blob: 2dda0d2cefbf66c9f13caf8f2d461bb61f95a45f [file] [log] [blame]
Hynek Schlawack682443f2015-10-25 16:15:12 +01001Changelog
2=========
3
Hynek Schlawack65e4def2016-03-13 15:07:52 +01004Versions are year-based with a strict backward-compatibility policy.
Hynek Schlawack682443f2015-10-25 16:15:12 +01005The third digit is only for regressions.
6
Paul Kehrerc9a71e12019-01-21 13:22:19 -0600719.0.0 (2019-01-21)
Paul Kehrera40e8612018-05-16 17:23:50 -04008-------------------
9
10
11Backward-incompatible changes:
12^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
13
Paul Kehrer0e6c5532018-08-23 10:52:15 -050014- ``X509Store.add_cert`` no longer raises an error if you add a duplicate cert.
15 `#787 <https://github.com/pyca/pyopenssl/pull/787>`_
Paul Kehrera40e8612018-05-16 17:23:50 -040016
17
18Deprecations:
19^^^^^^^^^^^^^
20
21*none*
22
23
24Changes:
25^^^^^^^^
26
Paul Kehrerfd706322019-01-21 12:58:35 -060027- pyOpenSSL now works with OpenSSL 1.1.1.
28 `#805 <https://github.com/pyca/pyopenssl/pull/805>`_
29- pyOpenSSL now handles NUL bytes in ``X509Name.get_components()``
30 `#804 <https://github.com/pyca/pyopenssl/pull/804>`_
31
Paul Kehrera40e8612018-05-16 17:23:50 -040032
33
34----
35
Paul Kehrer74de8a12018-05-16 15:12:28 -04003618.0.0 (2018-05-16)
Paul Kehrer3d231f02017-12-01 20:31:06 +080037-------------------
38
39
40Backward-incompatible changes:
41^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
42
Alex Gaynor4f9b7062018-05-14 13:25:05 -040043- The minimum ``cryptography`` version is now 2.2.1.
44- Support for Python 2.6 has been dropped.
Paul Kehrer3d231f02017-12-01 20:31:06 +080045
46
47Deprecations:
48^^^^^^^^^^^^^
49
50*none*
51
52
53Changes:
54^^^^^^^^
55
Jeremy Lainé460a19d2018-05-16 19:44:19 +020056- Added ``Connection.get_certificate`` to retrieve the local certificate.
57 `#733 <https://github.com/pyca/pyopenssl/pull/733>`_
Paul Kehrer15c29352018-05-14 13:31:27 -040058- ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by default.
59 `#753 <https://github.com/pyca/pyopenssl/pull/753>`_
Jeremy Lainé02261ad2018-05-16 18:33:25 +020060- Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP keying material.
61 `#734 <https://github.com/pyca/pyopenssl/pull/734>`_
Paul Kehrer3d231f02017-12-01 20:31:06 +080062
63
64----
65
Paul Kehrerd21fcd82017-12-01 10:13:50 +08006617.5.0 (2017-11-30)
Paul Kehrer57051a52017-11-22 11:40:12 +080067-------------------
68
69
70Backward-incompatible changes:
71^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
72
Alex Gaynor4f9b7062018-05-14 13:25:05 -040073- The minimum ``cryptography`` version is now 2.1.4.
Paul Kehrer57051a52017-11-22 11:40:12 +080074
75
76Deprecations:
77^^^^^^^^^^^^^
78
79*none*
80
81
82Changes:
83^^^^^^^^
84
Paul Kehrere7381862017-11-30 20:55:25 +080085- Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``.
86 `#723 <https://github.com/pyca/pyopenssl/pull/723>`_
Paul Kehrerbdb76392017-12-01 04:54:32 +080087- Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material.
88 `#725 <https://github.com/pyca/pyopenssl/pull/725>`_
Paul Kehrer57051a52017-11-22 11:40:12 +080089
90----
91
92
93
Paul Kehrer5a3fb402017-11-22 02:20:14 +08009417.4.0 (2017-11-21)
Paul Kehrer1eac0e82017-09-14 11:28:15 +080095-------------------
96
97
98Backward-incompatible changes:
99^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
100
101*none*
102
103
104Deprecations:
105^^^^^^^^^^^^^
106
107*none*
108
109
110Changes:
111^^^^^^^^
112
Paul Kehrer1eac0e82017-09-14 11:28:15 +0800113
Paul Kehreracbd6622017-11-20 22:25:18 +0800114- Re-added a subset of the ``OpenSSL.rand`` module.
115 This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork.
116 `#708 <https://github.com/pyca/pyopenssl/pull/708>`_
Alex Gaynor4aa52c32017-11-20 09:04:08 -0500117- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated.
118 `#709 <https://github.com/pyca/pyopenssl/pull/709>`_
Paul Kehrer1eac0e82017-09-14 11:28:15 +0800119
120----
121
Hynek Schlawack29add1d2016-10-16 11:20:04 +0200122
Paul Kehrer9bd33dc2017-09-14 10:53:56 +080012317.3.0 (2017-09-14)
Hynek Schlawacka723ba22017-07-20 12:22:01 +0200124-------------------
125
126
127Backward-incompatible changes:
128^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
129
Alex Gaynor209de942017-07-25 09:08:05 -0400130- Dropped support for Python 3.3.
131 `#677 <https://github.com/pyca/pyopenssl/pull/677>`_
Alex Gaynor23c965e2017-07-25 10:33:17 -0400132- Removed the deprecated ``OpenSSL.rand`` module.
133 This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden.
134 ``os.urandom()`` should be used instead.
135 `#675 <https://github.com/pyca/pyopenssl/pull/675>`_
Hynek Schlawacka723ba22017-07-20 12:22:01 +0200136
137
138Deprecations:
139^^^^^^^^^^^^^
140
Alex Gaynora0792132017-07-22 09:13:57 -0400141- Deprecated ``OpenSSL.tsafe``.
142 `#673 <https://github.com/pyca/pyopenssl/pull/673>`_
Hynek Schlawacka723ba22017-07-20 12:22:01 +0200143
144Changes:
145^^^^^^^^
146
Paul Kehrer9bd33dc2017-09-14 10:53:56 +0800147- Fixed a memory leak in ``OpenSSL.crypto.CRL``.
148 `#690 <https://github.com/pyca/pyopenssl/pull/690>`_
149- Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``.
150 `#691 <https://github.com/pyca/pyopenssl/pull/691>`_
Hynek Schlawacka723ba22017-07-20 12:22:01 +0200151
152
153----
154
155
Hynek Schlawackdd446622017-07-20 11:39:51 +020015617.2.0 (2017-07-20)
Hynek Schlawacka4212762017-06-30 18:28:08 +0200157-------------------
158
159
160Backward-incompatible changes:
161^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
162
163*none*
164
165
166Deprecations:
167^^^^^^^^^^^^^
168
Alex Gaynor8a1de8d2017-07-06 22:40:07 -0400169- Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead.
170 `#658 <https://github.com/pyca/pyopenssl/pull/658>`_
Hynek Schlawacka4212762017-06-30 18:28:08 +0200171
172
173Changes:
174^^^^^^^^
175
Hynek Schlawack81021282017-07-20 10:32:37 +0200176- Fixed a bug causing ``Context.set_default_verify_paths()`` to not work with cryptography ``manylinux1`` wheels on Python 3.x.
Paul Kehrera92a1a72017-07-19 15:53:23 +0200177 `#665 <https://github.com/pyca/pyopenssl/pull/665>`_
Paul Kehrer59d26252017-07-20 10:45:54 +0200178- Fixed a crash with (EC)DSA signatures in some cases.
179 `#670 <https://github.com/pyca/pyopenssl/pull/670>`_
Paul Kehrera92a1a72017-07-19 15:53:23 +0200180
Hynek Schlawacka4212762017-06-30 18:28:08 +0200181
182----
183
184
Hynek Schlawacka46d2342017-06-30 17:33:08 +020018517.1.0 (2017-06-30)
Hynek Schlawack7706e142017-04-20 14:54:05 +0200186-------------------
187
188
189Backward-incompatible changes:
190^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
191
Hynek Schlawack941f9032017-06-30 16:20:00 +0200192- Removed the deprecated ``OpenSSL.rand.egd()`` function.
Alex Gaynor3ed62732017-05-31 05:03:27 -0400193 Applications should prefer ``os.urandom()`` for random number generation.
194 `#630 <https://github.com/pyca/pyopenssl/pull/630>`_
Alex Gaynor173e4ba2017-06-30 08:01:12 -0700195- Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``.
196 Callers must now always pass an explicit ``digest``.
197 `#652 <https://github.com/pyca/pyopenssl/pull/652>`_
Hynek Schlawack941f9032017-06-30 16:20:00 +0200198- Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``,
199 ``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``,
200 and ``Revoked.set_lastUpdate()``. You must now pass times in the form
Paul Kehrerce98ee62017-06-21 06:59:58 -1000201 ``YYYYMMDDhhmmssZ``. ``YYYYMMDDhhmmss+hhmm`` and ``YYYYMMDDhhmmss-hhmm``
202 will no longer work. `#612 <https://github.com/pyca/pyopenssl/pull/612>`_
Hynek Schlawack7706e142017-04-20 14:54:05 +0200203
204
205Deprecations:
206^^^^^^^^^^^^^
207
Alex Gaynor10d30832017-06-29 15:31:39 -0700208
Hynek Schlawack941f9032017-06-30 16:20:00 +0200209- Deprecated the legacy "Type" aliases: ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ExtensionType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, ``NetscapeSPKIType``.
210 The names without the "Type"-suffix should be used instead.
Hynek Schlawack7706e142017-04-20 14:54:05 +0200211
212
213Changes:
214^^^^^^^^
215
Hynek Schlawack941f9032017-06-30 16:20:00 +0200216- Added ``OpenSSL.crypto.X509.from_cryptography()`` and ``OpenSSL.crypto.X509.to_cryptography()`` for converting X.509 certificate to and from pyca/cryptography objects.
217 `#640 <https://github.com/pyca/pyopenssl/pull/640>`_
218- Added ``OpenSSL.crypto.X509Req.from_cryptography()``, ``OpenSSL.crypto.X509Req.to_cryptography()``, ``OpenSSL.crypto.CRL.from_cryptography()``, and ``OpenSSL.crypto.CRL.to_cryptography()`` for converting X.509 CSRs and CRLs to and from pyca/cryptography objects.
219 `#645 <https://github.com/pyca/pyopenssl/pull/645>`_
Hynek Schlawackd52975c2017-05-13 17:44:27 +0200220- Added ``OpenSSL.debug`` that allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information using ``python -m OpenSSL.debug``.
221 `#620 <https://github.com/pyca/pyopenssl/pull/620>`_
Hynek Schlawacka46d2342017-06-30 17:33:08 +0200222- Added a fallback path to ``Context.set_default_verify_paths()`` to accommodate the upcoming release of ``cryptography`` ``manylinux1`` wheels.
Hynek Schlawack941f9032017-06-30 16:20:00 +0200223 `#633 <https://github.com/pyca/pyopenssl/pull/633>`_
Hynek Schlawack7706e142017-04-20 14:54:05 +0200224
225
226----
227
228
Hynek Schlawack79705082017-04-20 13:32:49 +020022917.0.0 (2017-04-20)
Hynek Schlawack29add1d2016-10-16 11:20:04 +0200230-------------------
231
232Backward-incompatible changes:
233^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
234
235*none*
236
237
238Deprecations:
239^^^^^^^^^^^^^
240
241*none*
242
243
244Changes:
245^^^^^^^^
246
Thomas Sileoe15e60a2016-11-22 18:13:30 +0100247- Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains.
248 `#567 <https://github.com/pyca/pyopenssl/pull/567>`_
Cory Benfield496652a2017-01-24 11:42:56 +0000249- Added a collection of functions for working with OCSP stapling.
250 None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided.
251 Users will need to write their own code to handle OCSP assertions.
Hynek Schlawack941f9032017-06-30 16:20:00 +0200252 We specifically added: ``Context.set_ocsp_server_callback()``, ``Context.set_ocsp_client_callback()``, and ``Connection.request_ocsp()``.
Cory Benfield685483b2017-01-24 14:00:45 +0000253 `#580 <https://github.com/pyca/pyopenssl/pull/580>`_
Cory Benfielde62840e2016-11-28 12:17:08 +0000254- Changed the ``SSL`` module's memory allocation policy to avoid zeroing memory it allocates when unnecessary.
255 This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation.
256 For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements.
257 `#578 <https://github.com/pyca/pyopenssl/pull/578>`_
Paul Kehrer6c6bf862016-12-19 06:03:48 -0600258- Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``.
259 `#575 <https://github.com/pyca/pyopenssl/pull/575>`_
Greg Bowser36eb2de2017-01-24 11:38:55 -0500260- Fix empty exceptions from ``OpenSSL.crypto.load_privatekey()``.
261 `#581 <https://github.com/pyca/pyopenssl/pull/581>`_
Hynek Schlawack29add1d2016-10-16 11:20:04 +0200262
263
264----
265
266
Hynek Schlawackc3b38e52016-10-15 14:56:14 +020026716.2.0 (2016-10-15)
Paul Kehrer8e99fef2016-08-26 19:36:46 +0800268-------------------
269
270Backward-incompatible changes:
271^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
272
273*none*
274
275
276Deprecations:
277^^^^^^^^^^^^^
278
279*none*
280
281
282Changes:
283^^^^^^^^
284
Alex Gaynor0cc56372016-09-24 11:15:55 -0400285- Fixed compatibility errors with OpenSSL 1.1.0.
Paul Kehrerfe2a0a12016-10-06 12:00:54 +0200286- Fixed an issue that caused failures with subinterpreters and embedded Pythons.
287 `#552 <https://github.com/pyca/pyopenssl/pull/552>`_
Paul Kehrer8e99fef2016-08-26 19:36:46 +0800288
Hynek Schlawackc3b38e52016-10-15 14:56:14 +0200289
Paul Kehrer8e99fef2016-08-26 19:36:46 +0800290----
291
Hynek Schlawack682443f2015-10-25 16:15:12 +0100292
Paul Kehrerd0513ab2016-08-26 16:33:23 +080029316.1.0 (2016-08-26)
Hynek Schlawack156f1742016-03-19 12:37:12 +0100294-------------------
295
296Backward-incompatible changes:
297^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
298
299*none*
300
301
302Deprecations:
303^^^^^^^^^^^^^
304
Alex Gaynor2a522852016-08-31 12:17:55 -0400305- Dropped support for OpenSSL 0.9.8.
Hynek Schlawack156f1742016-03-19 12:37:12 +0100306
307
308Changes:
309^^^^^^^^
310
Hynek Schlawack11e43ad2016-07-03 14:40:20 +0200311- Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``.
312 `#496 <https://github.com/pyca/pyopenssl/pull/496>`_
Dan Sully44e767a2016-06-04 18:05:27 -0700313- Enable use of CRL (and more) in verify context.
314 `#483 <https://github.com/pyca/pyopenssl/pull/483>`_
Paul Kehrer72d968b2016-07-29 15:31:04 +0800315- ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such.
316 `#439 <https://github.com/pyca/pyopenssl/pull/439>`_
Paul Kehrerd0513ab2016-08-26 16:33:23 +0800317- Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.
Hynek Schlawack156f1742016-03-19 12:37:12 +0100318
319
320----
321
322
Hynek Schlawackb62041b2016-03-19 10:00:09 +010032316.0.0 (2016-03-19)
Hynek Schlawack682443f2015-10-25 16:15:12 +0100324-------------------
325
326This is the first release under full stewardship of PyCA.
327We have made *many* changes to make local development more pleasing.
328The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2.
Hynek Schlawackf6c96af2017-04-20 12:34:58 +0200329It has been moved to `pytest <https://docs.pytest.org/>`_, all CI test runs are part of `tox <https://tox.readthedocs.io/>`_ and the source code has been made fully `flake8 <https://flake8.readthedocs.io/>`_ compliant.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100330
Cory Benfield0820ac22015-10-28 17:39:28 +0900331We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100332
333
334Backward-incompatible changes:
335^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
336
337- Python 3.2 support has been dropped.
338 It never had significant real world usage and has been dropped by our main dependency ``cryptography``.
339 Affected users should upgrade to Python 3.3 or later.
340
341
342Deprecations:
343^^^^^^^^^^^^^
344
345- The support for EGD has been removed.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100346 The only affected function ``OpenSSL.rand.egd()`` now uses ``os.urandom()`` to seed the internal PRNG instead.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100347 Please see `pyca/cryptography#1636 <https://github.com/pyca/cryptography/pull/1636>`_ for more background information on this decision.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100348 In accordance with our backward compatibility policy ``OpenSSL.rand.egd()`` will be *removed* no sooner than a year from the release of 16.0.0.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100349
Hynek Schlawackc3b38e52016-10-15 14:56:14 +0200350 Please note that you should `use urandom <https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/>`_ for all your secure random number needs.
Hynek Schlawack046d3f42016-03-13 08:33:04 +0100351- Python 2.6 support has been deprecated.
352 Our main dependency ``cryptography`` deprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it.
353 pyOpenSSL will drop Python 2.6 support once ``cryptography`` does.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100354
355
356Changes:
357^^^^^^^^
358
Hynek Schlawackb875d512016-03-16 13:56:33 +0100359- Fixed ``OpenSSL.SSL.Context.set_session_id``, ``OpenSSL.SSL.Connection.renegotiate``, ``OpenSSL.SSL.Connection.renegotiate_pending``, and ``OpenSSL.SSL.Context.load_client_ca``.
Hynek Schlawackb1f3ca82016-02-13 09:10:04 +0100360 They were lacking an implementation since 0.14.
Hynek Schlawackb875d512016-03-16 13:56:33 +0100361 `#422 <https://github.com/pyca/pyopenssl/pull/422>`_
Paul Kehrer8fc6ec02016-03-02 13:20:58 -0600362- Fixed segmentation fault when using keys larger than 4096-bit to sign data.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100363 `#428 <https://github.com/pyca/pyopenssl/pull/428>`_
364- Fixed ``AttributeError`` when ``OpenSSL.SSL.Connection.get_app_data()`` was called before setting any app data.
365 `#304 <https://github.com/pyca/pyopenssl/pull/304>`_
366- Added ``OpenSSL.crypto.dump_publickey()`` to dump ``OpenSSL.crypto.PKey`` objects that represent public keys, and ``OpenSSL.crypto.load_publickey()`` to load such objects from serialized representations.
367 `#382 <https://github.com/pyca/pyopenssl/pull/382>`_
368- Added ``OpenSSL.crypto.dump_crl()`` to dump a certificate revocation list out to a string buffer.
369 `#368 <https://github.com/pyca/pyopenssl/pull/368>`_
Hynek Schlawackea94f2b2016-03-13 16:17:53 +0100370- Added ``OpenSSL.SSL.Connection.get_state_string()`` using the OpenSSL binding ``state_string_long``.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100371 `#358 <https://github.com/pyca/pyopenssl/pull/358>`_
372- Added support for the ``socket.MSG_PEEK`` flag to ``OpenSSL.SSL.Connection.recv()`` and ``OpenSSL.SSL.Connection.recv_into()``.
373 `#294 <https://github.com/pyca/pyopenssl/pull/294>`_
374- Added ``OpenSSL.SSL.Connection.get_protocol_version()`` and ``OpenSSL.SSL.Connection.get_protocol_version_name()``.
375 `#244 <https://github.com/pyca/pyopenssl/pull/244>`_
376- Switched to ``utf8string`` mask by default.
377 OpenSSL formerly defaulted to a ``T61String`` if there were UTF-8 characters present.
378 This was changed to default to ``UTF8String`` in the config around 2005, but the actual code didn't change it until late last year.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100379 This will default us to the setting that actually works.
380 To revert this you can call ``OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")``.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100381 `#234 <https://github.com/pyca/pyopenssl/pull/234>`_
Hynek Schlawack682443f2015-10-25 16:15:12 +0100382
383
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100384----
385
Hynek Schlawack682443f2015-10-25 16:15:12 +0100386
387Older Changelog Entries
388-----------------------
389
Hynek Schlawack0cc61542016-01-19 14:09:32 +0100390The changes from before release 16.0.0 are preserved in the `repository <https://github.com/pyca/pyopenssl/blob/master/doc/ChangeLog_old.txt>`_.