Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 1 | Changelog |
| 2 | ========= |
| 3 | |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 4 | Versions are year-based with a strict backward-compatibility policy. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 5 | The third digit is only for regressions. |
| 6 | |
Paul Kehrer | daf6f00 | 2019-11-18 13:10:12 +0800 | [diff] [blame] | 7 | 20.0.0 (UNRELEASED) |
| 8 | ------------------- |
| 9 | |
| 10 | |
| 11 | Backward-incompatible changes: |
| 12 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 13 | |
Benjamin Peterson | 2dca7a7 | 2020-05-22 11:32:07 -0500 | [diff] [blame^] | 14 | - Remove deprecated ``OpenSSL.tsafe`` module. |
Alex Gaynor | 1ede584 | 2019-12-14 11:15:47 -0500 | [diff] [blame] | 15 | - Drop support for Python 3.4 |
Alex Gaynor | 77debda | 2020-04-07 13:40:59 -0400 | [diff] [blame] | 16 | - Drop support for OpenSSL 1.0.1 |
Paul Kehrer | daf6f00 | 2019-11-18 13:10:12 +0800 | [diff] [blame] | 17 | |
| 18 | Deprecations: |
| 19 | ^^^^^^^^^^^^^ |
| 20 | |
| 21 | *none* |
| 22 | |
| 23 | |
| 24 | Changes: |
| 25 | ^^^^^^^^ |
| 26 | |
| 27 | *none* |
| 28 | |
| 29 | |
Paul Kehrer | da402f4 | 2019-11-18 12:47:22 +0800 | [diff] [blame] | 30 | 19.1.0 (2019-11-18) |
Alex Gaynor | f0a59cd | 2019-01-21 14:53:36 -0500 | [diff] [blame] | 31 | ------------------- |
| 32 | |
| 33 | |
| 34 | Backward-incompatible changes: |
| 35 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 36 | |
Alex Gaynor | 01f90a1 | 2019-02-07 09:14:48 -0500 | [diff] [blame] | 37 | - Removed deprecated ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, and ``NetscapeSPKIType`` aliases. |
| 38 | Use the classes without the ``Type`` suffix instead. |
| 39 | `#814 <https://github.com/pyca/pyopenssl/pull/814>`_ |
Paul Kehrer | 8543286 | 2019-11-18 09:20:29 +0800 | [diff] [blame] | 40 | - The minimum ``cryptography`` version is now 2.8 due to issues on macOS with a transitive dependency. |
| 41 | `#875 <https://github.com/pyca/pyopenssl/pull/875>`_ |
Alex Gaynor | f0a59cd | 2019-01-21 14:53:36 -0500 | [diff] [blame] | 42 | |
| 43 | Deprecations: |
| 44 | ^^^^^^^^^^^^^ |
| 45 | |
Alex Gaynor | be2bd54 | 2019-02-21 21:41:22 -0500 | [diff] [blame] | 46 | - Deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``. |
| 47 | ALPN should be used instead. |
| 48 | `#820 <https://github.com/pyca/pyopenssl/pull/820>`_ |
Alex Gaynor | f0a59cd | 2019-01-21 14:53:36 -0500 | [diff] [blame] | 49 | |
| 50 | |
| 51 | Changes: |
| 52 | ^^^^^^^^ |
| 53 | |
Daniel Holth | 079c963 | 2019-11-17 22:45:52 -0500 | [diff] [blame] | 54 | - Support ``bytearray`` in ``SSL.Connection.send()`` by using cffi's from_buffer. |
| 55 | `#852 <https://github.com/pyca/pyopenssl/pull/852>`_ |
Mark Williams | 5d890a0 | 2019-11-17 19:56:26 -0800 | [diff] [blame] | 56 | - The ``OpenSSL.SSL.Context.set_alpn_select_callback`` can return a new ``NO_OVERLAPPING_PROTOCOLS`` sentinel value |
| 57 | to allow a TLS handshake to complete without an application protocol. |
Alex Gaynor | f0a59cd | 2019-01-21 14:53:36 -0500 | [diff] [blame] | 58 | |
| 59 | |
| 60 | ---- |
| 61 | |
Paul Kehrer | c9a71e1 | 2019-01-21 13:22:19 -0600 | [diff] [blame] | 62 | 19.0.0 (2019-01-21) |
Paul Kehrer | a40e861 | 2018-05-16 17:23:50 -0400 | [diff] [blame] | 63 | ------------------- |
| 64 | |
| 65 | |
| 66 | Backward-incompatible changes: |
| 67 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 68 | |
Paul Kehrer | 0e6c553 | 2018-08-23 10:52:15 -0500 | [diff] [blame] | 69 | - ``X509Store.add_cert`` no longer raises an error if you add a duplicate cert. |
| 70 | `#787 <https://github.com/pyca/pyopenssl/pull/787>`_ |
Paul Kehrer | a40e861 | 2018-05-16 17:23:50 -0400 | [diff] [blame] | 71 | |
| 72 | |
| 73 | Deprecations: |
| 74 | ^^^^^^^^^^^^^ |
| 75 | |
| 76 | *none* |
| 77 | |
| 78 | |
| 79 | Changes: |
| 80 | ^^^^^^^^ |
| 81 | |
Paul Kehrer | fd70632 | 2019-01-21 12:58:35 -0600 | [diff] [blame] | 82 | - pyOpenSSL now works with OpenSSL 1.1.1. |
| 83 | `#805 <https://github.com/pyca/pyopenssl/pull/805>`_ |
| 84 | - pyOpenSSL now handles NUL bytes in ``X509Name.get_components()`` |
| 85 | `#804 <https://github.com/pyca/pyopenssl/pull/804>`_ |
| 86 | |
Paul Kehrer | a40e861 | 2018-05-16 17:23:50 -0400 | [diff] [blame] | 87 | |
| 88 | |
| 89 | ---- |
| 90 | |
Paul Kehrer | 74de8a1 | 2018-05-16 15:12:28 -0400 | [diff] [blame] | 91 | 18.0.0 (2018-05-16) |
Paul Kehrer | 3d231f0 | 2017-12-01 20:31:06 +0800 | [diff] [blame] | 92 | ------------------- |
| 93 | |
| 94 | |
| 95 | Backward-incompatible changes: |
| 96 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 97 | |
Alex Gaynor | 4f9b706 | 2018-05-14 13:25:05 -0400 | [diff] [blame] | 98 | - The minimum ``cryptography`` version is now 2.2.1. |
| 99 | - Support for Python 2.6 has been dropped. |
Paul Kehrer | 3d231f0 | 2017-12-01 20:31:06 +0800 | [diff] [blame] | 100 | |
| 101 | |
| 102 | Deprecations: |
| 103 | ^^^^^^^^^^^^^ |
| 104 | |
| 105 | *none* |
| 106 | |
| 107 | |
| 108 | Changes: |
| 109 | ^^^^^^^^ |
| 110 | |
Jeremy Lainé | 460a19d | 2018-05-16 19:44:19 +0200 | [diff] [blame] | 111 | - Added ``Connection.get_certificate`` to retrieve the local certificate. |
| 112 | `#733 <https://github.com/pyca/pyopenssl/pull/733>`_ |
Paul Kehrer | 15c2935 | 2018-05-14 13:31:27 -0400 | [diff] [blame] | 113 | - ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by default. |
| 114 | `#753 <https://github.com/pyca/pyopenssl/pull/753>`_ |
Jeremy Lainé | 02261ad | 2018-05-16 18:33:25 +0200 | [diff] [blame] | 115 | - Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP keying material. |
| 116 | `#734 <https://github.com/pyca/pyopenssl/pull/734>`_ |
Paul Kehrer | 3d231f0 | 2017-12-01 20:31:06 +0800 | [diff] [blame] | 117 | |
| 118 | |
| 119 | ---- |
| 120 | |
Paul Kehrer | d21fcd8 | 2017-12-01 10:13:50 +0800 | [diff] [blame] | 121 | 17.5.0 (2017-11-30) |
Paul Kehrer | 57051a5 | 2017-11-22 11:40:12 +0800 | [diff] [blame] | 122 | ------------------- |
| 123 | |
| 124 | |
| 125 | Backward-incompatible changes: |
| 126 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 127 | |
Alex Gaynor | 4f9b706 | 2018-05-14 13:25:05 -0400 | [diff] [blame] | 128 | - The minimum ``cryptography`` version is now 2.1.4. |
Paul Kehrer | 57051a5 | 2017-11-22 11:40:12 +0800 | [diff] [blame] | 129 | |
| 130 | |
| 131 | Deprecations: |
| 132 | ^^^^^^^^^^^^^ |
| 133 | |
| 134 | *none* |
| 135 | |
| 136 | |
| 137 | Changes: |
| 138 | ^^^^^^^^ |
| 139 | |
Paul Kehrer | e738186 | 2017-11-30 20:55:25 +0800 | [diff] [blame] | 140 | - Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``. |
| 141 | `#723 <https://github.com/pyca/pyopenssl/pull/723>`_ |
Paul Kehrer | bdb7639 | 2017-12-01 04:54:32 +0800 | [diff] [blame] | 142 | - Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material. |
| 143 | `#725 <https://github.com/pyca/pyopenssl/pull/725>`_ |
Paul Kehrer | 57051a5 | 2017-11-22 11:40:12 +0800 | [diff] [blame] | 144 | |
| 145 | ---- |
| 146 | |
| 147 | |
| 148 | |
Paul Kehrer | 5a3fb40 | 2017-11-22 02:20:14 +0800 | [diff] [blame] | 149 | 17.4.0 (2017-11-21) |
Paul Kehrer | 1eac0e8 | 2017-09-14 11:28:15 +0800 | [diff] [blame] | 150 | ------------------- |
| 151 | |
| 152 | |
| 153 | Backward-incompatible changes: |
| 154 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 155 | |
| 156 | *none* |
| 157 | |
| 158 | |
| 159 | Deprecations: |
| 160 | ^^^^^^^^^^^^^ |
| 161 | |
| 162 | *none* |
| 163 | |
| 164 | |
| 165 | Changes: |
| 166 | ^^^^^^^^ |
| 167 | |
Paul Kehrer | 1eac0e8 | 2017-09-14 11:28:15 +0800 | [diff] [blame] | 168 | |
Paul Kehrer | acbd662 | 2017-11-20 22:25:18 +0800 | [diff] [blame] | 169 | - Re-added a subset of the ``OpenSSL.rand`` module. |
| 170 | This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. |
| 171 | `#708 <https://github.com/pyca/pyopenssl/pull/708>`_ |
Alex Gaynor | 4aa52c3 | 2017-11-20 09:04:08 -0500 | [diff] [blame] | 172 | - Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. |
| 173 | `#709 <https://github.com/pyca/pyopenssl/pull/709>`_ |
Paul Kehrer | 1eac0e8 | 2017-09-14 11:28:15 +0800 | [diff] [blame] | 174 | |
| 175 | ---- |
| 176 | |
Hynek Schlawack | 29add1d | 2016-10-16 11:20:04 +0200 | [diff] [blame] | 177 | |
Paul Kehrer | 9bd33dc | 2017-09-14 10:53:56 +0800 | [diff] [blame] | 178 | 17.3.0 (2017-09-14) |
Hynek Schlawack | a723ba2 | 2017-07-20 12:22:01 +0200 | [diff] [blame] | 179 | ------------------- |
| 180 | |
| 181 | |
| 182 | Backward-incompatible changes: |
| 183 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 184 | |
Alex Gaynor | 209de94 | 2017-07-25 09:08:05 -0400 | [diff] [blame] | 185 | - Dropped support for Python 3.3. |
| 186 | `#677 <https://github.com/pyca/pyopenssl/pull/677>`_ |
Alex Gaynor | 23c965e | 2017-07-25 10:33:17 -0400 | [diff] [blame] | 187 | - Removed the deprecated ``OpenSSL.rand`` module. |
| 188 | This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden. |
| 189 | ``os.urandom()`` should be used instead. |
| 190 | `#675 <https://github.com/pyca/pyopenssl/pull/675>`_ |
Hynek Schlawack | a723ba2 | 2017-07-20 12:22:01 +0200 | [diff] [blame] | 191 | |
| 192 | |
| 193 | Deprecations: |
| 194 | ^^^^^^^^^^^^^ |
| 195 | |
Alex Gaynor | a079213 | 2017-07-22 09:13:57 -0400 | [diff] [blame] | 196 | - Deprecated ``OpenSSL.tsafe``. |
| 197 | `#673 <https://github.com/pyca/pyopenssl/pull/673>`_ |
Hynek Schlawack | a723ba2 | 2017-07-20 12:22:01 +0200 | [diff] [blame] | 198 | |
| 199 | Changes: |
| 200 | ^^^^^^^^ |
| 201 | |
Paul Kehrer | 9bd33dc | 2017-09-14 10:53:56 +0800 | [diff] [blame] | 202 | - Fixed a memory leak in ``OpenSSL.crypto.CRL``. |
| 203 | `#690 <https://github.com/pyca/pyopenssl/pull/690>`_ |
| 204 | - Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``. |
| 205 | `#691 <https://github.com/pyca/pyopenssl/pull/691>`_ |
Hynek Schlawack | a723ba2 | 2017-07-20 12:22:01 +0200 | [diff] [blame] | 206 | |
| 207 | |
| 208 | ---- |
| 209 | |
| 210 | |
Hynek Schlawack | dd44662 | 2017-07-20 11:39:51 +0200 | [diff] [blame] | 211 | 17.2.0 (2017-07-20) |
Hynek Schlawack | a421276 | 2017-06-30 18:28:08 +0200 | [diff] [blame] | 212 | ------------------- |
| 213 | |
| 214 | |
| 215 | Backward-incompatible changes: |
| 216 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 217 | |
| 218 | *none* |
| 219 | |
| 220 | |
| 221 | Deprecations: |
| 222 | ^^^^^^^^^^^^^ |
| 223 | |
Alex Gaynor | 8a1de8d | 2017-07-06 22:40:07 -0400 | [diff] [blame] | 224 | - Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead. |
| 225 | `#658 <https://github.com/pyca/pyopenssl/pull/658>`_ |
Hynek Schlawack | a421276 | 2017-06-30 18:28:08 +0200 | [diff] [blame] | 226 | |
| 227 | |
| 228 | Changes: |
| 229 | ^^^^^^^^ |
| 230 | |
Hynek Schlawack | 8102128 | 2017-07-20 10:32:37 +0200 | [diff] [blame] | 231 | - Fixed a bug causing ``Context.set_default_verify_paths()`` to not work with cryptography ``manylinux1`` wheels on Python 3.x. |
Paul Kehrer | a92a1a7 | 2017-07-19 15:53:23 +0200 | [diff] [blame] | 232 | `#665 <https://github.com/pyca/pyopenssl/pull/665>`_ |
Paul Kehrer | 59d2625 | 2017-07-20 10:45:54 +0200 | [diff] [blame] | 233 | - Fixed a crash with (EC)DSA signatures in some cases. |
| 234 | `#670 <https://github.com/pyca/pyopenssl/pull/670>`_ |
Paul Kehrer | a92a1a7 | 2017-07-19 15:53:23 +0200 | [diff] [blame] | 235 | |
Hynek Schlawack | a421276 | 2017-06-30 18:28:08 +0200 | [diff] [blame] | 236 | |
| 237 | ---- |
| 238 | |
| 239 | |
Hynek Schlawack | a46d234 | 2017-06-30 17:33:08 +0200 | [diff] [blame] | 240 | 17.1.0 (2017-06-30) |
Hynek Schlawack | 7706e14 | 2017-04-20 14:54:05 +0200 | [diff] [blame] | 241 | ------------------- |
| 242 | |
| 243 | |
| 244 | Backward-incompatible changes: |
| 245 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 246 | |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 247 | - Removed the deprecated ``OpenSSL.rand.egd()`` function. |
Alex Gaynor | 3ed6273 | 2017-05-31 05:03:27 -0400 | [diff] [blame] | 248 | Applications should prefer ``os.urandom()`` for random number generation. |
| 249 | `#630 <https://github.com/pyca/pyopenssl/pull/630>`_ |
Alex Gaynor | 173e4ba | 2017-06-30 08:01:12 -0700 | [diff] [blame] | 250 | - Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``. |
| 251 | Callers must now always pass an explicit ``digest``. |
| 252 | `#652 <https://github.com/pyca/pyopenssl/pull/652>`_ |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 253 | - Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``, |
| 254 | ``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``, |
| 255 | and ``Revoked.set_lastUpdate()``. You must now pass times in the form |
Paul Kehrer | ce98ee6 | 2017-06-21 06:59:58 -1000 | [diff] [blame] | 256 | ``YYYYMMDDhhmmssZ``. ``YYYYMMDDhhmmss+hhmm`` and ``YYYYMMDDhhmmss-hhmm`` |
| 257 | will no longer work. `#612 <https://github.com/pyca/pyopenssl/pull/612>`_ |
Hynek Schlawack | 7706e14 | 2017-04-20 14:54:05 +0200 | [diff] [blame] | 258 | |
| 259 | |
| 260 | Deprecations: |
| 261 | ^^^^^^^^^^^^^ |
| 262 | |
Alex Gaynor | 10d3083 | 2017-06-29 15:31:39 -0700 | [diff] [blame] | 263 | |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 264 | - Deprecated the legacy "Type" aliases: ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ExtensionType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, ``NetscapeSPKIType``. |
| 265 | The names without the "Type"-suffix should be used instead. |
Hynek Schlawack | 7706e14 | 2017-04-20 14:54:05 +0200 | [diff] [blame] | 266 | |
| 267 | |
| 268 | Changes: |
| 269 | ^^^^^^^^ |
| 270 | |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 271 | - Added ``OpenSSL.crypto.X509.from_cryptography()`` and ``OpenSSL.crypto.X509.to_cryptography()`` for converting X.509 certificate to and from pyca/cryptography objects. |
| 272 | `#640 <https://github.com/pyca/pyopenssl/pull/640>`_ |
| 273 | - Added ``OpenSSL.crypto.X509Req.from_cryptography()``, ``OpenSSL.crypto.X509Req.to_cryptography()``, ``OpenSSL.crypto.CRL.from_cryptography()``, and ``OpenSSL.crypto.CRL.to_cryptography()`` for converting X.509 CSRs and CRLs to and from pyca/cryptography objects. |
| 274 | `#645 <https://github.com/pyca/pyopenssl/pull/645>`_ |
Hynek Schlawack | d52975c | 2017-05-13 17:44:27 +0200 | [diff] [blame] | 275 | - Added ``OpenSSL.debug`` that allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information using ``python -m OpenSSL.debug``. |
| 276 | `#620 <https://github.com/pyca/pyopenssl/pull/620>`_ |
Hynek Schlawack | a46d234 | 2017-06-30 17:33:08 +0200 | [diff] [blame] | 277 | - Added a fallback path to ``Context.set_default_verify_paths()`` to accommodate the upcoming release of ``cryptography`` ``manylinux1`` wheels. |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 278 | `#633 <https://github.com/pyca/pyopenssl/pull/633>`_ |
Hynek Schlawack | 7706e14 | 2017-04-20 14:54:05 +0200 | [diff] [blame] | 279 | |
| 280 | |
| 281 | ---- |
| 282 | |
| 283 | |
Hynek Schlawack | 7970508 | 2017-04-20 13:32:49 +0200 | [diff] [blame] | 284 | 17.0.0 (2017-04-20) |
Hynek Schlawack | 29add1d | 2016-10-16 11:20:04 +0200 | [diff] [blame] | 285 | ------------------- |
| 286 | |
| 287 | Backward-incompatible changes: |
| 288 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 289 | |
| 290 | *none* |
| 291 | |
| 292 | |
| 293 | Deprecations: |
| 294 | ^^^^^^^^^^^^^ |
| 295 | |
| 296 | *none* |
| 297 | |
| 298 | |
| 299 | Changes: |
| 300 | ^^^^^^^^ |
| 301 | |
Thomas Sileo | e15e60a | 2016-11-22 18:13:30 +0100 | [diff] [blame] | 302 | - Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains. |
| 303 | `#567 <https://github.com/pyca/pyopenssl/pull/567>`_ |
Cory Benfield | 496652a | 2017-01-24 11:42:56 +0000 | [diff] [blame] | 304 | - Added a collection of functions for working with OCSP stapling. |
| 305 | None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided. |
| 306 | Users will need to write their own code to handle OCSP assertions. |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 307 | We specifically added: ``Context.set_ocsp_server_callback()``, ``Context.set_ocsp_client_callback()``, and ``Connection.request_ocsp()``. |
Cory Benfield | 685483b | 2017-01-24 14:00:45 +0000 | [diff] [blame] | 308 | `#580 <https://github.com/pyca/pyopenssl/pull/580>`_ |
Cory Benfield | e62840e | 2016-11-28 12:17:08 +0000 | [diff] [blame] | 309 | - Changed the ``SSL`` module's memory allocation policy to avoid zeroing memory it allocates when unnecessary. |
| 310 | This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation. |
| 311 | For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements. |
| 312 | `#578 <https://github.com/pyca/pyopenssl/pull/578>`_ |
Paul Kehrer | 6c6bf86 | 2016-12-19 06:03:48 -0600 | [diff] [blame] | 313 | - Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``. |
| 314 | `#575 <https://github.com/pyca/pyopenssl/pull/575>`_ |
Greg Bowser | 36eb2de | 2017-01-24 11:38:55 -0500 | [diff] [blame] | 315 | - Fix empty exceptions from ``OpenSSL.crypto.load_privatekey()``. |
| 316 | `#581 <https://github.com/pyca/pyopenssl/pull/581>`_ |
Hynek Schlawack | 29add1d | 2016-10-16 11:20:04 +0200 | [diff] [blame] | 317 | |
| 318 | |
| 319 | ---- |
| 320 | |
| 321 | |
Hynek Schlawack | c3b38e5 | 2016-10-15 14:56:14 +0200 | [diff] [blame] | 322 | 16.2.0 (2016-10-15) |
Paul Kehrer | 8e99fef | 2016-08-26 19:36:46 +0800 | [diff] [blame] | 323 | ------------------- |
| 324 | |
| 325 | Backward-incompatible changes: |
| 326 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 327 | |
| 328 | *none* |
| 329 | |
| 330 | |
| 331 | Deprecations: |
| 332 | ^^^^^^^^^^^^^ |
| 333 | |
| 334 | *none* |
| 335 | |
| 336 | |
| 337 | Changes: |
| 338 | ^^^^^^^^ |
| 339 | |
Alex Gaynor | 0cc5637 | 2016-09-24 11:15:55 -0400 | [diff] [blame] | 340 | - Fixed compatibility errors with OpenSSL 1.1.0. |
Paul Kehrer | fe2a0a1 | 2016-10-06 12:00:54 +0200 | [diff] [blame] | 341 | - Fixed an issue that caused failures with subinterpreters and embedded Pythons. |
| 342 | `#552 <https://github.com/pyca/pyopenssl/pull/552>`_ |
Paul Kehrer | 8e99fef | 2016-08-26 19:36:46 +0800 | [diff] [blame] | 343 | |
Hynek Schlawack | c3b38e5 | 2016-10-15 14:56:14 +0200 | [diff] [blame] | 344 | |
Paul Kehrer | 8e99fef | 2016-08-26 19:36:46 +0800 | [diff] [blame] | 345 | ---- |
| 346 | |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 347 | |
Paul Kehrer | d0513ab | 2016-08-26 16:33:23 +0800 | [diff] [blame] | 348 | 16.1.0 (2016-08-26) |
Hynek Schlawack | 156f174 | 2016-03-19 12:37:12 +0100 | [diff] [blame] | 349 | ------------------- |
| 350 | |
| 351 | Backward-incompatible changes: |
| 352 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 353 | |
| 354 | *none* |
| 355 | |
| 356 | |
| 357 | Deprecations: |
| 358 | ^^^^^^^^^^^^^ |
| 359 | |
Alex Gaynor | 2a52285 | 2016-08-31 12:17:55 -0400 | [diff] [blame] | 360 | - Dropped support for OpenSSL 0.9.8. |
Hynek Schlawack | 156f174 | 2016-03-19 12:37:12 +0100 | [diff] [blame] | 361 | |
| 362 | |
| 363 | Changes: |
| 364 | ^^^^^^^^ |
| 365 | |
Hynek Schlawack | 11e43ad | 2016-07-03 14:40:20 +0200 | [diff] [blame] | 366 | - Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``. |
| 367 | `#496 <https://github.com/pyca/pyopenssl/pull/496>`_ |
Dan Sully | 44e767a | 2016-06-04 18:05:27 -0700 | [diff] [blame] | 368 | - Enable use of CRL (and more) in verify context. |
| 369 | `#483 <https://github.com/pyca/pyopenssl/pull/483>`_ |
Paul Kehrer | 72d968b | 2016-07-29 15:31:04 +0800 | [diff] [blame] | 370 | - ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such. |
| 371 | `#439 <https://github.com/pyca/pyopenssl/pull/439>`_ |
Paul Kehrer | d0513ab | 2016-08-26 16:33:23 +0800 | [diff] [blame] | 372 | - Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility. |
Hynek Schlawack | 156f174 | 2016-03-19 12:37:12 +0100 | [diff] [blame] | 373 | |
| 374 | |
| 375 | ---- |
| 376 | |
| 377 | |
Hynek Schlawack | b62041b | 2016-03-19 10:00:09 +0100 | [diff] [blame] | 378 | 16.0.0 (2016-03-19) |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 379 | ------------------- |
| 380 | |
| 381 | This is the first release under full stewardship of PyCA. |
| 382 | We have made *many* changes to make local development more pleasing. |
| 383 | The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2. |
Hynek Schlawack | f6c96af | 2017-04-20 12:34:58 +0200 | [diff] [blame] | 384 | It has been moved to `pytest <https://docs.pytest.org/>`_, all CI test runs are part of `tox <https://tox.readthedocs.io/>`_ and the source code has been made fully `flake8 <https://flake8.readthedocs.io/>`_ compliant. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 385 | |
Cory Benfield | 0820ac2 | 2015-10-28 17:39:28 +0900 | [diff] [blame] | 386 | We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 387 | |
| 388 | |
| 389 | Backward-incompatible changes: |
| 390 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 391 | |
| 392 | - Python 3.2 support has been dropped. |
| 393 | It never had significant real world usage and has been dropped by our main dependency ``cryptography``. |
| 394 | Affected users should upgrade to Python 3.3 or later. |
| 395 | |
| 396 | |
| 397 | Deprecations: |
| 398 | ^^^^^^^^^^^^^ |
| 399 | |
| 400 | - The support for EGD has been removed. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 401 | The only affected function ``OpenSSL.rand.egd()`` now uses ``os.urandom()`` to seed the internal PRNG instead. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 402 | Please see `pyca/cryptography#1636 <https://github.com/pyca/cryptography/pull/1636>`_ for more background information on this decision. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 403 | In accordance with our backward compatibility policy ``OpenSSL.rand.egd()`` will be *removed* no sooner than a year from the release of 16.0.0. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 404 | |
Hynek Schlawack | c3b38e5 | 2016-10-15 14:56:14 +0200 | [diff] [blame] | 405 | Please note that you should `use urandom <https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/>`_ for all your secure random number needs. |
Hynek Schlawack | 046d3f4 | 2016-03-13 08:33:04 +0100 | [diff] [blame] | 406 | - Python 2.6 support has been deprecated. |
| 407 | Our main dependency ``cryptography`` deprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it. |
| 408 | pyOpenSSL will drop Python 2.6 support once ``cryptography`` does. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 409 | |
| 410 | |
| 411 | Changes: |
| 412 | ^^^^^^^^ |
| 413 | |
Hynek Schlawack | b875d51 | 2016-03-16 13:56:33 +0100 | [diff] [blame] | 414 | - Fixed ``OpenSSL.SSL.Context.set_session_id``, ``OpenSSL.SSL.Connection.renegotiate``, ``OpenSSL.SSL.Connection.renegotiate_pending``, and ``OpenSSL.SSL.Context.load_client_ca``. |
Hynek Schlawack | b1f3ca8 | 2016-02-13 09:10:04 +0100 | [diff] [blame] | 415 | They were lacking an implementation since 0.14. |
Hynek Schlawack | b875d51 | 2016-03-16 13:56:33 +0100 | [diff] [blame] | 416 | `#422 <https://github.com/pyca/pyopenssl/pull/422>`_ |
Paul Kehrer | 8fc6ec0 | 2016-03-02 13:20:58 -0600 | [diff] [blame] | 417 | - Fixed segmentation fault when using keys larger than 4096-bit to sign data. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 418 | `#428 <https://github.com/pyca/pyopenssl/pull/428>`_ |
| 419 | - Fixed ``AttributeError`` when ``OpenSSL.SSL.Connection.get_app_data()`` was called before setting any app data. |
| 420 | `#304 <https://github.com/pyca/pyopenssl/pull/304>`_ |
| 421 | - Added ``OpenSSL.crypto.dump_publickey()`` to dump ``OpenSSL.crypto.PKey`` objects that represent public keys, and ``OpenSSL.crypto.load_publickey()`` to load such objects from serialized representations. |
| 422 | `#382 <https://github.com/pyca/pyopenssl/pull/382>`_ |
| 423 | - Added ``OpenSSL.crypto.dump_crl()`` to dump a certificate revocation list out to a string buffer. |
| 424 | `#368 <https://github.com/pyca/pyopenssl/pull/368>`_ |
Hynek Schlawack | ea94f2b | 2016-03-13 16:17:53 +0100 | [diff] [blame] | 425 | - Added ``OpenSSL.SSL.Connection.get_state_string()`` using the OpenSSL binding ``state_string_long``. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 426 | `#358 <https://github.com/pyca/pyopenssl/pull/358>`_ |
| 427 | - Added support for the ``socket.MSG_PEEK`` flag to ``OpenSSL.SSL.Connection.recv()`` and ``OpenSSL.SSL.Connection.recv_into()``. |
| 428 | `#294 <https://github.com/pyca/pyopenssl/pull/294>`_ |
| 429 | - Added ``OpenSSL.SSL.Connection.get_protocol_version()`` and ``OpenSSL.SSL.Connection.get_protocol_version_name()``. |
| 430 | `#244 <https://github.com/pyca/pyopenssl/pull/244>`_ |
| 431 | - Switched to ``utf8string`` mask by default. |
| 432 | OpenSSL formerly defaulted to a ``T61String`` if there were UTF-8 characters present. |
| 433 | This was changed to default to ``UTF8String`` in the config around 2005, but the actual code didn't change it until late last year. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 434 | This will default us to the setting that actually works. |
| 435 | To revert this you can call ``OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")``. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 436 | `#234 <https://github.com/pyca/pyopenssl/pull/234>`_ |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 437 | |
| 438 | |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 439 | ---- |
| 440 | |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 441 | |
| 442 | Older Changelog Entries |
| 443 | ----------------------- |
| 444 | |
Hynek Schlawack | 0cc6154 | 2016-01-19 14:09:32 +0100 | [diff] [blame] | 445 | The changes from before release 16.0.0 are preserved in the `repository <https://github.com/pyca/pyopenssl/blob/master/doc/ChangeLog_old.txt>`_. |