2.1:
FINAL DEPRECATION Python 2.6 support is deprecated, and will be removed in the next release of cryptography.
BACKWARDS INCOMPATIBLE: Whirlpool, RIPEMD160, and UnsupportedExtension have been removed in accordance with our :doc:`/api-stability` policy.
BACKWARDS INCOMPATIBLE: :attr:`~cryptography.x509.DNSName.value`, :attr:`~cryptography.x509.RFC822Name.value`, and :attr:`~cryptography.x509.UniformResourceIdentifier.value` will now return an :term:`A-label` string when parsing a certificate containing an internationalized domain name (IDN) or if the caller passed a :term:`U-label` to the constructor. See below for additional deprecations related to this change.
Installing cryptography now requires pip 6 or newer.
Deprecated passing :term:`U-label` strings to the :class:`~cryptography.x509.DNSName`, :class:`~cryptography.x509.UniformResourceIdentifier`, and :class:`~cryptography.x509.RFC822Name` constructors. Instead, users should pass values as :term:`A-label` strings with idna encoding if necessary. This change will not affect anyone who is not processing internationalized domains.
Added support for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`. In most cases users should choose :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` rather than using this unauthenticated form.
Added :meth:`~cryptography.x509.CertificateRevocationList.is_signature_valid` to :class:`~cryptography.x509.CertificateRevocationList`.
Support :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and :class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` with :class:`~cryptography.hazmat.primitives.hmac.HMAC`.
Added support for :class:`~cryptography.hazmat.primitives.ciphers.modes.XTS` mode for AES.
Added support for using labels with :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` when using OpenSSL 1.0.2 or greater.
Improved compatibility with NSS when issuing certificates from an issuer that has a subject with non-UTF8String string types.
Add support for the :class:`~cryptography.x509.DeltaCRLIndicator` extension.
Add support for the :class:`~cryptography.x509.TLSFeature` extension. This is commonly used for enabling OCSP Must-Staple in certificates.
Add support for the :class:`~cryptography.x509.FreshestCRL` extension.
Marked all symbols as hidden in the manylinux1 wheel to avoid a bug with symbol resolution in certain scenarios.
2.0.1:
Fixed a compilation bug affecting OpenBSD.
Altered the manylinux1 wheels to statically link OpenSSL instead of dynamically linking and bundling the shared object. This should resolve crashes seen when using uwsgi or other binaries that link against OpenSSL independently.
Fixed the stack level for the signer and verifier warnings.
BACKWARDS INCOMPATIBLE: Support for Python 3.3 has been dropped.
We now ship manylinux1 wheels linked against OpenSSL 1.1.0f. These wheels will be automatically used with most Linux distributions if you are running the latest pip.
Deprecated the use of signer on :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, and :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey` in favor of sign.
Deprecated the use of verifier on :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`, and :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` in favor of verify.
Added support for parsing :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp` objects from X.509 certificate extensions.
Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`.
Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`.
Added :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`, a "one shot" API for AES GCM encryption.
Added support for :doc:`/hazmat/primitives/asymmetric/x25519`.
Added support for serializing and deserializing Diffie-Hellman parameters with :func:`~cryptography.hazmat.primitives.serialization.load_pem_parameters`, :func:`~cryptography.hazmat.primitives.serialization.load_der_parameters`, and :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters.parameter_bytes` .
The extensions attribute on :class:`~cryptography.x509.Certificate`, :class:`~cryptography.x509.CertificateSigningRequest`, :class:`~cryptography.x509.CertificateRevocationList`, and :class:`~cryptography.x509.RevokedCertificate` now caches the computed Extensions object. There should be no performance change, just a performance improvement for programs accessing the extensions attribute multiple times.
BACKWARDS INCOMPATIBLE: Elliptic Curve signature verification no longer returns True on success. This brings it in line with the interface's documentation, and our intent. The correct way to use :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify` has always been to check whether or not :class:`~cryptography.exceptions.InvalidSignature` was raised.
BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.7 and 10.8.
BACKWARDS INCOMPATIBLE: The minimum supported PyPy version is now 5.3.
Python 3.3 support has been deprecated, and will be removed in the next cryptography release.
Add support for providing tag during :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` finalization via :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`.
Fixed an issue preventing cryptography from compiling against LibreSSL 2.5.x.
Added :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.key_size` and :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.key_size` as convenience methods for determining the bit size of a secret scalar for the curve.
Accessing an unrecognized extension marked critical on an X.509 object will no longer raise an UnsupportedExtension exception, instead an :class:`~cryptography.x509.UnrecognizedExtension` object will be returned. This behavior was based on a poor reading of the RFC, unknown critical extensions only need to be rejected on certificate verification.
The CommonCrypto backend has been removed.
MultiBackend has been removed.
Whirlpool and RIPEMD160 have been deprecated.
