Pyopenssl

-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Dropped support for Python 3.6.
- The minimum ``cryptography`` version is now 41.0.5.
- Removed ``OpenSSL.crypto.load_pkcs7`` and ``OpenSSL.crypto.load_pkcs12`` which had been deprecated for 3 years.
- Added ``OpenSSL.SSL.OP_LEGACY_SERVER_CONNECT`` to allow legacy insecure renegotiation between OpenSSL and unpatched servers.
`1234 <https://github.com/pyca/pyopenssl/pull/1234>`_.

Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.crypto.PKCS12`` (which was intended to have been deprecated at the same time as ``OpenSSL.crypto.load_pkcs12``).
- Deprecated ``OpenSSL.crypto.NetscapeSPKI``.
- Deprecated ``OpenSSL.crypto.CRL``
- Deprecated ``OpenSSL.crypto.Revoked``
- Deprecated ``OpenSSL.crypto.load_crl`` and ``OpenSSL.crypto.dump_crl``
- Deprecated ``OpenSSL.crypto.sign`` and ``OpenSSL.crypto.verify``
- Deprecated ``OpenSSL.crypto.X509Extension``

Changes:
^^^^^^^^

- Changed ``OpenSSL.crypto.X509Store.add_crl`` to also accept
``cryptography``'s ``x509.CertificateRevocationList`` arguments in addition
to the now deprecated ``OpenSSL.crypto.CRL`` arguments.
- Fixed ``test_set_default_verify_paths`` test so that it is skipped if no
network connection is available.

-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed ``X509StoreFlags.NOTIFY_POLICY``.
`1213 <https://github.com/pyca/pyopenssl/pull/1213>`_.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 41.0.x.
- Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
- Added ``X509VerificationCodes`` to ``OpenSSL.SSL``.
`1202 <https://github.com/pyca/pyopenssl/pull/1202>`_.

-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Worked around an issue in OpenSSL 3.1.0 which caused `X509Extension.get_short_name` to raise an exception when no short name was known to OpenSSL.
`1204 <https://github.com/pyca/pyopenssl/pull/1204>`_.

-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 40.0.x.
- Add ``OpenSSL.SSL.Connection.DTLSv1_get_timeout`` and ``OpenSSL.SSL.Connection.DTLSv1_handle_timeout``
to support DTLS timeouts `1180 <https://github.com/pyca/pyopenssl/pull/1180>`_.

-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- Add ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users
to perform certificate verification on partial certificate chains.
`1166 <https://github.com/pyca/pyopenssl/pull/1166>`_
- ``cryptography`` maximum version has been increased to 39.0.x.

-------------------

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Remove support for SSLv2 and SSLv3.
- The minimum ``cryptography`` version is now 38.0.x (and we now pin releases
against ``cryptography`` major versions to prevent future breakage)
- The ``OpenSSL.crypto.X509StoreContextError`` exception has been refactored,
changing its internal attributes.
`1133 <https://github.com/pyca/pyopenssl/pull/1133>`_

Deprecations:
^^^^^^^^^^^^^

- ``OpenSSL.SSL.SSLeay_version`` is deprecated in favor of
``OpenSSL.SSL.OpenSSL_version``. The constants ``OpenSSL.SSL.SSLEAY_*`` are
deprecated in favor of ``OpenSSL.SSL.OPENSSL_*``.

Changes:
^^^^^^^^

- Add ``OpenSSL.SSL.Connection.set_verify`` and ``OpenSSL.SSL.Connection.get_verify_mode``
to override the context object's verification flags.
`1073 <https://github.com/pyca/pyopenssl/pull/1073>`_
- Add ``OpenSSL.SSL.Connection.use_certificate`` and ``OpenSSL.SSL.Connection.use_privatekey``
to set a certificate per connection (and not just per context) `1121 <https://github.com/pyca/pyopenssl/pull/1121>`_.