-rw-r--r--CHANGELOG.rst2
-rw-r--r--docs/faq.rst13
-rw-r--r--docs/installation.rst4
-rw-r--r--src/cryptography/hazmat/bindings/openssl/binding.py40
-rw-r--r--tests/hazmat/bindings/test_openssl.py8
-rw-r--r--tox.ini2
6 files changed, 51 insertions, 18 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 00ca808b..6b7126c7 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,8 @@ Changelog
.. note:: This version is not yet released and is under active development.
+* Support for OpenSSL 0.9.8 has been removed. Users on older version of OpenSSL
+ will need to upgrade.
1.3 - 2016-03-18
~~~~~~~~~~~~~~~~
diff --git a/docs/faq.rst b/docs/faq.rst
index 3456ba97..f00974b4 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -40,6 +40,19 @@ If you have no other libraries using OpenSSL in your process, or they do not
appear to be at fault, it's possible that this is a bug in ``cryptography``.
Please file an `issue`_ with instructions on how to reproduce it.
+Importing cryptography causes a ``RuntimeError`` about OpenSSL 0.9.8
+--------------------------------------------------------------------
+
+The OpenSSL project has dropped support for the 0.9.8 release series. Since it
+is no longer receiving security patches from upstream, ``cryptography`` is also
+dropping support for it. To fix this issue you should upgrade to a newer
+version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer
+operating system.
+
+For the 1.4 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_098``
+environment variable. Please note that this is *temporary* and will be removed
+in ``cryptography`` 1.5.
+
.. _`NaCl`: https://nacl.cr.yp.to/
.. _`PyNaCl`: https://pynacl.readthedocs.org
.. _`WSGIApplicationGroup`: https://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIApplicationGroup.html
diff --git a/docs/installation.rst b/docs/installation.rst
index 8c3c436b..38dc4863 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -39,8 +39,8 @@ OpenSSL releases:
.. warning::
OpenSSL versions 0.9.8 and 1.0.0 are no longer supported by the OpenSSL
- project. Support for OpenSSL 0.9.8 will be removed in the next
- ``cryptography`` release.
+ project. Cryptography 1.4 has dropped support for OpenSSL 0.9.8, see the
+ :doc:`FAQ </faq>` for more details.
On Windows
----------
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 5d7466f9..7727ad8d 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -10,7 +10,6 @@ import threading
import types
import warnings
-from cryptography import utils
from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings._openssl import ffi, lib
from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
@@ -217,6 +216,30 @@ class Binding(object):
)
+def _verify_openssl_version(version):
+ if version < 0x10000000:
+ if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_098"):
+ warnings.warn(
+ "OpenSSL version 0.9.8 is no longer supported by the OpenSSL "
+ "project, please upgrade. The next version of cryptography "
+ "will completely remove support for it.",
+ DeprecationWarning
+ )
+ else:
+ raise RuntimeError(
+ "You are linking against OpenSSL 0.9.8, which is no longer "
+ "support by the OpenSSL project. You need to upgrade to a "
+ "newer version of OpenSSL."
+ )
+ elif version < 0x10001000:
+ warnings.warn(
+ "OpenSSL versions less than 1.0.1 are no longer supported by the "
+ "OpenSSL project, please upgrade. A future version of "
+ "cryptography will drop support for these versions of OpenSSL.",
+ DeprecationWarning
+ )
+
+
# OpenSSL is not thread safe until the locks are initialized. We call this
# method in module scope so that it executes with the import lock. On
# Pythons < 3.4 this import lock is a global lock, which can prevent a race
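Review bot: In the opt-in branch of `_verify_openssl_version`, the warning is raised as `DeprecationWarning`, which Python's default filters ignore for library code. A process that sets `CRYPTOGRAPHY_ALLOW_OPENSSL_098` therefore keeps running against an OpenSSL that gets no upstream security fixes, with nothing shown to the operator. A category that is displayed by default, for example `UserWarning`, would keep the override visible in logs. The check is also plain truthiness, so `CRYPTOGRAPHY_ALLOW_OPENSSL_098=0` enables the override as well; if that is intended, a one-line docstring saying "any non-empty value opts in" would make it explicit. The `RuntimeError` text reads "no longer support by" and should be `"supported by the OpenSSL project. You need to upgrade to a "`.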
@@ -224,17 +247,4 @@ class Binding(object):
# is per module so this approach will not work.
Binding.init_static_locks()
-if Binding.lib.SSLeay() < 0x10000000:
- warnings.warn(
- "OpenSSL version 0.9.8 is no longer supported by the OpenSSL project, "
- "please upgrade. The next version of cryptography will drop support "
- "for it.",
- utils.DeprecatedIn12
- )
-elif Binding.lib.SSLeay() < 0x10001000:
- warnings.warn(
- "OpenSSL versions less than 1.0.1 are no longer supported by the "
- "OpenSSL project, please upgrade. A future version of cryptography "
- "will drop support for these versions.",
- DeprecationWarning
- )
+_verify_openssl_version(Binding.lib.SSLeay())
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 457799d3..34c23ab2 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -8,7 +8,7 @@ import pytest
from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings.openssl.binding import (
- Binding, _OpenSSLErrorWithText, _openssl_assert
+ Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version
)
@@ -175,3 +175,9 @@ class TestOpenSSL(object):
b'ex:data not multiple of block length'
)
)]
+
+ def test_verify_openssl_version(self, monkeypatch):
+ monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_098", raising=False)
+ with pytest.raises(RuntimeError):
+ # OpenSSL 0.9.8zg
+ _verify_openssl_version(0x9081DF)
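Review bot: `test_verify_openssl_version` covers only the refusal path, so nothing pins the override branch or the 1.0.0 warning branch of `_verify_openssl_version`. A second test that calls `monkeypatch.setenv("CRYPTOGRAPHY_ALLOW_OPENSSL_098", "1")` and then runs the same call under `with pytest.deprecated_call():` would catch a change that stops honouring the variable or drops the warning. The enclosing `TestOpenSSL` class starts outside the hunk.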
diff --git a/tox.ini b/tox.ini
index 4db19b82..e5efefcb 100644
--- a/tox.ini
+++ b/tox.ini
@@ -7,6 +7,8 @@ deps =
.[test]
./vectors
passenv = ARCHFLAGS LDFLAGS CFLAGS INCLUDE LIB LD_LIBRARY_PATH USERNAME
+setenv =
+ CRYPTOGRAPHY_ALLOW_OPENSSL_098=1
commands =
pip list
# We use parallel mode and then combine here so that coverage.py will take