Fixes #3460 -- deprecate OpenSSL 1.0.1 (#4427)
* Fixes #3460 -- deprecate OpenSSL 1.0.1
* We need to import warnings
* flake8
* words are hard
* rephrase
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c6d0d93..a614df8 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,6 +8,10 @@
.. note:: This version is not yet released and is under active development.
+* Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by
+ the OpenSSL project. At this time there is no time table for dropping
+ support, however we strongly encourage all users to upgrade or install
+ ``cryptography`` from a wheel.
* Added initial :doc:`OCSP </x509/ocsp>` support.
.. _v2-3-1:
diff --git a/docs/installation.rst b/docs/installation.rst
index d665dbc..2d9db66 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -30,6 +30,10 @@
* ``OpenSSL 1.1.0-latest``
* ``OpenSSL 1.1.1-latest``
+.. warning::
+ Cryptography 2.4 has deprecated support for OpenSSL 1.0.1.
+
+
Building cryptography on Windows
--------------------------------
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index ec74d4c..d52619d 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -7,6 +7,7 @@
import collections
import threading
import types
+import warnings
from cryptography import utils
from cryptography.exceptions import InternalError
@@ -150,9 +151,24 @@
_openssl_assert(cls.lib, res == 1)
+def _verify_openssl_version(lib):
+ if (
+ lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
+ not lib.CRYPTOGRAPHY_IS_LIBRESSL
+ ):
+ warnings.warn(
+ "OpenSSL version 1.0.1 is no longer supported by the OpenSSL "
+ "project, please upgrade. A future version of cryptography will "
+ "drop support for it.",
+ DeprecationWarning
+ )
+
+
# OpenSSL is not thread safe until the locks are initialized. We call this
# method in module scope so that it executes with the import lock. On
# Pythons < 3.4 this import lock is a global lock, which can prevent a race
# condition registering the OpenSSL locks. On Python 3.4+ the import lock
# is per module so this approach will not work.
Binding.init_static_locks()
+
+_verify_openssl_version(Binding.lib)
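Review bot: The `DeprecationWarning` category passed to `warnings.warn` in `_verify_openssl_version` is ignored by Python's default warning filters unless the warning is attributed to code in `__main__`. This call runs at import time from module scope in binding.py, so most applications linked against OpenSSL 1.0.1 will never see the message. Because the warning exists to tell operators that they depend on a crypto library its upstream no longer supports, a category that is shown by default would be more useful, for example `UserWarning` (or a project-specific subclass of it) in place of `DeprecationWarning`. A one-line docstring would also help, such as `"""Warn at import time when linked against OpenSSL older than 1.0.2 (LibreSSL is excluded)."""`. No test covering the warning is visible in this diff, so it is worth confirming that one exists for the `CRYPTOGRAPHY_OPENSSL_LESS_THAN_102` and `CRYPTOGRAPHY_IS_LIBRESSL` combinations.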