From 1c186772f6fd64180bd3387de2e1ef1a6d1ba58e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 18 Oct 2019 08:47:15 -0400 Subject: Fixes #5018 -- break users on OpenSSL 1.0.1 (#5022) * Fixes #5018 -- break users on OpenSSL 1.0.1 * Grammar * Syntax error * Missing import * Missing import --- CHANGELOG.rst | 3 +++ docs/faq.rst | 13 +++++++++++++ docs/installation.rst | 4 ++-- src/cryptography/hazmat/bindings/openssl/binding.py | 20 ++++++++++++++------ tests/hazmat/bindings/test_openssl.py | 14 +++++++++++++- tox.ini | 2 ++ 6 files changed, 47 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 228c5f43..607f67b8 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,9 @@ Changelog .. note:: This version is not yet released and is under active development. +* Support for OpenSSL 1.0.1 has been removed. Users on older version of OpenSSL + will need to upgrade. + .. _v2-8: 2.8 - 2019-10-16 diff --git a/docs/faq.rst b/docs/faq.rst index 6d876610..235da672 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -82,6 +82,19 @@ Your ``pip`` and/or ``setuptools`` are outdated. Please upgrade to the latest versions with ``pip install -U pip setuptools`` (or on Windows ``python -m pip install -U pip setuptools``). +Importing cryptography causes a ``RuntimeError`` about OpenSSL 1.0.1 +-------------------------------------------------------------------- + +The OpenSSL project has dropped support for the 1.0.1 release series. Since it +is no longer receiving security patches from upstream, ``cryptography`` is also +dropping support for it. To fix this issue you should upgrade to a newer +version of OpenSSL (1.0.2 or later). This may require you to upgrade to a newer +operating system. + +For the 2.9 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_101`` +environment variable. Please note that this is *temporary* and will be removed +in ``cryptography`` 3.0. + Installing cryptography with OpenSSL 0.9.8 or 1.0.0 fails --------------------------------------------------------- diff --git a/docs/installation.rst b/docs/installation.rst index 2c83f33a..fc3fa894 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -32,8 +32,8 @@ OpenSSL releases: * ``OpenSSL 1.1.1-latest`` .. warning:: - OpenSSL 1.0.1 is no longer supported by the OpenSSL project. Cryptography - will drop support for it in the next release. + Cryptography 2.9 has dropped support for OpenSSL 1.0.1, see the + :doc:`FAQ ` for more details Building cryptography on Windows -------------------------------- diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 97405162..1e0f34c9 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -5,6 +5,7 @@ from __future__ import absolute_import, division, print_function import collections +import os import threading import types import warnings 
@@ -156,12 +157,19 @@ def _verify_openssl_version(lib): lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and not lib.CRYPTOGRAPHY_IS_LIBRESSL ): - warnings.warn( - "OpenSSL version 1.0.1 is no longer supported by the OpenSSL " - "project, please upgrade. The next version of cryptography will " - "drop support for it.", - utils.CryptographyDeprecationWarning - ) + if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_101"): + warnings.warn( + "OpenSSL version 1.0.1 is no longer supported by the OpenSSL " + "project, please upgrade. The next version of cryptography " + "will completely remove support for it.", + utils.CryptographyDeprecationWarning + ) + else: + raise RuntimeError( + "You are linking against OpenSSL 1.0.1, which is no longer " + "supported by the OpenSSL project. You need to upgrade to a " + "newer version of OpenSSL." + ) def _verify_package_version(version): diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 29a1c459..e9bcc18e 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -4,11 +4,14 @@ from __future__ import absolute_import, division, print_function +import pretend + import pytest from cryptography.exceptions import InternalError from cryptography.hazmat.bindings.openssl.binding import ( - Binding, _consume_errors, _openssl_assert, _verify_package_version + Binding, _consume_errors, _openssl_assert, _verify_openssl_version, + _verify_package_version ) @@ -122,3 +125,12 @@ class TestOpenSSL(object): def test_version_mismatch(self): with pytest.raises(ImportError): _verify_package_version("nottherightversion") + + def test_verify_openssl_version(self, monkeypatch): + monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_101", raising=False) + lib = pretend.stub( + CRYPTOGRAPHY_OPENSSL_LESS_THAN_102=True, + CRYPTOGRAPHY_IS_LIBRESSL=False + ) + with pytest.raises(RuntimeError): + _verify_openssl_version(lib) diff --git a/tox.ini b/tox.ini index 7de764f7..6c414973 100644 
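Review bot: The opt-out in `_verify_openssl_version` is a truthiness test, so `os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_101")` accepts any non-empty value, and `CRYPTOGRAPHY_ALLOW_OPENSSL_101=0` or `=false` still lets the process run on an OpenSSL series that no longer receives security patches. Either compare against an explicit value, `if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_101") == "1":`, or record the semantics in a comment above the check, `# Any non-empty value opts in; temporary escape hatch, removed in 3.0.`. The new `RuntimeError` text also gives no pointer to the FAQ entry added in this commit, which is where a user who hits the error at import would find the remedy. The function's opening `if (` lies above the hunk, so the full condition is not visible here.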
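Review bot: `test_verify_openssl_version` covers only the branch that raises. The path where `CRYPTOGRAPHY_ALLOW_OPENSSL_101` is set and the deprecation warning is emitted has no test, so a regression that turns the override into a silent pass or into a hard failure would go unnoticed. A second test that sets the variable with `monkeypatch.setenv` and asserts the warning would pin that behaviour. It needs `utils` imported from `cryptography` in this test module, which the visible import hunk does not add. A case with `CRYPTOGRAPHY_IS_LIBRESSL=True` asserting that nothing is raised would be worth adding in the same way.

```python
    def test_verify_openssl_version_allowed_by_env(self, monkeypatch):
        # Any non-empty value currently enables the override.
        monkeypatch.setenv("CRYPTOGRAPHY_ALLOW_OPENSSL_101", "1")
        lib = pretend.stub(
            CRYPTOGRAPHY_OPENSSL_LESS_THAN_102=True,
            CRYPTOGRAPHY_IS_LIBRESSL=False
        )
        with pytest.warns(utils.CryptographyDeprecationWarning):
            _verify_openssl_version(lib)
```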
--- a/tox.ini +++ b/tox.ini @@ -13,6 +13,8 @@ deps = ./vectors randomorder: pytest-randomly passenv = ARCHFLAGS LDFLAGS CFLAGS INCLUDE LIB LD_LIBRARY_PATH USERNAME PYTHONIOENCODING +setenv = + CRYPTOGRAPHY_ALLOW_OPENSSL_101=1 commands = pip list # We use parallel mode and then combine here so that coverage.py will take -- cgit v1.2.3
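Review bot: The new `setenv` block enables `CRYPTOGRAPHY_ALLOW_OPENSSL_101` for every tox environment, with no comment saying why or when it goes away. The suite therefore runs with the override on everywhere, and only the unit test that calls `monkeypatch.delenv` sees the default behaviour. A comment line above the `setenv =` key would record the intent, e.g. `# Temporary: keeps environments linked against OpenSSL 1.0.1 importable; remove together with the override in 3.0.`. Presumably this exists for CI builders still on 1.0.1; if so, scoping the variable to those environments would keep the remaining ones on the default path.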