Merge pull request #2840 from alex/error-on-098
Fixed #2836 -- error out on OpenSSL 0.9.8 by default
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 00ca808..6b7126c 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,8 @@
.. note:: This version is not yet released and is under active development.
+* Support for OpenSSL 0.9.8 has been removed. Users on older version of OpenSSL
+ will need to upgrade.
1.3 - 2016-03-18
~~~~~~~~~~~~~~~~
diff --git a/docs/faq.rst b/docs/faq.rst
index 3456ba9..f00974b 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -40,6 +40,19 @@
appear to be at fault, it's possible that this is a bug in ``cryptography``.
Please file an `issue`_ with instructions on how to reproduce it.
+Importing cryptography causes a ``RuntimeError`` about OpenSSL 0.9.8
+--------------------------------------------------------------------
+
+The OpenSSL project has dropped support for the 0.9.8 release series. Since it
+is no longer receiving security patches from upstream, ``cryptography`` is also
+dropping support for it. To fix this issue you should upgrade to a newer
+version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer
+operating system.
+
+For the 1.4 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_098``
+environment variable. Please note that this is *temporary* and will be removed
+in ``cryptography`` 1.5.
+
.. _`NaCl`: https://nacl.cr.yp.to/
.. _`PyNaCl`: https://pynacl.readthedocs.org
.. _`WSGIApplicationGroup`: https://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIApplicationGroup.html
diff --git a/docs/installation.rst b/docs/installation.rst
index 8c3c436..38dc486 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -39,8 +39,8 @@
.. warning::
OpenSSL versions 0.9.8 and 1.0.0 are no longer supported by the OpenSSL
- project. Support for OpenSSL 0.9.8 will be removed in the next
- ``cryptography`` release.
+ project. Cryptography 1.4 has dropped support for OpenSSL 0.9.8, see the
+ :doc:`FAQ </faq>` for more details.
On Windows
----------
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 5d7466f..7727ad8 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -10,7 +10,6 @@
import types
import warnings
-from cryptography import utils
from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings._openssl import ffi, lib
from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
@@ -217,6 +216,30 @@
)
+def _verify_openssl_version(version):
+ if version < 0x10000000:
+ if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_098"):
+ warnings.warn(
+ "OpenSSL version 0.9.8 is no longer supported by the OpenSSL "
+ "project, please upgrade. The next version of cryptography "
+ "will completely remove support for it.",
+ DeprecationWarning
+ )
+ else:
+ raise RuntimeError(
+ "You are linking against OpenSSL 0.9.8, which is no longer "
+ "support by the OpenSSL project. You need to upgrade to a "
+ "newer version of OpenSSL."
+ )
+ elif version < 0x10001000:
+ warnings.warn(
+ "OpenSSL versions less than 1.0.1 are no longer supported by the "
+ "OpenSSL project, please upgrade. A future version of "
+ "cryptography will drop support for these versions of OpenSSL.",
+ DeprecationWarning
+ )
+
+
# OpenSSL is not thread safe until the locks are initialized. We call this
# method in module scope so that it executes with the import lock. On
# Pythons < 3.4 this import lock is a global lock, which can prevent a race
@@ -224,17 +247,4 @@
# is per module so this approach will not work.
Binding.init_static_locks()
-if Binding.lib.SSLeay() < 0x10000000:
- warnings.warn(
- "OpenSSL version 0.9.8 is no longer supported by the OpenSSL project, "
- "please upgrade. The next version of cryptography will drop support "
- "for it.",
- utils.DeprecatedIn12
- )
-elif Binding.lib.SSLeay() < 0x10001000:
- warnings.warn(
- "OpenSSL versions less than 1.0.1 are no longer supported by the "
- "OpenSSL project, please upgrade. A future version of cryptography "
- "will drop support for these versions.",
- DeprecationWarning
- )
+_verify_openssl_version(Binding.lib.SSLeay())
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 457799d..34c23ab 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -8,7 +8,7 @@
from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings.openssl.binding import (
- Binding, _OpenSSLErrorWithText, _openssl_assert
+ Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version
)
@@ -175,3 +175,9 @@
b'ex:data not multiple of block length'
)
)]
+
+ def test_verify_openssl_version(self, monkeypatch):
+ monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_098", raising=False)
+ with pytest.raises(RuntimeError):
+ # OpenSSL 0.9.8zg
+ _verify_openssl_version(0x9081DF)
diff --git a/tox.ini b/tox.ini
index 4db19b8..e5efefc 100644
--- a/tox.ini
+++ b/tox.ini
@@ -7,6 +7,8 @@
.[test]
./vectors
passenv = ARCHFLAGS LDFLAGS CFLAGS INCLUDE LIB LD_LIBRARY_PATH USERNAME
+setenv =
+ CRYPTOGRAPHY_ALLOW_OPENSSL_098=1
commands =
pip list
# We use parallel mode and then combine here so that coverage.py will take