Pyopenssl

-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 2.2.1.
- Support for Python 2.6 has been dropped.


Deprecations:
^^^^^^^^^^^^^

*none*


Changes:
^^^^^^^^

- Added ``Connection.get_certificate`` to retrieve the local certificate.
`733 <https://github.com/pyca/pyopenssl/pull/733>`_
- ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by default.
`753 <https://github.com/pyca/pyopenssl/pull/753>`_
- Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP keying material.
`734 <https://github.com/pyca/pyopenssl/pull/734>`_


----

-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The minimum ``cryptography`` version is now 2.1.4.


Deprecations:
^^^^^^^^^^^^^

*none*


Changes:
^^^^^^^^

- Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``.
`723 <https://github.com/pyca/pyopenssl/pull/723>`_
- Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material.
`725 <https://github.com/pyca/pyopenssl/pull/725>`_

----

-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*none*


Deprecations:
^^^^^^^^^^^^^

*none*


Changes:
^^^^^^^^


- Re-added a subset of the ``OpenSSL.rand`` module.
This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork.
`708 <https://github.com/pyca/pyopenssl/pull/708>`_
- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated.
`709 <https://github.com/pyca/pyopenssl/pull/709>`_

----

-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Dropped support for Python 3.3.
`677 <https://github.com/pyca/pyopenssl/pull/677>`_
- Removed the deprecated ``OpenSSL.rand`` module.
This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden.
``os.urandom()`` should be used instead.
`675 <https://github.com/pyca/pyopenssl/pull/675>`_


Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.tsafe``.
`673 <https://github.com/pyca/pyopenssl/pull/673>`_

Changes:
^^^^^^^^

- Fixed a memory leak in ``OpenSSL.crypto.CRL``.
`690 <https://github.com/pyca/pyopenssl/pull/690>`_
- Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``.
`691 <https://github.com/pyca/pyopenssl/pull/691>`_


----

-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*none*


Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead.
`658 <https://github.com/pyca/pyopenssl/pull/658>`_


Changes:
^^^^^^^^

- Fixed a bug causing ``Context.set_default_verify_paths()`` to not work with cryptography ``manylinux1`` wheels on Python 3.x.
`665 <https://github.com/pyca/pyopenssl/pull/665>`_
- Fixed a crash with (EC)DSA signatures in some cases.
`670 <https://github.com/pyca/pyopenssl/pull/670>`_


----

-------------------


Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed the deprecated ``OpenSSL.rand.egd()`` function.
Applications should prefer ``os.urandom()`` for random number generation.
`630 <https://github.com/pyca/pyopenssl/pull/630>`_
- Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``.
Callers must now always pass an explicit ``digest``.
`652 <https://github.com/pyca/pyopenssl/pull/652>`_
- Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``,
``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``,
and ``Revoked.set_lastUpdate()``. You must now pass times in the form
``YYYYMMDDhhmmssZ``. ``YYYYMMDDhhmmss+hhmm`` and ``YYYYMMDDhhmmss-hhmm``
will no longer work. `612 <https://github.com/pyca/pyopenssl/pull/612>`_


Deprecations:
^^^^^^^^^^^^^


- Deprecated the legacy "Type" aliases: ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ExtensionType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, ``NetscapeSPKIType``.
The names without the "Type"-suffix should be used instead.


Changes:
^^^^^^^^

- Added ``OpenSSL.crypto.X509.from_cryptography()`` and ``OpenSSL.crypto.X509.to_cryptography()`` for converting X.509 certificate to and from pyca/cryptography objects.
`640 <https://github.com/pyca/pyopenssl/pull/640>`_
- Added ``OpenSSL.crypto.X509Req.from_cryptography()``, ``OpenSSL.crypto.X509Req.to_cryptography()``, ``OpenSSL.crypto.CRL.from_cryptography()``, and ``OpenSSL.crypto.CRL.to_cryptography()`` for converting X.509 CSRs and CRLs to and from pyca/cryptography objects.
`645 <https://github.com/pyca/pyopenssl/pull/645>`_
- Added ``OpenSSL.debug`` that allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information using ``python -m OpenSSL.debug``.
`620 <https://github.com/pyca/pyopenssl/pull/620>`_
- Added a fallback path to ``Context.set_default_verify_paths()`` to accommodate the upcoming release of ``cryptography`` ``manylinux1`` wheels.
`633 <https://github.com/pyca/pyopenssl/pull/633>`_


----