Python wrapper module around the OpenSSL library
.. image:: https://readthedocs.org/projects/pyopenssl/badge/?version=stable
   :target: https://pyopenssl.org/en/stable/
   :alt: Stable Docs

.. image:: https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main
   :target: https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain

.. image:: https://codecov.io/github/pyca/pyopenssl/branch/main/graph/badge.svg
   :target: https://codecov.io/github/pyca/pyopenssl
   :alt: Test coverage
Note: The Python Cryptographic Authority strongly suggests the use of `pyca/cryptography`_
where possible. If you are using pyOpenSSL for anything other than making a TLS connection
you should move to cryptography and drop your pyOpenSSL dependency.
High-level wrapper around a subset of the OpenSSL library. Includes
``SSL.Connection`` objects, wrapping the methods of Python's portable sockets... and much more.
You can find more information in the documentation_. Development takes place on GitHub_.
If you run into bugs, you can file them in our `issue tracker`_.

We maintain a cryptography-dev_ mailing list for both user and development discussions.
You can also join ``#pyca`` on ``irc.libera.chat`` to ask questions or get involved.
.. _documentation: https://pyopenssl.org/
.. _`issue tracker`: https://github.com/pyca/pyopenssl/issues
.. _cryptography-dev: https://mail.python.org/mailman/listinfo/cryptography-dev
.. _GitHub: https://github.com/pyca/pyopenssl
.. _`pyca/cryptography`: https://github.com/pyca/cryptography
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 41.0.5.
- Removed ``OpenSSL.crypto.loads_pkcs7`` and ``OpenSSL.crypto.loads_pkcs12``,
  which had been deprecated for 3 years.
- Added ``OpenSSL.SSL.OP_LEGACY_SERVER_CONNECT`` to allow legacy insecure renegotiation
  between OpenSSL and unpatched servers.
  `#1234 <https://github.com/pyca/pyopenssl/pull/1234>`_.

Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.crypto.PKCS12`` (which was intended to have been deprecated at the
  same time as ``OpenSSL.crypto.load_pkcs12``).
- Deprecated ``OpenSSL.crypto.NetscapeSPKI``.
- Deprecated ``OpenSSL.crypto.CRL``.
- Deprecated ``OpenSSL.crypto.Revoked``.
- Deprecated ``OpenSSL.crypto.load_crl`` and ``OpenSSL.crypto.dump_crl``.
- Deprecated ``OpenSSL.crypto.sign`` and ``OpenSSL.crypto.verify``.
- Deprecated ``OpenSSL.crypto.X509Extension``.

Changes:
^^^^^^^^

- Changed ``OpenSSL.crypto.X509Store.add_crl`` to also accept ``cryptography``'s
  ``x509.CertificateRevocationList`` arguments in addition to the now deprecated
  ``OpenSSL.crypto.CRL`` arguments.
- Fixed the ``test_set_default_verify_paths`` test so that it is skipped if no
  network connection is available.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed ``X509StoreFlags.NOTIFY_POLICY``.
  `#1213 <https://github.com/pyca/pyopenssl/pull/1213>`_.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 41.0.x.
- Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
- Added ``X509VerificationCodes`` to ``OpenSSL.SSL``.
  `#1202 <https://github.com/pyca/pyopenssl/pull/1202>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Worked around an OpenSSL issue which caused ``X509Extension.get_short_name`` to raise
  an exception when no short name was known to OpenSSL.
  `#1204 <https://github.com/pyca/pyopenssl/pull/1204>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 40.0.x.
- Added ``OpenSSL.SSL.Connection.DTLSv1_get_timeout`` and
  ``OpenSSL.SSL.Connection.DTLSv1_handle_timeout`` to support DTLS timeouts.
  `#1180 <https://github.com/pyca/pyopenssl/pull/1180>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Added the ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow users
  to perform certificate verification on partial certificate chains.
  `#1166 <https://github.com/pyca/pyopenssl/pull/1166>`_
- ``cryptography`` maximum version has been increased to 39.0.x.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 38.0.x (and we now pin releases
  against ``cryptography`` major versions to prevent future breakage).
- The ``OpenSSL.crypto.X509StoreContextError`` exception has been refactored,
  changing its internal attributes.
  `#1133 <https://github.com/pyca/pyopenssl/pull/1133>`_

Deprecations:
^^^^^^^^^^^^^

- ``OpenSSL.SSL.SSLeay_version`` is deprecated in favor of
  ``OpenSSL.SSL.OpenSSL_version``. The constants ``OpenSSL.SSL.SSLEAY_*`` are
  deprecated in favor of ``OpenSSL.SSL.OPENSSL_*``.

Changes:
^^^^^^^^

- Added ``OpenSSL.SSL.Connection.set_verify`` and ``OpenSSL.SSL.Connection.get_verify_mode``
  to override the context object's verification flags.
  `#1073 <https://github.com/pyca/pyopenssl/pull/1073>`_
- Added ``OpenSSL.SSL.Connection.use_certificate`` and ``OpenSSL.SSL.Connection.use_privatekey``
  to set a certificate per connection (and not just per context).
  `#1121 <https://github.com/pyca/pyopenssl/pull/1121>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- `#1047 <https://github.com/pyca/pyopenssl/pull/1047>`_
- The minimum ``cryptography`` version is now 35.0.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Expose wrappers for some `DTLS <https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security>`_
  primitives. `#1026 <https://github.com/pyca/pyopenssl/pull/1026>`_

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 3.3.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Raise an error when an invalid ALPN value is set.
  `#993 <https://github.com/pyca/pyopenssl/pull/993>`_
- Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version``
  to set the minimum and maximum supported TLS version.
  `#985 <https://github.com/pyca/pyopenssl/pull/985>`_.
- Updated the ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming
  release of ``cryptography`` without raising deprecation warnings.
  `#1030 <https://github.com/pyca/pyopenssl/pull/1030>`_

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 3.2.
- Removed the deprecated ``OpenSSL.tsafe`` module.
- Removed the deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``,
  ``OpenSSL.SSL.Context.set_npn_select_callback``, and
  ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.

Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.crypto.loads_pkcs7`` and ``OpenSSL.crypto.loads_pkcs12``.

Changes:
^^^^^^^^

- Added a ``chain`` parameter to ``OpenSSL.crypto.X509StoreContext()`` where additional
  untrusted certificates can be specified to help chain building.
  `#948 <https://github.com/pyca/pyopenssl/pull/948>`_
- Added ``OpenSSL.crypto.X509Store.load_locations`` to set trusted certificate file
  bundles and/or directories for verification.
  `#943 <https://github.com/pyca/pyopenssl/pull/943>`_
- Added ``Context.set_keylog_callback`` to log key material.
  `#910 <https://github.com/pyca/pyopenssl/pull/910>`_
- Added ``OpenSSL.SSL.Connection.get_verified_chain`` to retrieve the verified
  certificate chain of the peer.
  `#894 <https://github.com/pyca/pyopenssl/pull/894>`_.
- Made the verification callback optional in ``Context.set_verify``. If omitted,
  OpenSSL's default verification is used.
  `#933 <https://github.com/pyca/pyopenssl/pull/933>`_
- Fixed a bug that could truncate or cause a zero-length key error due to a null byte
  in the private key passphrase in ``OpenSSL.crypto.load_privatekey`` and
  ``OpenSSL.crypto.dump_privatekey``.
  `#947 <https://github.com/pyca/pyopenssl/pull/947>`_

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed the deprecated ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``,
  ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``,
  and ``NetscapeSPKIType`` aliases. Use the classes without the ``Type`` suffix instead.
  `#814 <https://github.com/pyca/pyopenssl/pull/814>`_
- The minimum ``cryptography`` version is now 2.8 due to issues on macOS with a transitive dependency.
  `#875 <https://github.com/pyca/pyopenssl/pull/875>`_

Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``,
  ``OpenSSL.SSL.Context.set_npn_select_callback``, and
  ``OpenSSL.SSL.Connection.get_next_proto_negotiated``. ALPN should be used instead.
  `#820 <https://github.com/pyca/pyopenssl/pull/820>`_

Changes:
^^^^^^^^

- Support ``bytearray`` in ``SSL.Connection.send()`` by using cffi's ``from_buffer``.
  `#852 <https://github.com/pyca/pyopenssl/pull/852>`_
- ``OpenSSL.SSL.Context.set_alpn_select_callback`` can return a new ``NO_OVERLAPPING_PROTOCOLS``
  sentinel value to allow a TLS handshake to complete without an application protocol.

`Full changelog <https://pyopenssl.org/en/stable/changelog.html>`_.