pyOpenSSL 23.2.0

Backward-incompatible changes:

• Removed X509StoreFlags.NOTIFY_POLICY. #1213.

Deprecations:

Changes:

• cryptography maximum version has been increased to 41.0.x.

• Invalid versions are now rejected in OpenSSL.crypto.X509Req.set_version.

• Added X509VerificationCodes to OpenSSL.SSL. #1202.

Backward-incompatible changes:

Deprecations:

Changes:

• Worked around an issue in OpenSSL 3.1.0 which caused X509Extension.get_short_name to raise an exception when no short name was known to OpenSSL. #1204.

Backward-incompatible changes:

Deprecations:

Changes:

• cryptography maximum version has been increased to 40.0.x.

• Add OpenSSL.SSL.Connection.DTLSv1_get_timeout and OpenSSL.SSL.Connection.DTLSv1_handle_timeout to support DTLS timeouts #1180.

Backward-incompatible changes:

Deprecations:

Changes:

• Add OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN constant to allow for users to perform certificate verification on partial certificate chains. #1166

• cryptography maximum version has been increased to 39.0.x.

Backward-incompatible changes:

• Remove support for SSLv2 and SSLv3.

• The minimum cryptography version is now 38.0.x (and we now pin releases against cryptography major versions to prevent future breakage)

• The OpenSSL.crypto.X509StoreContextError exception has been refactored, changing its internal attributes. #1133

Deprecations:

• OpenSSL.SSL.SSLeay_version is deprecated in favor of OpenSSL.SSL.OpenSSL_version. The constants OpenSSL.SSL.SSLEAY_* are deprecated in favor of OpenSSL.SSL.OPENSSL_*.

Changes:

• Add OpenSSL.SSL.Connection.set_verify and OpenSSL.SSL.Connection.get_verify_mode to override the context object’s verification flags. #1073

• Add OpenSSL.SSL.Connection.use_certificate and OpenSSL.SSL.Connection.use_privatekey to set a certificate per connection (and not just per context) #1121.

Backward-incompatible changes:

• Drop support for Python 2.7. #1047

• The minimum cryptography version is now 35.0.

Deprecations:

Changes:

• Expose wrappers for some DTLS primitives. #1026

Backward-incompatible changes:

• The minimum cryptography version is now 3.3.

• Drop support for Python 3.5

Deprecations:

Changes:

• Raise an error when an invalid ALPN value is set. #993

• Added OpenSSL.SSL.Context.set_min_proto_version and OpenSSL.SSL.Context.set_max_proto_version to set the minimum and maximum supported TLS version #985.

• Updated to_cryptography and from_cryptography methods to support an upcoming release of cryptography without raising deprecation warnings. #1030

Backward-incompatible changes:

Deprecations:

Changes:

• Fixed compatibility with OpenSSL 1.1.0.

Backward-incompatible changes:

• The minimum cryptography version is now 3.2.

• Remove deprecated OpenSSL.tsafe module.

• Removed deprecated OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated.

• Drop support for Python 3.4

• Drop support for OpenSSL 1.0.1 and 1.0.2

Deprecations:

• Deprecated OpenSSL.crypto.loads_pkcs7 and OpenSSL.crypto.loads_pkcs12.

Changes:

• Added a new optional chain parameter to OpenSSL.crypto.X509StoreContext() where additional untrusted certificates can be specified to help chain building. #948

• Added OpenSSL.crypto.X509Store.load_locations to set trusted certificate file bundles and/or directories for verification. #943

• Added Context.set_keylog_callback to log key material. #910

• Added OpenSSL.SSL.Connection.get_verified_chain to retrieve the verified certificate chain of the peer. #894.

• Make verification callback optional in Context.set_verify. If omitted, OpenSSL’s default verification is used. #933

• Fixed a bug that could truncate or cause a zero-length key error due to a null byte in private key passphrase in OpenSSL.crypto.load_privatekey and OpenSSL.crypto.dump_privatekey. #947

Backward-incompatible changes:

• Removed deprecated ContextType, ConnectionType, PKeyType, X509NameType, X509ReqType, X509Type, X509StoreType, CRLType, PKCS7Type, PKCS12Type, and NetscapeSPKIType aliases. Use the classes without the Type suffix instead. #814

• The minimum cryptography version is now 2.8 due to issues on macOS with a transitive dependency. #875

Deprecations:

• Deprecated OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated. ALPN should be used instead. #820

Changes:

• Support bytearray in SSL.Connection.send() by using cffi’s from_buffer. #852

• The OpenSSL.SSL.Context.set_alpn_select_callback can return a new NO_OVERLAPPING_PROTOCOLS sentinel value to allow a TLS handshake to complete without an application protocol.

Full changelog.