Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 1 | Changelog |
| 2 | ========= |
| 3 | |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 4 | Versions are year-based with a strict backward-compatibility policy. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 5 | The third digit is only for regressions. |
| 6 | |
Alex Gaynor | 4211b90 | 2020-12-15 10:30:35 -0500 | [diff] [blame] | 7 | 20.0.1 (2020-12-15) |
Paul Kehrer | 1eb6766 | 2020-11-27 16:28:02 -0600 | [diff] [blame] | 8 | ------------------- |
| 9 | |
| 10 | Backward-incompatible changes: |
| 11 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 12 | |
| 13 | Deprecations: |
| 14 | ^^^^^^^^^^^^^ |
| 15 | |
| 16 | Changes: |
| 17 | ^^^^^^^^ |
| 18 | |
Alex Gaynor | 4211b90 | 2020-12-15 10:30:35 -0500 | [diff] [blame] | 19 | - Fixed compatibility with OpenSSL 1.1.0. |
| 20 | |
Paul Kehrer | de2dbf7 | 2020-11-27 15:47:04 -0600 | [diff] [blame] | 21 | 20.0.0 (2020-11-27) |
Paul Kehrer | daf6f00 | 2019-11-18 13:10:12 +0800 | [diff] [blame] | 22 | ------------------- |
| 23 | |
| 24 | |
| 25 | Backward-incompatible changes: |
| 26 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 27 | |
Alex Gaynor | 124a013 | 2020-10-27 00:15:17 -0400 | [diff] [blame] | 28 | - The minimum ``cryptography`` version is now 3.2. |
Benjamin Peterson | 2dca7a7 | 2020-05-22 11:32:07 -0500 | [diff] [blame] | 29 | - Remove deprecated ``OpenSSL.tsafe`` module. |
Paul Kehrer | 9a80576 | 2020-08-03 22:47:37 -0500 | [diff] [blame] | 30 | - Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``. |
Alex Gaynor | 1ede584 | 2019-12-14 11:15:47 -0500 | [diff] [blame] | 31 | - Drop support for Python 3.4 |
Alex Gaynor | 124a013 | 2020-10-27 00:15:17 -0400 | [diff] [blame] | 32 | - Drop support for OpenSSL 1.0.1 and 1.0.2 |
Paul Kehrer | daf6f00 | 2019-11-18 13:10:12 +0800 | [diff] [blame] | 33 | |
| 34 | Deprecations: |
| 35 | ^^^^^^^^^^^^^ |
| 36 | |
Alex Gaynor | bb971ae | 2020-08-05 01:14:16 -0400 | [diff] [blame] | 37 | - Deprecated ``OpenSSL.crypto.loads_pkcs7`` and ``OpenSSL.crypto.loads_pkcs12``. |
| 38 | |
Paul Kehrer | daf6f00 | 2019-11-18 13:10:12 +0800 | [diff] [blame] | 39 | Changes: |
| 40 | ^^^^^^^^ |
| 41 | |
Sándor Oroszi | 83ef230 | 2020-10-12 15:42:23 +0200 | [diff] [blame] | 42 | - Added a new optional ``chain`` parameter to ``OpenSSL.crypto.X509StoreContext()`` |
| 43 | where additional untrusted certificates can be specified to help chain building. |
| 44 | `#948 <https://github.com/pyca/pyopenssl/pull/948>`_ |
Sándor Oroszi | 43c9776 | 2020-09-11 17:17:31 +0200 | [diff] [blame] | 45 | - Added ``OpenSSL.crypto.X509Store.load_locations`` to set trusted |
| 46 | certificate file bundles and/or directories for verification. |
| 47 | `#943 <https://github.com/pyca/pyopenssl/pull/943>`_ |
Maximilian Hils | b2bca41 | 2020-07-28 16:31:22 +0200 | [diff] [blame] | 48 | - Added ``Context.set_keylog_callback`` to log key material. |
| 49 | `#910 <https://github.com/pyca/pyopenssl/pull/910>`_ |
Shane Harvey | 33c5499 | 2020-08-05 16:48:51 -0700 | [diff] [blame] | 50 | - Added ``OpenSSL.SSL.Connection.get_verified_chain`` to retrieve the |
| 51 | verified certificate chain of the peer. |
| 52 | `#894 <https://github.com/pyca/pyopenssl/pull/894>`_. |
Maximilian Hils | 79b9c79 | 2020-08-08 03:08:17 +0200 | [diff] [blame] | 53 | - Make verification callback optional in ``Context.set_verify``. |
| 54 | If omitted, OpenSSL's default verification is used. |
| 55 | `#933 <https://github.com/pyca/pyopenssl/pull/933>`_ |
Huw Jones | cdd6696 | 2020-10-13 05:14:19 +0100 | [diff] [blame] | 56 | - Fixed a bug that could truncate or cause a zero-length key error due to a |
| 57 | null byte in private key passphrase in ``OpenSSL.crypto.load_privatekey`` |
| 58 | and ``OpenSSL.crypto.dump_privatekey``. |
| 59 | `#947 <https://github.com/pyca/pyopenssl/pull/947>`_ |
Paul Kehrer | daf6f00 | 2019-11-18 13:10:12 +0800 | [diff] [blame] | 60 | |
Paul Kehrer | da402f4 | 2019-11-18 12:47:22 +0800 | [diff] [blame] | 61 | 19.1.0 (2019-11-18) |
Alex Gaynor | f0a59cd | 2019-01-21 14:53:36 -0500 | [diff] [blame] | 62 | ------------------- |
| 63 | |
| 64 | |
| 65 | Backward-incompatible changes: |
| 66 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 67 | |
Alex Gaynor | 01f90a1 | 2019-02-07 09:14:48 -0500 | [diff] [blame] | 68 | - Removed deprecated ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, and ``NetscapeSPKIType`` aliases. |
| 69 | Use the classes without the ``Type`` suffix instead. |
| 70 | `#814 <https://github.com/pyca/pyopenssl/pull/814>`_ |
Paul Kehrer | 8543286 | 2019-11-18 09:20:29 +0800 | [diff] [blame] | 71 | - The minimum ``cryptography`` version is now 2.8 due to issues on macOS with a transitive dependency. |
| 72 | `#875 <https://github.com/pyca/pyopenssl/pull/875>`_ |
Alex Gaynor | f0a59cd | 2019-01-21 14:53:36 -0500 | [diff] [blame] | 73 | |
| 74 | Deprecations: |
| 75 | ^^^^^^^^^^^^^ |
| 76 | |
Alex Gaynor | be2bd54 | 2019-02-21 21:41:22 -0500 | [diff] [blame] | 77 | - Deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``. |
| 78 | ALPN should be used instead. |
| 79 | `#820 <https://github.com/pyca/pyopenssl/pull/820>`_ |
Alex Gaynor | f0a59cd | 2019-01-21 14:53:36 -0500 | [diff] [blame] | 80 | |
| 81 | |
| 82 | Changes: |
| 83 | ^^^^^^^^ |
| 84 | |
Daniel Holth | 079c963 | 2019-11-17 22:45:52 -0500 | [diff] [blame] | 85 | - Support ``bytearray`` in ``SSL.Connection.send()`` by using cffi's from_buffer. |
| 86 | `#852 <https://github.com/pyca/pyopenssl/pull/852>`_ |
Mark Williams | 5d890a0 | 2019-11-17 19:56:26 -0800 | [diff] [blame] | 87 | - The ``OpenSSL.SSL.Context.set_alpn_select_callback`` can return a new ``NO_OVERLAPPING_PROTOCOLS`` sentinel value |
| 88 | to allow a TLS handshake to complete without an application protocol. |
Alex Gaynor | f0a59cd | 2019-01-21 14:53:36 -0500 | [diff] [blame] | 89 | |
| 90 | |
| 91 | ---- |
| 92 | |
Paul Kehrer | c9a71e1 | 2019-01-21 13:22:19 -0600 | [diff] [blame] | 93 | 19.0.0 (2019-01-21) |
Paul Kehrer | a40e861 | 2018-05-16 17:23:50 -0400 | [diff] [blame] | 94 | ------------------- |
| 95 | |
| 96 | |
| 97 | Backward-incompatible changes: |
| 98 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 99 | |
Paul Kehrer | 0e6c553 | 2018-08-23 10:52:15 -0500 | [diff] [blame] | 100 | - ``X509Store.add_cert`` no longer raises an error if you add a duplicate cert. |
| 101 | `#787 <https://github.com/pyca/pyopenssl/pull/787>`_ |
Paul Kehrer | a40e861 | 2018-05-16 17:23:50 -0400 | [diff] [blame] | 102 | |
| 103 | |
| 104 | Deprecations: |
| 105 | ^^^^^^^^^^^^^ |
| 106 | |
| 107 | *none* |
| 108 | |
| 109 | |
| 110 | Changes: |
| 111 | ^^^^^^^^ |
| 112 | |
Paul Kehrer | fd70632 | 2019-01-21 12:58:35 -0600 | [diff] [blame] | 113 | - pyOpenSSL now works with OpenSSL 1.1.1. |
| 114 | `#805 <https://github.com/pyca/pyopenssl/pull/805>`_ |
| 115 | - pyOpenSSL now handles NUL bytes in ``X509Name.get_components()`` |
| 116 | `#804 <https://github.com/pyca/pyopenssl/pull/804>`_ |
| 117 | |
Paul Kehrer | a40e861 | 2018-05-16 17:23:50 -0400 | [diff] [blame] | 118 | |
| 119 | |
| 120 | ---- |
| 121 | |
Paul Kehrer | 74de8a1 | 2018-05-16 15:12:28 -0400 | [diff] [blame] | 122 | 18.0.0 (2018-05-16) |
Paul Kehrer | 3d231f0 | 2017-12-01 20:31:06 +0800 | [diff] [blame] | 123 | ------------------- |
| 124 | |
| 125 | |
| 126 | Backward-incompatible changes: |
| 127 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 128 | |
Alex Gaynor | 4f9b706 | 2018-05-14 13:25:05 -0400 | [diff] [blame] | 129 | - The minimum ``cryptography`` version is now 2.2.1. |
| 130 | - Support for Python 2.6 has been dropped. |
Paul Kehrer | 3d231f0 | 2017-12-01 20:31:06 +0800 | [diff] [blame] | 131 | |
| 132 | |
| 133 | Deprecations: |
| 134 | ^^^^^^^^^^^^^ |
| 135 | |
| 136 | *none* |
| 137 | |
| 138 | |
| 139 | Changes: |
| 140 | ^^^^^^^^ |
| 141 | |
Jeremy Lainé | 460a19d | 2018-05-16 19:44:19 +0200 | [diff] [blame] | 142 | - Added ``Connection.get_certificate`` to retrieve the local certificate. |
| 143 | `#733 <https://github.com/pyca/pyopenssl/pull/733>`_ |
Paul Kehrer | 15c2935 | 2018-05-14 13:31:27 -0400 | [diff] [blame] | 144 | - ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by default. |
| 145 | `#753 <https://github.com/pyca/pyopenssl/pull/753>`_ |
Jeremy Lainé | 02261ad | 2018-05-16 18:33:25 +0200 | [diff] [blame] | 146 | - Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP keying material. |
| 147 | `#734 <https://github.com/pyca/pyopenssl/pull/734>`_ |
Paul Kehrer | 3d231f0 | 2017-12-01 20:31:06 +0800 | [diff] [blame] | 148 | |
| 149 | |
| 150 | ---- |
| 151 | |
Paul Kehrer | d21fcd8 | 2017-12-01 10:13:50 +0800 | [diff] [blame] | 152 | 17.5.0 (2017-11-30) |
Paul Kehrer | 57051a5 | 2017-11-22 11:40:12 +0800 | [diff] [blame] | 153 | ------------------- |
| 154 | |
| 155 | |
| 156 | Backward-incompatible changes: |
| 157 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 158 | |
Alex Gaynor | 4f9b706 | 2018-05-14 13:25:05 -0400 | [diff] [blame] | 159 | - The minimum ``cryptography`` version is now 2.1.4. |
Paul Kehrer | 57051a5 | 2017-11-22 11:40:12 +0800 | [diff] [blame] | 160 | |
| 161 | |
| 162 | Deprecations: |
| 163 | ^^^^^^^^^^^^^ |
| 164 | |
| 165 | *none* |
| 166 | |
| 167 | |
| 168 | Changes: |
| 169 | ^^^^^^^^ |
| 170 | |
Paul Kehrer | e738186 | 2017-11-30 20:55:25 +0800 | [diff] [blame] | 171 | - Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``. |
| 172 | `#723 <https://github.com/pyca/pyopenssl/pull/723>`_ |
Paul Kehrer | bdb7639 | 2017-12-01 04:54:32 +0800 | [diff] [blame] | 173 | - Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material. |
| 174 | `#725 <https://github.com/pyca/pyopenssl/pull/725>`_ |
Paul Kehrer | 57051a5 | 2017-11-22 11:40:12 +0800 | [diff] [blame] | 175 | |
| 176 | ---- |
| 177 | |
| 178 | |
| 179 | |
Paul Kehrer | 5a3fb40 | 2017-11-22 02:20:14 +0800 | [diff] [blame] | 180 | 17.4.0 (2017-11-21) |
Paul Kehrer | 1eac0e8 | 2017-09-14 11:28:15 +0800 | [diff] [blame] | 181 | ------------------- |
| 182 | |
| 183 | |
| 184 | Backward-incompatible changes: |
| 185 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 186 | |
| 187 | *none* |
| 188 | |
| 189 | |
| 190 | Deprecations: |
| 191 | ^^^^^^^^^^^^^ |
| 192 | |
| 193 | *none* |
| 194 | |
| 195 | |
| 196 | Changes: |
| 197 | ^^^^^^^^ |
| 198 | |
Paul Kehrer | 1eac0e8 | 2017-09-14 11:28:15 +0800 | [diff] [blame] | 199 | |
Paul Kehrer | acbd662 | 2017-11-20 22:25:18 +0800 | [diff] [blame] | 200 | - Re-added a subset of the ``OpenSSL.rand`` module. |
| 201 | This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. |
| 202 | `#708 <https://github.com/pyca/pyopenssl/pull/708>`_ |
Alex Gaynor | 4aa52c3 | 2017-11-20 09:04:08 -0500 | [diff] [blame] | 203 | - Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. |
| 204 | `#709 <https://github.com/pyca/pyopenssl/pull/709>`_ |
Paul Kehrer | 1eac0e8 | 2017-09-14 11:28:15 +0800 | [diff] [blame] | 205 | |
| 206 | ---- |
| 207 | |
Hynek Schlawack | 29add1d | 2016-10-16 11:20:04 +0200 | [diff] [blame] | 208 | |
Paul Kehrer | 9bd33dc | 2017-09-14 10:53:56 +0800 | [diff] [blame] | 209 | 17.3.0 (2017-09-14) |
Hynek Schlawack | a723ba2 | 2017-07-20 12:22:01 +0200 | [diff] [blame] | 210 | ------------------- |
| 211 | |
| 212 | |
| 213 | Backward-incompatible changes: |
| 214 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 215 | |
Alex Gaynor | 209de94 | 2017-07-25 09:08:05 -0400 | [diff] [blame] | 216 | - Dropped support for Python 3.3. |
| 217 | `#677 <https://github.com/pyca/pyopenssl/pull/677>`_ |
Alex Gaynor | 23c965e | 2017-07-25 10:33:17 -0400 | [diff] [blame] | 218 | - Removed the deprecated ``OpenSSL.rand`` module. |
| 219 | This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden. |
| 220 | ``os.urandom()`` should be used instead. |
| 221 | `#675 <https://github.com/pyca/pyopenssl/pull/675>`_ |
Hynek Schlawack | a723ba2 | 2017-07-20 12:22:01 +0200 | [diff] [blame] | 222 | |
| 223 | |
| 224 | Deprecations: |
| 225 | ^^^^^^^^^^^^^ |
| 226 | |
Alex Gaynor | a079213 | 2017-07-22 09:13:57 -0400 | [diff] [blame] | 227 | - Deprecated ``OpenSSL.tsafe``. |
| 228 | `#673 <https://github.com/pyca/pyopenssl/pull/673>`_ |
Hynek Schlawack | a723ba2 | 2017-07-20 12:22:01 +0200 | [diff] [blame] | 229 | |
| 230 | Changes: |
| 231 | ^^^^^^^^ |
| 232 | |
Paul Kehrer | 9bd33dc | 2017-09-14 10:53:56 +0800 | [diff] [blame] | 233 | - Fixed a memory leak in ``OpenSSL.crypto.CRL``. |
| 234 | `#690 <https://github.com/pyca/pyopenssl/pull/690>`_ |
| 235 | - Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``. |
| 236 | `#691 <https://github.com/pyca/pyopenssl/pull/691>`_ |
Hynek Schlawack | a723ba2 | 2017-07-20 12:22:01 +0200 | [diff] [blame] | 237 | |
| 238 | |
| 239 | ---- |
| 240 | |
| 241 | |
Hynek Schlawack | dd44662 | 2017-07-20 11:39:51 +0200 | [diff] [blame] | 242 | 17.2.0 (2017-07-20) |
Hynek Schlawack | a421276 | 2017-06-30 18:28:08 +0200 | [diff] [blame] | 243 | ------------------- |
| 244 | |
| 245 | |
| 246 | Backward-incompatible changes: |
| 247 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 248 | |
| 249 | *none* |
| 250 | |
| 251 | |
| 252 | Deprecations: |
| 253 | ^^^^^^^^^^^^^ |
| 254 | |
Alex Gaynor | 8a1de8d | 2017-07-06 22:40:07 -0400 | [diff] [blame] | 255 | - Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead. |
| 256 | `#658 <https://github.com/pyca/pyopenssl/pull/658>`_ |
Hynek Schlawack | a421276 | 2017-06-30 18:28:08 +0200 | [diff] [blame] | 257 | |
| 258 | |
| 259 | Changes: |
| 260 | ^^^^^^^^ |
| 261 | |
Hynek Schlawack | 8102128 | 2017-07-20 10:32:37 +0200 | [diff] [blame] | 262 | - Fixed a bug causing ``Context.set_default_verify_paths()`` to not work with cryptography ``manylinux1`` wheels on Python 3.x. |
Paul Kehrer | a92a1a7 | 2017-07-19 15:53:23 +0200 | [diff] [blame] | 263 | `#665 <https://github.com/pyca/pyopenssl/pull/665>`_ |
Paul Kehrer | 59d2625 | 2017-07-20 10:45:54 +0200 | [diff] [blame] | 264 | - Fixed a crash with (EC)DSA signatures in some cases. |
| 265 | `#670 <https://github.com/pyca/pyopenssl/pull/670>`_ |
Paul Kehrer | a92a1a7 | 2017-07-19 15:53:23 +0200 | [diff] [blame] | 266 | |
Hynek Schlawack | a421276 | 2017-06-30 18:28:08 +0200 | [diff] [blame] | 267 | |
| 268 | ---- |
| 269 | |
| 270 | |
Hynek Schlawack | a46d234 | 2017-06-30 17:33:08 +0200 | [diff] [blame] | 271 | 17.1.0 (2017-06-30) |
Hynek Schlawack | 7706e14 | 2017-04-20 14:54:05 +0200 | [diff] [blame] | 272 | ------------------- |
| 273 | |
| 274 | |
| 275 | Backward-incompatible changes: |
| 276 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 277 | |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 278 | - Removed the deprecated ``OpenSSL.rand.egd()`` function. |
Alex Gaynor | 3ed6273 | 2017-05-31 05:03:27 -0400 | [diff] [blame] | 279 | Applications should prefer ``os.urandom()`` for random number generation. |
| 280 | `#630 <https://github.com/pyca/pyopenssl/pull/630>`_ |
Alex Gaynor | 173e4ba | 2017-06-30 08:01:12 -0700 | [diff] [blame] | 281 | - Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``. |
| 282 | Callers must now always pass an explicit ``digest``. |
| 283 | `#652 <https://github.com/pyca/pyopenssl/pull/652>`_ |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 284 | - Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``, |
| 285 | ``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``, |
| 286 | and ``Revoked.set_lastUpdate()``. You must now pass times in the form |
Paul Kehrer | ce98ee6 | 2017-06-21 06:59:58 -1000 | [diff] [blame] | 287 | ``YYYYMMDDhhmmssZ``. ``YYYYMMDDhhmmss+hhmm`` and ``YYYYMMDDhhmmss-hhmm`` |
| 288 | will no longer work. `#612 <https://github.com/pyca/pyopenssl/pull/612>`_ |
Hynek Schlawack | 7706e14 | 2017-04-20 14:54:05 +0200 | [diff] [blame] | 289 | |
| 290 | |
| 291 | Deprecations: |
| 292 | ^^^^^^^^^^^^^ |
| 293 | |
Alex Gaynor | 10d3083 | 2017-06-29 15:31:39 -0700 | [diff] [blame] | 294 | |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 295 | - Deprecated the legacy "Type" aliases: ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ExtensionType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, ``NetscapeSPKIType``. |
| 296 | The names without the "Type"-suffix should be used instead. |
Hynek Schlawack | 7706e14 | 2017-04-20 14:54:05 +0200 | [diff] [blame] | 297 | |
| 298 | |
| 299 | Changes: |
| 300 | ^^^^^^^^ |
| 301 | |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 302 | - Added ``OpenSSL.crypto.X509.from_cryptography()`` and ``OpenSSL.crypto.X509.to_cryptography()`` for converting X.509 certificate to and from pyca/cryptography objects. |
| 303 | `#640 <https://github.com/pyca/pyopenssl/pull/640>`_ |
| 304 | - Added ``OpenSSL.crypto.X509Req.from_cryptography()``, ``OpenSSL.crypto.X509Req.to_cryptography()``, ``OpenSSL.crypto.CRL.from_cryptography()``, and ``OpenSSL.crypto.CRL.to_cryptography()`` for converting X.509 CSRs and CRLs to and from pyca/cryptography objects. |
| 305 | `#645 <https://github.com/pyca/pyopenssl/pull/645>`_ |
Hynek Schlawack | d52975c | 2017-05-13 17:44:27 +0200 | [diff] [blame] | 306 | - Added ``OpenSSL.debug`` that allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information using ``python -m OpenSSL.debug``. |
| 307 | `#620 <https://github.com/pyca/pyopenssl/pull/620>`_ |
Hynek Schlawack | a46d234 | 2017-06-30 17:33:08 +0200 | [diff] [blame] | 308 | - Added a fallback path to ``Context.set_default_verify_paths()`` to accommodate the upcoming release of ``cryptography`` ``manylinux1`` wheels. |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 309 | `#633 <https://github.com/pyca/pyopenssl/pull/633>`_ |
Hynek Schlawack | 7706e14 | 2017-04-20 14:54:05 +0200 | [diff] [blame] | 310 | |
| 311 | |
| 312 | ---- |
| 313 | |
| 314 | |
Hynek Schlawack | 7970508 | 2017-04-20 13:32:49 +0200 | [diff] [blame] | 315 | 17.0.0 (2017-04-20) |
Hynek Schlawack | 29add1d | 2016-10-16 11:20:04 +0200 | [diff] [blame] | 316 | ------------------- |
| 317 | |
| 318 | Backward-incompatible changes: |
| 319 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 320 | |
| 321 | *none* |
| 322 | |
| 323 | |
| 324 | Deprecations: |
| 325 | ^^^^^^^^^^^^^ |
| 326 | |
| 327 | *none* |
| 328 | |
| 329 | |
| 330 | Changes: |
| 331 | ^^^^^^^^ |
| 332 | |
Thomas Sileo | e15e60a | 2016-11-22 18:13:30 +0100 | [diff] [blame] | 333 | - Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains. |
| 334 | `#567 <https://github.com/pyca/pyopenssl/pull/567>`_ |
Cory Benfield | 496652a | 2017-01-24 11:42:56 +0000 | [diff] [blame] | 335 | - Added a collection of functions for working with OCSP stapling. |
| 336 | None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided. |
| 337 | Users will need to write their own code to handle OCSP assertions. |
Hynek Schlawack | 941f903 | 2017-06-30 16:20:00 +0200 | [diff] [blame] | 338 | We specifically added: ``Context.set_ocsp_server_callback()``, ``Context.set_ocsp_client_callback()``, and ``Connection.request_ocsp()``. |
Cory Benfield | 685483b | 2017-01-24 14:00:45 +0000 | [diff] [blame] | 339 | `#580 <https://github.com/pyca/pyopenssl/pull/580>`_ |
Cory Benfield | e62840e | 2016-11-28 12:17:08 +0000 | [diff] [blame] | 340 | - Changed the ``SSL`` module's memory allocation policy to avoid zeroing memory it allocates when unnecessary. |
| 341 | This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation. |
| 342 | For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements. |
| 343 | `#578 <https://github.com/pyca/pyopenssl/pull/578>`_ |
Paul Kehrer | 6c6bf86 | 2016-12-19 06:03:48 -0600 | [diff] [blame] | 344 | - Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``. |
| 345 | `#575 <https://github.com/pyca/pyopenssl/pull/575>`_ |
Greg Bowser | 36eb2de | 2017-01-24 11:38:55 -0500 | [diff] [blame] | 346 | - Fix empty exceptions from ``OpenSSL.crypto.load_privatekey()``. |
| 347 | `#581 <https://github.com/pyca/pyopenssl/pull/581>`_ |
Hynek Schlawack | 29add1d | 2016-10-16 11:20:04 +0200 | [diff] [blame] | 348 | |
| 349 | |
| 350 | ---- |
| 351 | |
| 352 | |
Hynek Schlawack | c3b38e5 | 2016-10-15 14:56:14 +0200 | [diff] [blame] | 353 | 16.2.0 (2016-10-15) |
Paul Kehrer | 8e99fef | 2016-08-26 19:36:46 +0800 | [diff] [blame] | 354 | ------------------- |
| 355 | |
| 356 | Backward-incompatible changes: |
| 357 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 358 | |
| 359 | *none* |
| 360 | |
| 361 | |
| 362 | Deprecations: |
| 363 | ^^^^^^^^^^^^^ |
| 364 | |
| 365 | *none* |
| 366 | |
| 367 | |
| 368 | Changes: |
| 369 | ^^^^^^^^ |
| 370 | |
Alex Gaynor | 0cc5637 | 2016-09-24 11:15:55 -0400 | [diff] [blame] | 371 | - Fixed compatibility errors with OpenSSL 1.1.0. |
Paul Kehrer | fe2a0a1 | 2016-10-06 12:00:54 +0200 | [diff] [blame] | 372 | - Fixed an issue that caused failures with subinterpreters and embedded Pythons. |
| 373 | `#552 <https://github.com/pyca/pyopenssl/pull/552>`_ |
Paul Kehrer | 8e99fef | 2016-08-26 19:36:46 +0800 | [diff] [blame] | 374 | |
Hynek Schlawack | c3b38e5 | 2016-10-15 14:56:14 +0200 | [diff] [blame] | 375 | |
Paul Kehrer | 8e99fef | 2016-08-26 19:36:46 +0800 | [diff] [blame] | 376 | ---- |
| 377 | |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 378 | |
Paul Kehrer | d0513ab | 2016-08-26 16:33:23 +0800 | [diff] [blame] | 379 | 16.1.0 (2016-08-26) |
Hynek Schlawack | 156f174 | 2016-03-19 12:37:12 +0100 | [diff] [blame] | 380 | ------------------- |
| 381 | |
| 382 | Backward-incompatible changes: |
| 383 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 384 | |
| 385 | *none* |
| 386 | |
| 387 | |
| 388 | Deprecations: |
| 389 | ^^^^^^^^^^^^^ |
| 390 | |
Alex Gaynor | 2a52285 | 2016-08-31 12:17:55 -0400 | [diff] [blame] | 391 | - Dropped support for OpenSSL 0.9.8. |
Hynek Schlawack | 156f174 | 2016-03-19 12:37:12 +0100 | [diff] [blame] | 392 | |
| 393 | |
| 394 | Changes: |
| 395 | ^^^^^^^^ |
| 396 | |
Hynek Schlawack | 11e43ad | 2016-07-03 14:40:20 +0200 | [diff] [blame] | 397 | - Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``. |
| 398 | `#496 <https://github.com/pyca/pyopenssl/pull/496>`_ |
Dan Sully | 44e767a | 2016-06-04 18:05:27 -0700 | [diff] [blame] | 399 | - Enable use of CRL (and more) in verify context. |
| 400 | `#483 <https://github.com/pyca/pyopenssl/pull/483>`_ |
Paul Kehrer | 72d968b | 2016-07-29 15:31:04 +0800 | [diff] [blame] | 401 | - ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such. |
| 402 | `#439 <https://github.com/pyca/pyopenssl/pull/439>`_ |
Paul Kehrer | d0513ab | 2016-08-26 16:33:23 +0800 | [diff] [blame] | 403 | - Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility. |
Hynek Schlawack | 156f174 | 2016-03-19 12:37:12 +0100 | [diff] [blame] | 404 | |
| 405 | |
| 406 | ---- |
| 407 | |
| 408 | |
Hynek Schlawack | b62041b | 2016-03-19 10:00:09 +0100 | [diff] [blame] | 409 | 16.0.0 (2016-03-19) |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 410 | ------------------- |
| 411 | |
| 412 | This is the first release under full stewardship of PyCA. |
| 413 | We have made *many* changes to make local development more pleasing. |
| 414 | The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2. |
Hynek Schlawack | f6c96af | 2017-04-20 12:34:58 +0200 | [diff] [blame] | 415 | It has been moved to `pytest <https://docs.pytest.org/>`_, all CI test runs are part of `tox <https://tox.readthedocs.io/>`_ and the source code has been made fully `flake8 <https://flake8.readthedocs.io/>`_ compliant. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 416 | |
Cory Benfield | 0820ac2 | 2015-10-28 17:39:28 +0900 | [diff] [blame] | 417 | We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 418 | |
| 419 | |
| 420 | Backward-incompatible changes: |
| 421 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 422 | |
| 423 | - Python 3.2 support has been dropped. |
| 424 | It never had significant real world usage and has been dropped by our main dependency ``cryptography``. |
| 425 | Affected users should upgrade to Python 3.3 or later. |
| 426 | |
| 427 | |
| 428 | Deprecations: |
| 429 | ^^^^^^^^^^^^^ |
| 430 | |
| 431 | - The support for EGD has been removed. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 432 | The only affected function ``OpenSSL.rand.egd()`` now uses ``os.urandom()`` to seed the internal PRNG instead. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 433 | Please see `pyca/cryptography#1636 <https://github.com/pyca/cryptography/pull/1636>`_ for more background information on this decision. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 434 | In accordance with our backward compatibility policy ``OpenSSL.rand.egd()`` will be *removed* no sooner than a year from the release of 16.0.0. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 435 | |
Hynek Schlawack | c3b38e5 | 2016-10-15 14:56:14 +0200 | [diff] [blame] | 436 | Please note that you should `use urandom <https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/>`_ for all your secure random number needs. |
Hynek Schlawack | 046d3f4 | 2016-03-13 08:33:04 +0100 | [diff] [blame] | 437 | - Python 2.6 support has been deprecated. |
| 438 | Our main dependency ``cryptography`` deprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it. |
| 439 | pyOpenSSL will drop Python 2.6 support once ``cryptography`` does. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 440 | |
| 441 | |
| 442 | Changes: |
| 443 | ^^^^^^^^ |
| 444 | |
Hynek Schlawack | b875d51 | 2016-03-16 13:56:33 +0100 | [diff] [blame] | 445 | - Fixed ``OpenSSL.SSL.Context.set_session_id``, ``OpenSSL.SSL.Connection.renegotiate``, ``OpenSSL.SSL.Connection.renegotiate_pending``, and ``OpenSSL.SSL.Context.load_client_ca``. |
Hynek Schlawack | b1f3ca8 | 2016-02-13 09:10:04 +0100 | [diff] [blame] | 446 | They were lacking an implementation since 0.14. |
Hynek Schlawack | b875d51 | 2016-03-16 13:56:33 +0100 | [diff] [blame] | 447 | `#422 <https://github.com/pyca/pyopenssl/pull/422>`_ |
Paul Kehrer | 8fc6ec0 | 2016-03-02 13:20:58 -0600 | [diff] [blame] | 448 | - Fixed segmentation fault when using keys larger than 4096-bit to sign data. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 449 | `#428 <https://github.com/pyca/pyopenssl/pull/428>`_ |
| 450 | - Fixed ``AttributeError`` when ``OpenSSL.SSL.Connection.get_app_data()`` was called before setting any app data. |
| 451 | `#304 <https://github.com/pyca/pyopenssl/pull/304>`_ |
| 452 | - Added ``OpenSSL.crypto.dump_publickey()`` to dump ``OpenSSL.crypto.PKey`` objects that represent public keys, and ``OpenSSL.crypto.load_publickey()`` to load such objects from serialized representations. |
| 453 | `#382 <https://github.com/pyca/pyopenssl/pull/382>`_ |
| 454 | - Added ``OpenSSL.crypto.dump_crl()`` to dump a certificate revocation list out to a string buffer. |
| 455 | `#368 <https://github.com/pyca/pyopenssl/pull/368>`_ |
Hynek Schlawack | ea94f2b | 2016-03-13 16:17:53 +0100 | [diff] [blame] | 456 | - Added ``OpenSSL.SSL.Connection.get_state_string()`` using the OpenSSL binding ``state_string_long``. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 457 | `#358 <https://github.com/pyca/pyopenssl/pull/358>`_ |
| 458 | - Added support for the ``socket.MSG_PEEK`` flag to ``OpenSSL.SSL.Connection.recv()`` and ``OpenSSL.SSL.Connection.recv_into()``. |
| 459 | `#294 <https://github.com/pyca/pyopenssl/pull/294>`_ |
| 460 | - Added ``OpenSSL.SSL.Connection.get_protocol_version()`` and ``OpenSSL.SSL.Connection.get_protocol_version_name()``. |
| 461 | `#244 <https://github.com/pyca/pyopenssl/pull/244>`_ |
| 462 | - Switched to ``utf8string`` mask by default. |
| 463 | OpenSSL formerly defaulted to a ``T61String`` if there were UTF-8 characters present. |
| 464 | This was changed to default to ``UTF8String`` in the config around 2005, but the actual code didn't change it until late last year. |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 465 | This will default us to the setting that actually works. |
| 466 | To revert this you can call ``OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")``. |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 467 | `#234 <https://github.com/pyca/pyopenssl/pull/234>`_ |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 468 | |
| 469 | |
Hynek Schlawack | 65e4def | 2016-03-13 15:07:52 +0100 | [diff] [blame] | 470 | ---- |
| 471 | |
Hynek Schlawack | 682443f | 2015-10-25 16:15:12 +0100 | [diff] [blame] | 472 | |
| 473 | Older Changelog Entries |
| 474 | ----------------------- |
| 475 | |
Hynek Schlawack | 0cc6154 | 2016-01-19 14:09:32 +0100 | [diff] [blame] | 476 | The changes from before release 16.0.0 are preserved in the `repository <https://github.com/pyca/pyopenssl/blob/master/doc/ChangeLog_old.txt>`_. |