| Alex Stapleton | c5fffd3 | 2014-03-18 15:29:00 +0000 | [diff] [blame] | 1 | Frequently asked questions |
| Alex Gaynor | de06b29 | 2014-02-18 16:40:09 -0800 | [diff] [blame] | 2 | ========================== |
| 3 | |
| Paul Kehrer | c38e550 | 2017-06-19 00:54:12 -1000 | [diff] [blame] | 4 | ``cryptography`` failed to install! |
| 5 | ----------------------------------- |
| 6 | |
| 7 | If you are having issues installing ``cryptography`` the first troubleshooting |
| 8 | step is to upgrade ``pip`` and then try to install again. For most users this will |
| 9 | take the form of ``pip install -U pip``, but on Windows you should do |
| 10 | ``python -m pip install -U pip``. If you are still seeing errors after upgrading |
| 11 | and trying ``pip install cryptography`` again, please see the :doc:`/installation` |
| 12 | documentation. |
| 13 | |
| Alex Gaynor | 59a6bc6 | 2014-02-18 18:13:48 -0800 | [diff] [blame] | 14 | How does ``cryptography`` compare to NaCl (Networking and Cryptography Library)? |
| Alex Gaynor | de06b29 | 2014-02-18 16:40:09 -0800 | [diff] [blame] | 15 | -------------------------------------------------------------------------------- |
| 16 | |
| 17 | While ``cryptography`` and `NaCl`_ both share the goal of making cryptography |
| 18 | easier, and safer, to use for developers, ``cryptography`` is designed to be a |
| Alex Gaynor | c37adab | 2014-02-18 16:46:58 -0800 | [diff] [blame] | 19 | general purpose library, interoperable with existing systems, while NaCl |
| 20 | features a collection of hand selected algorithms. |
| Alex Gaynor | de06b29 | 2014-02-18 16:40:09 -0800 | [diff] [blame] | 21 | |
| Alex Gaynor | 5809d48 | 2014-02-19 13:33:18 -0800 | [diff] [blame] | 22 | ``cryptography``'s :ref:`recipes <cryptography-layout>` layer has similar goals |
| 23 | to NaCl. |
| Alex Gaynor | de06b29 | 2014-02-18 16:40:09 -0800 | [diff] [blame] | 24 | |
| Alex Gaynor | 3e73724 | 2018-08-29 22:27:36 -0400 | [diff] [blame] | 25 | If you prefer NaCl's design, we highly recommend `PyNaCl`_, which is also |
| 26 | maintained by the PyCA team. |
| Alex Gaynor | de06b29 | 2014-02-18 16:40:09 -0800 | [diff] [blame] | 27 | |
| Paul Kehrer | f916dfc | 2017-05-27 14:24:28 -0500 | [diff] [blame] | 28 | Why use ``cryptography``? |
| 29 | ------------------------- |
| 30 | |
| 31 | If you've done cryptographic work in Python before you have likely encountered |
| 32 | other libraries in Python such as *M2Crypto*, *PyCrypto*, or *PyOpenSSL*. In |
| 33 | building ``cryptography`` we wanted to address a few issues we observed in the |
| 34 | legacy libraries: |
| 35 | |
| 36 | * Extremely error prone APIs and insecure defaults. |
| 37 | * Use of poor implementations of algorithms (i.e. ones with known side-channel |
| 38 | attacks). |
| 39 | * Lack of maintenance. |
| 40 | * Lack of high level APIs. |
| 41 | * Lack of PyPy and Python 3 support. |
| Paul Kehrer | f916dfc | 2017-05-27 14:24:28 -0500 | [diff] [blame] | 42 | * Absence of algorithms such as |
| 43 | :class:`AES-GCM <cryptography.hazmat.primitives.ciphers.modes.GCM>` and |
| 44 | :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`. |
| 45 | |
| Alex Gaynor | 0604944 | 2017-03-15 12:21:45 -0400 | [diff] [blame] | 46 | Compiling ``cryptography`` on macOS produces a ``fatal error: 'openssl/aes.h' file not found`` error |
| 47 | ---------------------------------------------------------------------------------------------------- |
| Alex Gaynor | c77db59 | 2016-03-09 07:12:06 -0500 | [diff] [blame] | 48 | |
| Alex Gaynor | 0604944 | 2017-03-15 12:21:45 -0400 | [diff] [blame] | 49 | This happens because macOS 10.11 no longer includes a copy of OpenSSL. |
| Alex Gaynor | c77db59 | 2016-03-09 07:12:06 -0500 | [diff] [blame] | 50 | ``cryptography`` now provides wheels which include a statically linked copy of |
| 51 | OpenSSL. You're seeing this error because your copy of pip is too old to find |
| 52 | our wheel files. Upgrade your copy of pip with ``pip install -U pip`` and then |
| 53 | try install ``cryptography`` again. |
| Alex Gaynor | 0fa997b | 2016-03-09 07:13:04 -0500 | [diff] [blame] | 54 | |
| Alex Gaynor | e660ffe | 2017-04-09 09:19:02 -0400 | [diff] [blame] | 55 | If you are using PyPy, we do not currently ship ``cryptography`` wheels for |
| 56 | PyPy. You will need to install your own copy of OpenSSL -- we recommend using |
| 57 | Homebrew. |
| 58 | |
| Paul Kehrer | fcf6fca | 2016-03-12 16:21:24 -0400 | [diff] [blame] | 59 | ``cryptography`` raised an ``InternalError`` and I'm not sure what to do? |
| 60 | ------------------------------------------------------------------------- |
| 61 | |
| 62 | Frequently ``InternalError`` is raised when there are errors on the OpenSSL |
| 63 | error stack that were placed there by other libraries that are also using |
| 64 | OpenSSL. Try removing the other libraries and see if the problem persists. |
| Paul Kehrer | 4e9bd8c | 2016-03-12 16:33:39 -0400 | [diff] [blame] | 65 | If you have no other libraries using OpenSSL in your process, or they do not |
| 66 | appear to be at fault, it's possible that this is a bug in ``cryptography``. |
| 67 | Please file an `issue`_ with instructions on how to reproduce it. |
| Paul Kehrer | fcf6fca | 2016-03-12 16:21:24 -0400 | [diff] [blame] | 68 | |
| Paul Kehrer | c7ecb45 | 2017-09-12 10:26:33 +0800 | [diff] [blame] | 69 | error: ``-Werror=sign-conversion``: No option ``-Wsign-conversion`` during installation |
| 70 | --------------------------------------------------------------------------------------- |
| 71 | |
| 72 | The compiler you are using is too old and not supported by ``cryptography``. |
| 73 | Please upgrade to a more recent version. If you are running OpenBSD 6.1 or |
| 74 | earlier the default compiler is extremely old. Use ``pkg_add`` to install a |
| 75 | newer ``gcc`` and then install ``cryptography`` using |
| 76 | ``CC=/path/to/newer/gcc pip install cryptography``. |
| 77 | |
| Paul Kehrer | d0db04c | 2017-10-12 12:38:06 +0800 | [diff] [blame] | 78 | Installing ``cryptography`` fails with ``Invalid environment marker: python_version < '3'`` |
| 79 | ------------------------------------------------------------------------------------------- |
| 80 | |
| 81 | Your ``pip`` and/or ``setuptools`` are outdated. Please upgrade to the latest |
| 82 | versions with ``pip install -U pip setuptools`` (or on Windows |
| 83 | ``python -m pip install -U pip setuptools``). |
| 84 | |
| Alex Gaynor | 0e8cdf1 | 2016-12-13 21:05:35 -0500 | [diff] [blame] | 85 | Installing cryptography with OpenSSL 0.9.8 or 1.0.0 fails |
| 86 | --------------------------------------------------------- |
| Alex Gaynor | 29b2ebc | 2016-11-22 09:25:17 -0500 | [diff] [blame] | 87 | |
| Alex Gaynor | 0e8cdf1 | 2016-12-13 21:05:35 -0500 | [diff] [blame] | 88 | The OpenSSL project has dropped support for the 0.9.8 and 1.0.0 release series. |
| 89 | Since they are no longer receiving security patches from upstream, |
| 90 | ``cryptography`` is also dropping support for them. To fix this issue you |
| Alex Gaynor | 6534706 | 2018-08-29 22:15:49 -0400 | [diff] [blame] | 91 | should upgrade to a newer version of OpenSSL (1.0.2 or later). This may require |
| Alex Gaynor | 0e8cdf1 | 2016-12-13 21:05:35 -0500 | [diff] [blame] | 92 | you to upgrade to a newer operating system. |
| Alex Gaynor | 5d38206 | 2016-03-19 12:02:14 -0400 | [diff] [blame] | 93 | |
| Alex Gaynor | 0fa997b | 2016-03-09 07:13:04 -0500 | [diff] [blame] | 94 | .. _`NaCl`: https://nacl.cr.yp.to/ |
| Alex Gaynor | 988df9b | 2016-04-28 10:57:16 -0400 | [diff] [blame] | 95 | .. _`PyNaCl`: https://pynacl.readthedocs.io |
| 96 | .. _`WSGIApplicationGroup`: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIApplicationGroup.html |
| Paul Kehrer | 4e9bd8c | 2016-03-12 16:33:39 -0400 | [diff] [blame] | 97 | .. _`issue`: https://github.com/pyca/cryptography/issues |