Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 7970508cb9753e864386ebc2fbdd1a9c657cce4f / . / CHANGELOG.rst
blob: 414dac3ff6c6f66ceaf528165bcf863b14df99a0 [file] [log] [blame]
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]1Changelog
2=========
3
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100[diff] [blame]4Versions are year-based with a strict backward-compatibility policy.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]5The third digit is only for regressions.
6
Hynek Schlawack29add1d2016-10-16 11:20:04 +0200[diff] [blame]7
Hynek Schlawack79705082017-04-20 13:32:49 +0200[diff] [blame^]817.0.0 (2017-04-20)
Hynek Schlawack29add1d2016-10-16 11:20:04 +0200[diff] [blame]9-------------------
10
11Backward-incompatible changes:
12^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
13
14*none*
15
16
17Deprecations:
18^^^^^^^^^^^^^
19
20*none*
21
22
23Changes:
24^^^^^^^^
25
Thomas Sileoe15e60a2016-11-22 18:13:30 +0100[diff] [blame]26- Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains.
27 `#567 <https://github.com/pyca/pyopenssl/pull/567>`_
Cory Benfield496652a2017-01-24 11:42:56 +0000[diff] [blame]28- Added a collection of functions for working with OCSP stapling.
29 None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided.
30 Users will need to write their own code to handle OCSP assertions.
31 We specifically added: ``Context.set_ocsp_server_callback``, ``Context.set_ocsp_client_callback``, and ``Connection.request_ocsp``.
Cory Benfield685483b2017-01-24 14:00:45 +0000[diff] [blame]32 `#580 <https://github.com/pyca/pyopenssl/pull/580>`_
Cory Benfielde62840e2016-11-28 12:17:08 +0000[diff] [blame]33- Changed the ``SSL`` module's memory allocation policy to avoid zeroing memory it allocates when unnecessary.
34 This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation.
35 For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements.
36 `#578 <https://github.com/pyca/pyopenssl/pull/578>`_
Paul Kehrer6c6bf862016-12-19 06:03:48 -0600[diff] [blame]37- Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``.
38 `#575 <https://github.com/pyca/pyopenssl/pull/575>`_
Greg Bowser36eb2de2017-01-24 11:38:55 -0500[diff] [blame]39- Fix empty exceptions from ``OpenSSL.crypto.load_privatekey()``.
40 `#581 <https://github.com/pyca/pyopenssl/pull/581>`_
Hynek Schlawack29add1d2016-10-16 11:20:04 +0200[diff] [blame]41
42
43----
44
45
Hynek Schlawackc3b38e52016-10-15 14:56:14 +0200[diff] [blame]4616.2.0 (2016-10-15)
Paul Kehrer8e99fef2016-08-26 19:36:46 +0800[diff] [blame]47-------------------
48
49Backward-incompatible changes:
50^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
51
52*none*
53
54
55Deprecations:
56^^^^^^^^^^^^^
57
58*none*
59
60
61Changes:
62^^^^^^^^
63
Alex Gaynor0cc56372016-09-24 11:15:55 -0400[diff] [blame]64- Fixed compatibility errors with OpenSSL 1.1.0.
Paul Kehrerfe2a0a12016-10-06 12:00:54 +0200[diff] [blame]65- Fixed an issue that caused failures with subinterpreters and embedded Pythons.
66 `#552 <https://github.com/pyca/pyopenssl/pull/552>`_
Paul Kehrer8e99fef2016-08-26 19:36:46 +0800[diff] [blame]67
Hynek Schlawackc3b38e52016-10-15 14:56:14 +0200[diff] [blame]68
Paul Kehrer8e99fef2016-08-26 19:36:46 +0800[diff] [blame]69----
70
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]71
Paul Kehrerd0513ab2016-08-26 16:33:23 +0800[diff] [blame]7216.1.0 (2016-08-26)
Hynek Schlawack156f1742016-03-19 12:37:12 +0100[diff] [blame]73-------------------
74
75Backward-incompatible changes:
76^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
77
78*none*
79
80
81Deprecations:
82^^^^^^^^^^^^^
83
Alex Gaynor2a522852016-08-31 12:17:55 -0400[diff] [blame]84- Dropped support for OpenSSL 0.9.8.
Hynek Schlawack156f1742016-03-19 12:37:12 +0100[diff] [blame]85
86
87Changes:
88^^^^^^^^
89
Hynek Schlawack11e43ad2016-07-03 14:40:20 +0200[diff] [blame]90- Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``.
91 `#496 <https://github.com/pyca/pyopenssl/pull/496>`_
Dan Sully44e767a2016-06-04 18:05:27 -0700[diff] [blame]92- Enable use of CRL (and more) in verify context.
93 `#483 <https://github.com/pyca/pyopenssl/pull/483>`_
Paul Kehrer72d968b2016-07-29 15:31:04 +0800[diff] [blame]94- ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such.
95 `#439 <https://github.com/pyca/pyopenssl/pull/439>`_
Paul Kehrerd0513ab2016-08-26 16:33:23 +0800[diff] [blame]96- Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.
Hynek Schlawack156f1742016-03-19 12:37:12 +0100[diff] [blame]97
98
99----
100
101
Hynek Schlawackb62041b2016-03-19 10:00:09 +0100[diff] [blame]10216.0.0 (2016-03-19)
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]103-------------------
104
105This is the first release under full stewardship of PyCA.
106We have made *many* changes to make local development more pleasing.
107The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2.
Hynek Schlawackf6c96af2017-04-20 12:34:58 +0200[diff] [blame]108It has been moved to `pytest <https://docs.pytest.org/>`_, all CI test runs are part of `tox <https://tox.readthedocs.io/>`_ and the source code has been made fully `flake8 <https://flake8.readthedocs.io/>`_ compliant.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]109
Cory Benfield0820ac22015-10-28 17:39:28 +0900[diff] [blame]110We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]111
112
113Backward-incompatible changes:
114^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
115
116- Python 3.2 support has been dropped.
117 It never had significant real world usage and has been dropped by our main dependency ``cryptography``.
118 Affected users should upgrade to Python 3.3 or later.
119
120
121Deprecations:
122^^^^^^^^^^^^^
123
124- The support for EGD has been removed.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100[diff] [blame]125 The only affected function ``OpenSSL.rand.egd()`` now uses ``os.urandom()`` to seed the internal PRNG instead.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]126 Please see `pyca/cryptography#1636 <https://github.com/pyca/cryptography/pull/1636>`_ for more background information on this decision.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100[diff] [blame]127 In accordance with our backward compatibility policy ``OpenSSL.rand.egd()`` will be *removed* no sooner than a year from the release of 16.0.0.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]128
Hynek Schlawackc3b38e52016-10-15 14:56:14 +0200[diff] [blame]129 Please note that you should `use urandom <https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/>`_ for all your secure random number needs.
Hynek Schlawack046d3f42016-03-13 08:33:04 +0100[diff] [blame]130- Python 2.6 support has been deprecated.
131 Our main dependency ``cryptography`` deprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it.
132 pyOpenSSL will drop Python 2.6 support once ``cryptography`` does.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]133
134
135Changes:
136^^^^^^^^
137
Hynek Schlawackb875d512016-03-16 13:56:33 +0100[diff] [blame]138- Fixed ``OpenSSL.SSL.Context.set_session_id``, ``OpenSSL.SSL.Connection.renegotiate``, ``OpenSSL.SSL.Connection.renegotiate_pending``, and ``OpenSSL.SSL.Context.load_client_ca``.
Hynek Schlawackb1f3ca82016-02-13 09:10:04 +0100[diff] [blame]139 They were lacking an implementation since 0.14.
Hynek Schlawackb875d512016-03-16 13:56:33 +0100[diff] [blame]140 `#422 <https://github.com/pyca/pyopenssl/pull/422>`_
Paul Kehrer8fc6ec02016-03-02 13:20:58 -0600[diff] [blame]141- Fixed segmentation fault when using keys larger than 4096-bit to sign data.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100[diff] [blame]142 `#428 <https://github.com/pyca/pyopenssl/pull/428>`_
143- Fixed ``AttributeError`` when ``OpenSSL.SSL.Connection.get_app_data()`` was called before setting any app data.
144 `#304 <https://github.com/pyca/pyopenssl/pull/304>`_
145- Added ``OpenSSL.crypto.dump_publickey()`` to dump ``OpenSSL.crypto.PKey`` objects that represent public keys, and ``OpenSSL.crypto.load_publickey()`` to load such objects from serialized representations.
146 `#382 <https://github.com/pyca/pyopenssl/pull/382>`_
147- Added ``OpenSSL.crypto.dump_crl()`` to dump a certificate revocation list out to a string buffer.
148 `#368 <https://github.com/pyca/pyopenssl/pull/368>`_
Hynek Schlawackea94f2b2016-03-13 16:17:53 +0100[diff] [blame]149- Added ``OpenSSL.SSL.Connection.get_state_string()`` using the OpenSSL binding ``state_string_long``.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100[diff] [blame]150 `#358 <https://github.com/pyca/pyopenssl/pull/358>`_
151- Added support for the ``socket.MSG_PEEK`` flag to ``OpenSSL.SSL.Connection.recv()`` and ``OpenSSL.SSL.Connection.recv_into()``.
152 `#294 <https://github.com/pyca/pyopenssl/pull/294>`_
153- Added ``OpenSSL.SSL.Connection.get_protocol_version()`` and ``OpenSSL.SSL.Connection.get_protocol_version_name()``.
154 `#244 <https://github.com/pyca/pyopenssl/pull/244>`_
155- Switched to ``utf8string`` mask by default.
156 OpenSSL formerly defaulted to a ``T61String`` if there were UTF-8 characters present.
157 This was changed to default to ``UTF8String`` in the config around 2005, but the actual code didn't change it until late last year.
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]158 This will default us to the setting that actually works.
159 To revert this you can call ``OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")``.
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100[diff] [blame]160 `#234 <https://github.com/pyca/pyopenssl/pull/234>`_
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]161
162
Hynek Schlawack65e4def2016-03-13 15:07:52 +0100[diff] [blame]163----
164
Hynek Schlawack682443f2015-10-25 16:15:12 +0100[diff] [blame]165
166Older Changelog Entries
167-----------------------
168
Hynek Schlawack0cc61542016-01-19 14:09:32 +0100[diff] [blame]169The changes from before release 16.0.0 are preserved in the `repository <https://github.com/pyca/pyopenssl/blob/master/doc/ChangeLog_old.txt>`_.