.. image:: https://readthedocs.org/projects/pyopenssl/badge/?version=stable
   :target: https://pyopenssl.org/en/stable/
   :alt: Stable Docs

.. image:: https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main
   :target: https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain

.. image:: https://codecov.io/github/pyca/pyopenssl/branch/main/graph/badge.svg
   :target: https://codecov.io/github/pyca/pyopenssl
   :alt: Test coverage

Note: The Python Cryptographic Authority strongly suggests the use of `pyca/cryptography`_
where possible. If you are using pyOpenSSL for anything other than making a TLS connection
you should move to cryptography and drop your pyOpenSSL dependency.

High-level wrapper around a subset of the OpenSSL library. Includes
``SSL.Connection`` objects, wrapping the methods of Python's portable sockets... and much more.

You can find more information in the documentation_. Development takes place on GitHub_.

If you run into bugs, you can file them in our `issue tracker`_.

We maintain a cryptography-dev_ mailing list for both user and development discussions.

You can also join ``#pyca`` on ``irc.libera.chat`` to ask questions or get involved.

.. _documentation: https://pyopenssl.org/
.. _`issue tracker`: https://github.com/pyca/pyopenssl/issues
.. _cryptography-dev: https://mail.python.org/mailman/listinfo/cryptography-dev
.. _GitHub: https://github.com/pyca/pyopenssl
.. _`pyca/cryptography`: https://github.com/pyca/cryptography

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

- ``OpenSSL.crypto.X509Req``, ``OpenSSL.crypto.load_certificate_request``, ``OpenSSL.crypto.dump_certificate_request``. Instead, ``cryptography.x509.CertificateSigningRequest``, ``cryptography.x509.CertificateSigningRequestBuilder``, ``cryptography.x509.load_der_x509_csr``, or ``cryptography.x509.load_pem_x509_csr`` should be used.

Changes:
^^^^^^^^

- ``SSL`` module.
  `#1308 <https://github.com/pyca/pyopenssl/pull/1308>`_.
- ``OpenSSL.crypto.PKey.from_cryptography_key`` to accept public and private EC, ED25519, ED448 keys.
  `#1310 <https://github.com/pyca/pyopenssl/pull/1310>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``OpenSSL.crypto.PKCS12`` and ``OpenSSL.crypto.NetscapeSPKI``. ``OpenSSL.crypto.PKCS12`` may be replaced by the PKCS#12 APIs in the ``cryptography`` package.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
  `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``cryptography`` version is now 41.0.5.
- ``OpenSSL.crypto.load_pkcs7`` and ``OpenSSL.crypto.load_pkcs12`` which had been deprecated for 3 years.
- ``OpenSSL.SSL.OP_LEGACY_SERVER_CONNECT`` to allow legacy insecure renegotiation between OpenSSL and unpatched servers.
  `#1234 <https://github.com/pyca/pyopenssl/pull/1234>`_.

Deprecations:
^^^^^^^^^^^^^

- ``OpenSSL.crypto.PKCS12`` (which was intended to have been deprecated at the same time as ``OpenSSL.crypto.load_pkcs12``).
- ``OpenSSL.crypto.NetscapeSPKI``.
- ``OpenSSL.crypto.CRL``
- ``OpenSSL.crypto.Revoked``
- ``OpenSSL.crypto.load_crl`` and ``OpenSSL.crypto.dump_crl``
- ``OpenSSL.crypto.sign`` and ``OpenSSL.crypto.verify``
- ``OpenSSL.crypto.X509Extension``

Changes:
^^^^^^^^

- ``OpenSSL.crypto.X509Store.add_crl`` to also accept ``cryptography``'s ``x509.CertificateRevocationList`` arguments in addition to the now deprecated ``OpenSSL.crypto.CRL`` arguments.
- ``test_set_default_verify_paths`` test so that it is skipped if no network connection is available.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``X509StoreFlags.NOTIFY_POLICY``.
  `#1213 <https://github.com/pyca/pyopenssl/pull/1213>`_.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 41.0.x.
- ``OpenSSL.crypto.X509Req.set_version``.
- ``X509VerificationCodes`` to ``OpenSSL.SSL``.
  `#1202 <https://github.com/pyca/pyopenssl/pull/1202>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``X509Extension.get_short_name`` to raise an exception when no short name was known to OpenSSL.
  `#1204 <https://github.com/pyca/pyopenssl/pull/1204>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``cryptography`` maximum version has been increased to 40.0.x.
- ``OpenSSL.SSL.Connection.DTLSv1_get_timeout`` and ``OpenSSL.SSL.Connection.DTLSv1_handle_timeout`` to support DTLS timeouts
  `#1180 <https://github.com/pyca/pyopenssl/pull/1180>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- ``OpenSSL.SSL.X509StoreFlags.PARTIAL_CHAIN`` constant to allow for users to perform certificate verification on partial certificate chains.
  `#1166 <https://github.com/pyca/pyopenssl/pull/1166>`_
- ``cryptography`` maximum version has been increased to 39.0.x.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``cryptography`` version is now 38.0.x (and we now pin releases against ``cryptography`` major versions to prevent future breakage)
- ``OpenSSL.crypto.X509StoreContextError`` exception has been refactored, changing its internal attributes.
  `#1133 <https://github.com/pyca/pyopenssl/pull/1133>`_

Deprecations:
^^^^^^^^^^^^^

- ``OpenSSL.SSL.SSLeay_version`` is deprecated in favor of ``OpenSSL.SSL.OpenSSL_version``. The constants ``OpenSSL.SSL.SSLEAY_*`` are deprecated in favor of ``OpenSSL.SSL.OPENSSL_*``.

Changes:
^^^^^^^^

- ``OpenSSL.SSL.Connection.set_verify`` and ``OpenSSL.SSL.Connection.get_verify_mode`` to override the context object's verification flags.
  `#1073 <https://github.com/pyca/pyopenssl/pull/1073>`_
- ``OpenSSL.SSL.Connection.use_certificate`` and ``OpenSSL.SSL.Connection.use_privatekey`` to set a certificate per connection (and not just per context)
  `#1121 <https://github.com/pyca/pyopenssl/pull/1121>`_.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- `#1047 <https://github.com/pyca/pyopenssl/pull/1047>`_
- ``cryptography`` version is now 35.0.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- `DTLS <https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security>`_ primitives.
  `#1026 <https://github.com/pyca/pyopenssl/pull/1026>`_

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``cryptography`` version is now 3.3.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

- `#993 <https://github.com/pyca/pyopenssl/pull/993>`_
- ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version`` to set the minimum and maximum supported TLS version
  `#985 <https://github.com/pyca/pyopenssl/pull/985>`_.
- ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming release of ``cryptography`` without raising deprecation warnings.
  `#1030 <https://github.com/pyca/pyopenssl/pull/1030>`_

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``cryptography`` version is now 3.2.
- ``OpenSSL.tsafe`` module.
- ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.

Deprecations:
^^^^^^^^^^^^^

- ``OpenSSL.crypto.load_pkcs7`` and ``OpenSSL.crypto.load_pkcs12``.

Changes:
^^^^^^^^

- ``chain`` parameter to ``OpenSSL.crypto.X509StoreContext()`` where additional untrusted certificates can be specified to help chain building.
  `#948 <https://github.com/pyca/pyopenssl/pull/948>`_
- ``OpenSSL.crypto.X509Store.load_locations`` to set trusted certificate file bundles and/or directories for verification.
  `#943 <https://github.com/pyca/pyopenssl/pull/943>`_
- ``Context.set_keylog_callback`` to log key material.
  `#910 <https://github.com/pyca/pyopenssl/pull/910>`_
- ``OpenSSL.SSL.Connection.get_verified_chain`` to retrieve the verified certificate chain of the peer.
  `#894 <https://github.com/pyca/pyopenssl/pull/894>`_.
- ``Context.set_verify``. If omitted, OpenSSL's default verification is used.
  `#933 <https://github.com/pyca/pyopenssl/pull/933>`_
- ``OpenSSL.crypto.load_privatekey`` and ``OpenSSL.crypto.dump_privatekey``.
  `#947 <https://github.com/pyca/pyopenssl/pull/947>`_

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, and ``NetscapeSPKIType`` aliases. Use the classes without the ``Type`` suffix instead.
  `#814 <https://github.com/pyca/pyopenssl/pull/814>`_
- ``cryptography`` version is now 2.8 due to issues on macOS with a transitive dependency.
  `#875 <https://github.com/pyca/pyopenssl/pull/875>`_

Deprecations:
^^^^^^^^^^^^^

- ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``. ALPN should be used instead.
  `#820 <https://github.com/pyca/pyopenssl/pull/820>`_

Changes:
^^^^^^^^

- ``bytearray`` in ``SSL.Connection.send()`` by using cffi's from_buffer.
  `#852 <https://github.com/pyca/pyopenssl/pull/852>`_
- ``OpenSSL.SSL.Context.set_alpn_select_callback`` can return a new ``NO_OVERLAPPING_PROTOCOLS`` sentinel value to allow a TLS handshake to complete without an application protocol.

`Full changelog <https://pyopenssl.org/en/stable/changelog.html>`_.
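
The README note recommends moving non-TLS work to ``cryptography``, and the changelog deprecates ``OpenSSL.crypto.X509Req`` and its load/dump functions in favor of the ``cryptography.x509`` CSR APIs. The following is an added example, not code from the pyOpenSSL project, showing CSR creation and loading with those APIs, including the signature check a consumer should make before using a request's fields; the helper names ``build_csr`` and ``inspect_csr`` and the sample host names are assumptions made for illustration.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_csr(common_name, dns_names):
    """Create a new P-256 key and a CSR for it; returns (key, csr)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    san = x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names])
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, csr


def inspect_csr(data):
    """Load a PEM or DER CSR and return (common_name, dns_names).

    Raises ValueError when the request's self-signature does not verify,
    so a request altered after signing is rejected before its fields are used.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        csr = x509.load_pem_x509_csr(data)
    else:
        csr = x509.load_der_x509_csr(data)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    try:
        ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    return cn, names


if __name__ == "__main__":
    # Constructed sample names, not taken from the page.
    _, csr = build_csr("app.example.test", ["app.example.test", "api.example.test"])
    pem = csr.public_bytes(serialization.Encoding.PEM)
    print(pem.decode())
    print(inspect_csr(pem))
```
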
FAQs
Python wrapper module around the OpenSSL library
We found that pyOpenSSL demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.