pyopenssl
Advanced tools
.. image:: https://readthedocs.org/projects/pyopenssl/badge/?version=stable :target: https://pyopenssl.org/en/stable/ :alt: Stable Docs
.. image:: https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main :target: https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain
Note: The Python Cryptographic Authority strongly suggests the use of pyca/cryptography_
where possible. If you are using pyOpenSSL for anything other than making a TLS connection
you should move to cryptography and drop your pyOpenSSL dependency.
High-level wrapper around a subset of the OpenSSL library. Includes
SSL.Connection objects, wrapping the methods of Python's portable sockets... and much more.
You can find more information in the documentation_. Development takes place on GitHub_.
If you run into bugs, you can file them in our issue tracker_.
We maintain a cryptography-dev_ mailing list for both user and development discussions.
You can also join #pyca on irc.libera.chat to ask questions or get involved.
.. _documentation: https://pyopenssl.org/
.. _issue tracker: https://github.com/pyca/pyopenssl/issues
.. _cryptography-dev: https://mail.python.org/mailman/listinfo/cryptography-dev
.. _GitHub: https://github.com/pyca/pyopenssl
.. _pyca/cryptography: https://github.com/pyca/cryptography
Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
cryptography version is now 46.x.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
cryptography version is now 45.0.7.Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER on connections by default, matching CPython's behavior.OpenSSL.SSL.Context.clear_mode.OpenSSL.SSL.Context.set_tls13_ciphersuites to set the allowed TLS 1.3 ciphers.OpenSSL.SSL.Connection.set_info_callbackBackward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
OpenSSL.SSL.Context after it
has been used to create an OpenSSL.SSL.Connection will emit a warning. In
a future release, this will raise an exception.Changes: ^^^^^^^^
cryptography maximum version has been increased to 45.0.x.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
Context.set_alpn_select_callback, Context.set_session_cache_mode, Context.set_options, Context.set_mode, X509.subject_name_hash, and X509Store.load_locations.warnings.deprecated. mypy will emit deprecation notices for them when used with --enable-error-code deprecated.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OpenSSL.crypto.CRL, OpenSSL.crypto.Revoked, OpenSSL.crypto.dump_crl, and OpenSSL.crypto.load_crl. cryptography.x509's CRL functionality should be used instead.OpenSSL.crypto.sign and OpenSSL.crypto.verify. cryptography.hazmat.primitives.asymmetric's signature APIs should be used instead.Deprecations: ^^^^^^^^^^^^^
OpenSSL.rand - callers should use os.urandom() instead.add_extensions and get_extensions on OpenSSL.crypto.X509Req and OpenSSL.crypto.X509. These should have been deprecated at the same time X509Extension was. Users should use pyca/cryptography's X.509 APIs instead.OpenSSL.crypto.get_elliptic_curves and OpenSSL.crypto.get_elliptic_curve, as well as passing the reult of them to OpenSSL.SSL.Context.set_tmp_ecdh, users should instead pass curves from cryptography.X509 objects to OpenSSL.SSL.Context.use_certificate, OpenSSL.SSL.Connection.use_certificate, OpenSSL.SSL.Context.add_extra_chain_cert, and OpenSSL.SSL.Context.add_client_ca, users should instead pass cryptography.x509.Certificate instances. This is in preparation for deprecating pyOpenSSL's X509 entirely.PKey objects to OpenSSL.SSL.Context.use_privatekey and OpenSSL.SSL.Connection.use_privatekey, users should instead pass cryptography priate key instances. This is in preparation for deprecating pyOpenSSL's PKey entirely.Changes: ^^^^^^^^
cryptography maximum version has been increased to 44.0.x.OpenSSL.SSL.Connection.get_certificate, OpenSSL.SSL.Connection.get_peer_certificate, OpenSSL.SSL.Connection.get_peer_cert_chain, and OpenSSL.SSL.Connection.get_verified_chain now take an as_cryptography keyword-argument. When True is passed then cryptography.x509.Certificate are returned, instead of OpenSSL.crypto.X509. In the future, passing False (the default) will be deprecated.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
OpenSSL.crypto.X509Req, OpenSSL.crypto.load_certificate_request, OpenSSL.crypto.dump_certificate_request. Instead, cryptography.x509.CertificateSigningRequest, cryptography.x509.CertificateSigningRequestBuilder, cryptography.x509.load_der_x509_csr, or cryptography.x509.load_pem_x509_csr should be used.Changes: ^^^^^^^^
SSL module.
#1308 <https://github.com/pyca/pyopenssl/pull/1308>_.OpenSSL.crypto.PKey.from_cryptography_key to accept public and private EC, ED25519, ED448 keys.
#1310 <https://github.com/pyca/pyopenssl/pull/1310>_.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OpenSSL.crypto.PKCS12 and
OpenSSL.crypto.NetscapeSPKI. OpenSSL.crypto.PKCS12 may be replaced
by the PKCS#12 APIs in the cryptography package.Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
OpenSSL.SSL.Connection.get_selected_srtp_profile to determine which SRTP profile was negotiated.
#1279 <https://github.com/pyca/pyopenssl/pull/1279>_.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
cryptography version is now 41.0.5.OpenSSL.crypto.load_pkcs7 and OpenSSL.crypto.load_pkcs12 which had been deprecated for 3 years.OpenSSL.SSL.OP_LEGACY_SERVER_CONNECT to allow legacy insecure renegotiation between OpenSSL and unpatched servers.
#1234 <https://github.com/pyca/pyopenssl/pull/1234>_.Deprecations: ^^^^^^^^^^^^^
OpenSSL.crypto.PKCS12 (which was intended to have been deprecated at the same time as OpenSSL.crypto.load_pkcs12).OpenSSL.crypto.NetscapeSPKI.OpenSSL.crypto.CRLOpenSSL.crypto.RevokedOpenSSL.crypto.load_crl and OpenSSL.crypto.dump_crlOpenSSL.crypto.sign and OpenSSL.crypto.verifyOpenSSL.crypto.X509ExtensionChanges: ^^^^^^^^
OpenSSL.crypto.X509Store.add_crl to also accept
cryptography's x509.CertificateRevocationList arguments in addition
to the now deprecated OpenSSL.crypto.CRL arguments.test_set_default_verify_paths test so that it is skipped if no
network connection is available.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
X509StoreFlags.NOTIFY_POLICY.
#1213 <https://github.com/pyca/pyopenssl/pull/1213>_.Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
cryptography maximum version has been increased to 41.0.x.OpenSSL.crypto.X509Req.set_version.X509VerificationCodes to OpenSSL.SSL.
#1202 <https://github.com/pyca/pyopenssl/pull/1202>_.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
X509Extension.get_short_name to raise an exception when no short name was known to OpenSSL.
#1204 <https://github.com/pyca/pyopenssl/pull/1204>_.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
cryptography maximum version has been increased to 40.0.x.OpenSSL.SSL.Connection.DTLSv1_get_timeout and OpenSSL.SSL.Connection.DTLSv1_handle_timeout
to support DTLS timeouts #1180 <https://github.com/pyca/pyopenssl/pull/1180>_.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN constant to allow for users
to perform certificate verification on partial certificate chains.
#1166 <https://github.com/pyca/pyopenssl/pull/1166>_cryptography maximum version has been increased to 39.0.x.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
cryptography version is now 38.0.x (and we now pin releases
against cryptography major versions to prevent future breakage)OpenSSL.crypto.X509StoreContextError exception has been refactored,
changing its internal attributes.
#1133 <https://github.com/pyca/pyopenssl/pull/1133>_Deprecations: ^^^^^^^^^^^^^
OpenSSL.SSL.SSLeay_version is deprecated in favor of
OpenSSL.SSL.OpenSSL_version. The constants OpenSSL.SSL.SSLEAY_* are
deprecated in favor of OpenSSL.SSL.OPENSSL_*.Changes: ^^^^^^^^
OpenSSL.SSL.Connection.set_verify and OpenSSL.SSL.Connection.get_verify_mode
to override the context object's verification flags.
#1073 <https://github.com/pyca/pyopenssl/pull/1073>_OpenSSL.SSL.Connection.use_certificate and OpenSSL.SSL.Connection.use_privatekey
to set a certificate per connection (and not just per context) #1121 <https://github.com/pyca/pyopenssl/pull/1121>_.Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#1047 <https://github.com/pyca/pyopenssl/pull/1047>_cryptography version is now 35.0.Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
DTLS <https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security>_
primitives. #1026 <https://github.com/pyca/pyopenssl/pull/1026>_Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
cryptography version is now 3.3.Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
#993 <https://github.com/pyca/pyopenssl/pull/993>_OpenSSL.SSL.Context.set_min_proto_version and OpenSSL.SSL.Context.set_max_proto_version
to set the minimum and maximum supported TLS version #985 <https://github.com/pyca/pyopenssl/pull/985>_.to_cryptography and from_cryptography methods to support an upcoming release of cryptography without raising deprecation warnings.
#1030 <https://github.com/pyca/pyopenssl/pull/1030>_Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations: ^^^^^^^^^^^^^
Changes: ^^^^^^^^
Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
cryptography version is now 3.2.OpenSSL.tsafe module.OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated.Deprecations: ^^^^^^^^^^^^^
OpenSSL.crypto.load_pkcs7 and OpenSSL.crypto.load_pkcs12.Changes: ^^^^^^^^
chain parameter to OpenSSL.crypto.X509StoreContext()
where additional untrusted certificates can be specified to help chain building.
#948 <https://github.com/pyca/pyopenssl/pull/948>_OpenSSL.crypto.X509Store.load_locations to set trusted
certificate file bundles and/or directories for verification.
#943 <https://github.com/pyca/pyopenssl/pull/943>_Context.set_keylog_callback to log key material.
#910 <https://github.com/pyca/pyopenssl/pull/910>_OpenSSL.SSL.Connection.get_verified_chain to retrieve the
verified certificate chain of the peer.
#894 <https://github.com/pyca/pyopenssl/pull/894>_.Context.set_verify.
If omitted, OpenSSL's default verification is used.
#933 <https://github.com/pyca/pyopenssl/pull/933>_OpenSSL.crypto.load_privatekey
and OpenSSL.crypto.dump_privatekey.
#947 <https://github.com/pyca/pyopenssl/pull/947>_Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ContextType, ConnectionType, PKeyType, X509NameType, X509ReqType, X509Type, X509StoreType, CRLType, PKCS7Type, PKCS12Type, and NetscapeSPKIType aliases.
Use the classes without the Type suffix instead.
#814 <https://github.com/pyca/pyopenssl/pull/814>_cryptography version is now 2.8 due to issues on macOS with a transitive dependency.
#875 <https://github.com/pyca/pyopenssl/pull/875>_Deprecations: ^^^^^^^^^^^^^
OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated.
ALPN should be used instead.
#820 <https://github.com/pyca/pyopenssl/pull/820>_Changes: ^^^^^^^^
bytearray in SSL.Connection.send() by using cffi's from_buffer.
#852 <https://github.com/pyca/pyopenssl/pull/852>_OpenSSL.SSL.Context.set_alpn_select_callback can return a new NO_OVERLAPPING_PROTOCOLS sentinel value
to allow a TLS handshake to complete without an application protocol.Full changelog <https://pyopenssl.org/en/stable/changelog.html>_.
FAQs
Python wrapper module around the OpenSSL library
We found that pyopenssl demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
OpenVSX releases of Aqua Trivy 1.8.12 and 1.8.13 contained injected natural-language prompts that abuse local AI coding agents for system inspection and potential data exfiltration.
Security News
minimatch patched three high-severity ReDoS vulnerabilities that can stall the Node.js event loop, and Socket has released free certified patches.
Research
/Security News
Socket uncovered 26 malicious npm packages tied to North Korea's Contagious Interview campaign, retrieving a live 9-module infostealer and RAT from the adversary's C2.