py: Add ``get_cipher_name``, ``get_cipher_bits``,
and ``get_cipher_version`` to ``Connection``.
* OpenSSL/tsafe.py: Replace the use of ``apply`` (which has been
removed in Python 3) with the equivalent syntax.
* OpenSSL/crypto.py: Fix memory leak in _X509_REVOKED_dup.
* leakcheck/crypto.py: Add checks for _X509_REVOKED_dup, CRL.add_revoked
and CRL.get_revoked.
* setup.py: Require cryptography 0.3 to have the ASN1_TIME_free binding.
* OpenSSL/crypto.py: Add ``get_extensions`` method to ``X509Req``.
py-OpenSSL 0.14 started depending on six, but this package didn't, so
"import OpenSSL" failed. Confusingly, this led to build failures in
tahoe-lafs because somehow setuptools determined six was needed and
tried to download it.
After this commit, "make test" in py-OpenSSL still fails; it tries to download
"cryptography" and "cffi".
2014-01-09 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL: Port to the cffi-based OpenSSL bindings provided by
<https://github.com/pyca/cryptography>
2013-10-06 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/ssl/context.c: Add support for negotiating TLS v1.1 or
v1.2.
2013-10-03 Christian Heimes <christian@python.org>
* OpenSSL/crypto/x509.c: Fix an inconsistency in memory management
in X509.get_serial_number which leads to crashes on some runtimes
(certain Windows/Python 3.3 environments, at least).
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
Upstream changes:
2011-09-02 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* Release 0.13
2011-06-12 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/crypto/pkey.c: Add the PKey.check method, mostly
implemented by Rick Dean, to verify the internal consistency of a
PKey instance.
2011-06-12 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/crypto/crypto.c: Fix the sign and verify functions so
they handle data with embedded NULs. Fix by David Brodsky
<lp:~lihalla>.
2011-05-20 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/ssl/connection.c, OpenSSL/test/test_ssl.py: Add a new
method to the Connection type, get_peer_cert_chain, for retrieving
the peer's certificate chain.
2011-05-19 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/crypto/x509.c, OpenSSL/test/test_crypto.py: Add a new
method to the X509 type, get_signature_algorithm, for inspecting
the signature algorithm field of the certificate. Based on a
patch from <lp:~okuda>.
2011-05-10 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/crypto/crypto.h: Work around a Windows/OpenSSL 1.0 issue
explicitly including a Windows header before any OpenSSL headers.
* OpenSSL/crypto/pkcs12.c: Work around an OpenSSL 1.0 issue by
explicitly flushing errors known to be uninteresting after calling
PKCS12_parse.
* OpenSSL/ssl/context.c: Remove SSLv2 support if the underlying
OpenSSL library does not provide it.
* OpenSSL/test/test_crypto.py: Support an OpenSSL 1.0 change from
MD5 to SHA1 by allowing either hash algorithm's result as the
return value of X509.subject_name_hash.
* OpenSSL/test/test_ssl.py: Support an OpenSSL 1.0 change from MD5
to SHA1 by constructing certificate files named using both hash
algorithms' results when testing Context.load_verify_locations.
* Support OpenSSL 1.0.0a.
2011-04-15 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/ssl/ssl.c: Add OPENSSL_VERSION_NUMBER, SSLeay_version
and related constants for retrieving version information about the
underlying OpenSSL library.
* OpenSSL/crypto/x509.c: Add get_extension_count and get_extension
to the X509 type, allowing read access to certificate extensions.
* OpenSSL/crypto/x509ext.c: Add get_short_name and get_data to the
X509Extension type, allowing read access to the contents of an
extension.
* OpenSSL/ssl/ssl.c: Expose a number of symbolic constants for
values passed to the connection "info" callback.
* OpenSSL/ssl/connection.py: Add support for new-style
buffers (primarily memoryviews) to Connection.send and
Connection.sendall.
on some platforms that lacked shared library support in the past. The
list hasn't been maintained at all and the gain is very limited, so just
get rid of it.
- assume that Python 2.4 and 2.5 are compatible and allow checking for
fallout.
- remove PYTHON_VERSIONS_COMPATIBLE that are obsoleted by the 2.3+
default. Modify the others to deal with the removals.
Changes:
* doc/pyOpenSSL.tex: Updates to the docs.
* src/crypto/x509.c: Add X509.add_extensions based on a patch
from Han S. Lee.
* src/ssl/ssl.c: Add more SSL_OP_ constants. Patch from Mihai
Ibanescu.
* setup.py src/crypto/: Add support for Netscape SPKI extensions
based on a patch from Tollef Fog Heen.
* src/crypto/crypto.c: Add support for python passphrase callbacks
based on a patch from Robert Olson.
* src/ssl/context.c: Applied patch from Frederic Peters to add
Context.use_certificate_chain_file.
* src/crypto/x509.c: Applid patch from Tollef Fog Heen to add
X509.subject_name_hash and X509.digest.
* src/crypto/crypto.c src/ssl/ssl.c: Applied patch from Bastian
Kleineidam to fix full names of exceptions.
* doc/pyOpenSSL.tex: Fix the errors regarding X509Name's field names.
* examples/certgen.py: Fixed wrong attributes in doc string, thanks
Remy. (SFbug#913315)
* __init__.py, setup.py, version.py: Add __version__, as suggested by
Ronald Oussoren in SFbug#888729.
* examples/proxy.py: Fix typos, thanks Mihai Ibanescu. (SFpatch#895820)
* Use cyclic GC protocol in SSL.Connection, SSL.Context, crypto.PKCS12
and crypto.X509Name.
* tsafe.py: Add some missing methods.
* __init__.py: Import tsafe too!
* src/crypto/x509name.c: Use unicode strings instead of ordinary
strings in getattr/setattr. Note that plain ascii strings should
still work.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
sourceforge dot net, cleaned by cjep@, and modified by me.
pyOpenSSL is a Python module that is a rather think wrapper around (a
subset of) the OpenSSL library. A lot of the object methods do
nothing more than call a corresponding function in the OpenSSL
library.
