From 29b2ebc480a7be6b2da69e2e74ea86d4e5e816da Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 22 Nov 2016 09:25:17 -0500 Subject: Error out on OpenSSL 1.0.0 by default (#3276) * Error out on OpenSSL 1.0.0 by default * what the heck --- CHANGELOG.rst | 2 ++ docs/faq.rst | 17 +++++++++++++---- docs/installation.rst | 4 ++-- src/cryptography/hazmat/bindings/openssl/binding.py | 19 +++++++++++++------ tests/hazmat/bindings/test_openssl.py | 8 +++++++- tox.ini | 2 ++ 6 files changed, 39 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index c99a58ad..1a51c42e 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -6,6 +6,8 @@ Changelog .. note:: This version is not yet released and is under active development. +* Support for OpenSSL 1.0.0 has been removed. Users on older version of OpenSSL + will need to upgrade. 1.6 - 2016-11-22 ~~~~~~~~~~~~~~~~ diff --git a/docs/faq.rst b/docs/faq.rst index 2ddc5db8..76117a91 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -40,6 +40,19 @@ If you have no other libraries using OpenSSL in your process, or they do not appear to be at fault, it's possible that this is a bug in ``cryptography``. Please file an `issue`_ with instructions on how to reproduce it. +Importing cryptography causes a ``RuntimeError`` about OpenSSL 1.0.0 +-------------------------------------------------------------------- + +The OpenSSL project has dropped support for the 1.0.0 release series. Since it +is no longer receiving security patches from upstream, ``cryptography`` is also +dropping support for it. To fix this issue you should upgrade to a newer +version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer +operating system. + +For the 1.7 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_100`` +environment variable. Please note that this is *temporary* and will be removed +in ``cryptography`` 1.8. + Installing cryptography with OpenSSL 0.9.8 fails ------------------------------------------------ 
@@ -49,10 +62,6 @@ dropping support for it. To fix this issue you should upgrade to a newer version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer operating system. -In ``cryptography`` 1.4, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_098`` -environment variable. Please note that this is *temporary* and is removed in -``cryptography`` 1.5. - .. _`NaCl`: https://nacl.cr.yp.to/ .. _`PyNaCl`: https://pynacl.readthedocs.io .. _`WSGIApplicationGroup`: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIApplicationGroup.html diff --git a/docs/installation.rst b/docs/installation.rst index 724c63d0..e1818d36 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -37,8 +37,8 @@ OpenSSL releases: * ``OpenSSL 1.1.0`` .. warning:: - OpenSSL 1.0.0 is no longer supported by the OpenSSL project. Cryptography - will drop support for it in the next release. + Cryptography 1.7 has dropped support for OpenSSL 1.0.0, see the + :doc:`FAQ ` for more details Building cryptography on Windows -------------------------------- diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 25849bf3..19151b0e 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py 
@@ -191,12 +191,19 @@ class Binding(object): def _verify_openssl_version(version): if version < 0x10001000: - warnings.warn( - "OpenSSL version 1.0.0 is no longer supported by the OpenSSL " - "project, please upgrade. The next version of cryptography will " - "drop support for it.", - DeprecationWarning - ) + if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_100"): + warnings.warn( + "OpenSSL version 1.0.0 is no longer supported by the OpenSSL " + "project, please upgrade. The next version of cryptography " + "will completely remove support for it.", + DeprecationWarning + ) + else: + raise RuntimeError( + "You are linking against OpenSSL 1.0.0, which is no longer " + "support by the OpenSSL project. You need to upgrade to a " + "newer version of OpenSSL." + ) # OpenSSL is not thread safe until the locks are initialized. We call this diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index bbdd87ca..3e01717c 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -8,7 +8,7 @@ import pytest from cryptography.exceptions import InternalError from cryptography.hazmat.bindings.openssl.binding import ( - Binding, _OpenSSLErrorWithText, _openssl_assert + Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version ) @@ -107,3 +107,9 @@ class TestOpenSSL(object): b'ex:data not multiple of block length' ) )] + + def test_verify_openssl_version(self, monkeypatch): + monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_100", raising=False) + with pytest.raises(RuntimeError): + # OpenSSL 1.0.0 + _verify_openssl_version(0x100000F) diff --git a/tox.ini b/tox.ini index 944ef852..ce80b184 100644 --- a/tox.ini +++ b/tox.ini @@ -8,6 +8,8 @@ deps = coverage ./vectors passenv = ARCHFLAGS LDFLAGS CFLAGS INCLUDE LIB LD_LIBRARY_PATH USERNAME +setenv = + CRYPTOGRAPHY_ALLOW_OPENSSL_100=1 commands = pip list # We use parallel mode and then combine here so that coverage.py will take -- cgit v1.2.3
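Review bot: The RuntimeError message added in the else branch has a typo that users will see at import time: `"support by the OpenSSL project. You need to upgrade to a "` should read `"supported by the OpenSSL project. You need to upgrade to a "`. The override branch reads `os.environ`, but the hunk adds no `import os`; if binding.py does not already import it (the module header is outside the hunk), the 1.0.0 path would raise NameError rather than the intended error, which is worth confirming. Also note that `DeprecationWarning` is ignored by the default warning filters, so with `CRYPTOGRAPHY_ALLOW_OPENSSL_100` set a process linked against the unpatched 1.0.0 series gets no visible signal at all; if the escape hatch is meant to stay noticeable, emitting it as `UserWarning` (or a project-specific subclass) would surface it. Finally, `os.environ.get(...)` is tested for truthiness, so any non-empty value, including `"0"` or `"false"`, enables the override; a one-line comment stating that the variable is a presence check, not a boolean, would prevent surprises.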
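Review bot: The new test_verify_openssl_version pins only the default path; the `CRYPTOGRAPHY_ALLOW_OPENSSL_100` branch, which downgrades the hard failure to a DeprecationWarning, is not exercised, so a regression there (or the variable being ignored) would still pass CI. A companion test that sets the variable and asserts on the warning would cover both halves of the contract; since DeprecationWarning is filtered out by default, `pytest.warns` is the right tool because it records warnings regardless of the global filter. The enclosing TestOpenSSL class starts outside the hunk.
```python
    # … unchanged: test_verify_openssl_version …

    def test_verify_openssl_version_allowed(self, monkeypatch):
        monkeypatch.setenv("CRYPTOGRAPHY_ALLOW_OPENSSL_100", "1")
        with pytest.warns(DeprecationWarning):
            # OpenSSL 1.0.0
            _verify_openssl_version(0x100000F)
```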