-rw-r--r--.mention-bot2
-rw-r--r--CHANGELOG.rst6
-rw-r--r--docs/development/submitting-patches.rst4
-rw-r--r--docs/hazmat/bindings/openssl.rst2
-rw-r--r--docs/hazmat/primitives/asymmetric/serialization.rst6
-rw-r--r--docs/installation.rst21
-rw-r--r--docs/limitations.rst2
-rw-r--r--docs/x509/reference.rst3
-rw-r--r--src/_cffi_src/build_constant_time.py5
-rw-r--r--src/_cffi_src/build_openssl.py6
-rw-r--r--src/_cffi_src/build_padding.py5
-rw-r--r--src/_cffi_src/utils.py27
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py9
-rw-r--r--src/cryptography/hazmat/bindings/openssl/binding.py9
-rw-r--r--tests/test_x509.py6
-rw-r--r--tests/test_x509_ext.py22
16 files changed, 106 insertions, 29 deletions
diff --git a/.mention-bot b/.mention-bot
index 3c998c98..d87cb33a 100644
--- a/.mention-bot
+++ b/.mention-bot
@@ -1,3 +1,3 @@
{
- "userBlacklist": ["dreid"]
+ "userBlacklist": ["dreid", "exarkun"]
}
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 74749062..717c9e71 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -17,6 +17,10 @@ Changelog
* :class:`~cryptography.x509.CertificateIssuer`
* :class:`~cryptography.x509.CRLReason`
* :class:`~cryptography.x509.InvalidityDate`
+* Deprecated support for OpenSSL 0.9.8 and 1.0.0. At this time there is no time
+ table for actually dropping support, however we strongly encourage all users
+ to upgrade, as those versions no longer receives support from the OpenSSL
+ project.
* The :class:`~cryptography.x509.Certificate` class now has
:attr:`~cryptography.x509.Certificate.signature` and
:attr:`~cryptography.x509.Certificate.tbs_certificate_bytes` attributes.
@@ -45,6 +49,8 @@ Changelog
* Added :class:`~cryptography.x509.CertificateRevocationListBuilder` and
:class:`~cryptography.x509.RevokedCertificateBuilder` to allow creation of
CRLs.
+* Unrecognized non-critical X.509 extensions are now parsed into an
+ :class:`~cryptography.x509.UnrecognizedExtension` object.
1.1.2 - 2015-12-10
~~~~~~~~~~~~~~~~~~
diff --git a/docs/development/submitting-patches.rst b/docs/development/submitting-patches.rst
index 66105843..563bc81f 100644
--- a/docs/development/submitting-patches.rst
+++ b/docs/development/submitting-patches.rst
@@ -151,6 +151,6 @@ So, specifically:
.. _`Write comments as complete sentences.`: http://nedbatchelder.com/blog/201401/comments_should_be_sentences.html
.. _`syntax`: http://sphinx-doc.org/domains.html#info-field-lists
-.. _`Studies have shown`: https://smartbear.com/smartbear/media/pdfs/wp-cc-11-best-practices-of-peer-code-review.pdf
+.. _`Studies have shown`: https://smartbear.com/SmartBear/media/pdfs/11_Best_Practices_for_Peer_Code_Review.pdf
.. _`our mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev
-.. _`doc8`: https://github.com/stackforge/doc8
+.. _`doc8`: https://github.com/openstack/doc8
diff --git a/docs/hazmat/bindings/openssl.rst b/docs/hazmat/bindings/openssl.rst
index 0ec0a3d6..99cd7a48 100644
--- a/docs/hazmat/bindings/openssl.rst
+++ b/docs/hazmat/bindings/openssl.rst
@@ -46,4 +46,4 @@ OpenSSL.
.. _`CFFI`: https://cffi.readthedocs.org/
.. _`OpenSSL`: https://www.openssl.org/
-.. _`thread safety facilities`: https://www.openssl.org/docs/crypto/threads.html
+.. _`thread safety facilities`: https://www.openssl.org/docs/manmaster/crypto/threads.html
diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst
index 89028c8e..b94c0e10 100644
--- a/docs/hazmat/primitives/asymmetric/serialization.rst
+++ b/docs/hazmat/primitives/asymmetric/serialization.rst
@@ -141,7 +141,8 @@ all begin with ``-----BEGIN {format}-----`` and end with ``-----END
.. versionadded:: 0.6
Deserialize a public key from PEM encoded data to one of the supported
- asymmetric public key types.
+ asymmetric public key types. The PEM encoded data is typically a
+ ``subjectPublicKeyInfo`` payload as specified in :rfc:`5280`.
.. doctest::
@@ -226,7 +227,8 @@ the rest.
.. versionadded:: 0.8
Deserialize a public key from DER encoded data to one of the supported
- asymmetric public key types.
+ asymmetric public key types. The DER encoded data is typically a
+ ``subjectPublicKeyInfo`` payload as specified in :rfc:`5280`.
:param bytes data: The DER encoded key data.
diff --git a/docs/installation.rst b/docs/installation.rst
index 16c42d2d..f9d2261a 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -21,6 +21,10 @@ Currently we test ``cryptography`` on Python 2.6, 2.7, 3.3, 3.4, 3.5, and PyPy
* x86-64 Debian Wheezy (7.x), Jessie (8.x), and Debian Sid (unstable)
* 32-bit and 64-bit Python on 64-bit Windows Server 2012
+.. warning::
+ Python 2.6 is no longer supported by the Python core team. A future version
+ of cryptography will drop support for this version.
+
We test compiling with ``clang`` as well as ``gcc`` and use the following
OpenSSL releases:
@@ -33,6 +37,11 @@ OpenSSL releases:
* ``OpenSSL 1.0.1f``
* ``OpenSSL 1.0.2-latest``
+.. warning::
+ OpenSSL versions 0.9.8 and 1.0.0 are no longer supported by the OpenSSL
+ project. A future version of cryptography will drop support for these
+ releases.
+
On Windows
----------
@@ -58,6 +67,8 @@ to include the proper locations. For example:
C:\> set INCLUDE=C:\OpenSSL-win64\include;%INCLUDE%
C:\> pip install cryptography
+If you need to rebuild ``cryptography`` for any reason be sure to clear the
+local `wheel cache`_.
.. _build-on-linux:
@@ -173,7 +184,7 @@ Building cryptography on OS X
-----------------------------
The wheel package on OS X is a statically linked build (as of 1.0.1) so for
-users on 10.10 (Yosemite) and above you only need one step:
+users with pip 1.5 or above you only need one step:
.. code-block:: console
@@ -182,8 +193,8 @@ users on 10.10 (Yosemite) and above you only need one step:
If you want to build cryptography yourself or are on an older OS X version
cryptography requires the presence of a C compiler, development headers, and
the proper libraries. On OS X much of this is provided by Apple's Xcode
-development tools. To install the Xcode command line tools open a terminal
-window and run:
+development tools. To install the Xcode command line tools (on OS X 10.9+)
+open a terminal window and run:
.. code-block:: console
@@ -227,6 +238,9 @@ You can also build cryptography statically:
$ sudo port install openssl
$ env CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 LDFLAGS="/opt/local/lib/libssl.a /opt/local/lib/libcrypto.a" CFLAGS="-I/opt/local/include" pip install cryptography
+If you need to rebuild ``cryptography`` for any reason be sure to clear the
+local `wheel cache`_.
+
Building cryptography with conda
--------------------------------
@@ -257,3 +271,4 @@ information, consult `Greg Wilson's blog post`_ on the subject.
.. _`Greg Wilson's blog post`: http://software-carpentry.org/blog/2014/04/mr-biczo-was-right.html
.. _virtualenv: https://virtualenv.pypa.io/en/latest/
.. _openssl.org: https://openssl.org/source/
+.. _`wheel cache`: https://pip.pypa.io/en/stable/reference/pip_install/#caching
diff --git a/docs/limitations.rst b/docs/limitations.rst
index 0dfc49ca..503bdfe4 100644
--- a/docs/limitations.rst
+++ b/docs/limitations.rst
@@ -15,5 +15,5 @@ software in Python is potentially vulnerable to this attack. The
Likelihood: unlikely, Remediation Cost: expensive to repair" and we do not
consider this a high risk for most users.
-.. _`Memory wiping`: http://blogs.msdn.com/b/oldnewthing/archive/2013/05/29/10421912.aspx
+.. _`Memory wiping`: https://blogs.msdn.microsoft.com/oldnewthing/20130529-00/?p=4223/
.. _`CERT secure coding guidelines`: https://www.securecoding.cert.org/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index df17f954..8bb3f40d 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -2435,7 +2435,8 @@ Exceptions
.. class:: UnsupportedExtension
- This is raised when a certificate contains an unsupported extension type.
+ This is raised when a certificate contains an unsupported extension type
+ that is marked ``critical``.
.. attribute:: oid
diff --git a/src/_cffi_src/build_constant_time.py b/src/_cffi_src/build_constant_time.py
index 6d9a8f54..7a11f7b5 100644
--- a/src/_cffi_src/build_constant_time.py
+++ b/src/_cffi_src/build_constant_time.py
@@ -5,9 +5,8 @@
from __future__ import absolute_import, division, print_function
import os
-import sys
-from _cffi_src.utils import build_ffi, extra_link_args
+from _cffi_src.utils import build_ffi, compiler_type, extra_link_args
with open(os.path.join(
@@ -24,5 +23,5 @@ ffi = build_ffi(
module_name="_constant_time",
cdef_source=types,
verify_source=functions,
- extra_link_args=extra_link_args(sys.platform),
+ extra_link_args=extra_link_args(compiler_type()),
)
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index c856e3d9..c47b3082 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -7,7 +7,9 @@ from __future__ import absolute_import, division, print_function
import os
import sys
-from _cffi_src.utils import build_ffi_for_binding, extra_link_args
+from _cffi_src.utils import (
+ build_ffi_for_binding, compiler_type, extra_link_args
+)
def _get_openssl_libraries(platform):
@@ -92,5 +94,5 @@ ffi = build_ffi_for_binding(
pre_include=_OSX_PRE_INCLUDE,
post_include=_OSX_POST_INCLUDE,
libraries=_get_openssl_libraries(sys.platform),
- extra_link_args=extra_link_args(sys.platform),
+ extra_link_args=extra_link_args(compiler_type()),
)
diff --git a/src/_cffi_src/build_padding.py b/src/_cffi_src/build_padding.py
index 5df93d80..4c5096a1 100644
--- a/src/_cffi_src/build_padding.py
+++ b/src/_cffi_src/build_padding.py
@@ -5,9 +5,8 @@
from __future__ import absolute_import, division, print_function
import os
-import sys
-from _cffi_src.utils import build_ffi, extra_link_args
+from _cffi_src.utils import build_ffi, compiler_type, extra_link_args
with open(os.path.join(
@@ -24,5 +23,5 @@ ffi = build_ffi(
module_name="_padding",
cdef_source=types,
verify_source=functions,
- extra_link_args=extra_link_args(sys.platform),
+ extra_link_args=extra_link_args(compiler_type()),
)
diff --git a/src/_cffi_src/utils.py b/src/_cffi_src/utils.py
index 0b00353e..bdce2f3b 100644
--- a/src/_cffi_src/utils.py
+++ b/src/_cffi_src/utils.py
@@ -5,6 +5,8 @@
from __future__ import absolute_import, division, print_function
import sys
+from distutils.ccompiler import new_compiler
+from distutils.dist import Distribution
from cffi import FFI
@@ -79,10 +81,23 @@ def build_ffi(module_name, cdef_source, verify_source, libraries=[],
return ffi
-def extra_link_args(platform):
- if platform != "win32":
- return []
+def extra_link_args(compiler_type):
+ if compiler_type == 'msvc':
+ # Enable NX and ASLR for Windows builds on MSVC. These are enabled by
+ # default on Python 3.3+ but not on 2.x.
+ return ['/NXCOMPAT', '/DYNAMICBASE']
else:
- # Enable NX and ASLR for Windows builds. These are enabled by default
- # on Python 3.3+ but not on 2.x.
- return ["/NXCOMPAT", "/DYNAMICBASE"]
+ return []
+
+
+def compiler_type():
+ """
+ Gets the compiler type from distutils. On Windows with MSVC it will be
+ "msvc". On OS X and linux it is "unix".
+ """
+ dist = Distribution()
+ dist.parse_config_files()
+ cmd = dist.get_command_obj('build')
+ cmd.ensure_finalized()
+ compiler = new_compiler(compiler=cmd.compiler)
+ return compiler.compiler_type
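Review bot: A Windows build driven by distutils' `mingw32` compiler now gets no NX/ASLR link flags at all, because `extra_link_args` emits them only for `'msvc'`; that is the right outcome (the old `sys.platform` test would have handed MSVC-only switches to gcc), but the comment should say so, e.g. `# Only the MSVC linker understands these; mingw/cygwin builds get no equivalent here.` The `compiler_type` docstring lists only "msvc" and "unix", yet `new_compiler` can also yield "mingw32" or "cygwin", and it is the `parse_config_files()` call that makes the result honour a `--compiler` override from setup.cfg or pydistutils.cfg — both are worth stating so readers understand why this is used instead of `sys.platform`. Note also that `/DYNAMICBASE` alone gives a 64-bit image only low-entropy ASLR; `/HIGHENTROPYVA` would strengthen it but, as far as I recall, the VS2008 linker used for Python 2.7 extensions rejects it, so adding it would need gating on the toolchain version.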
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 293c6288..b8614e0b 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -213,6 +213,15 @@ class _X509ExtensionParser(object):
"Critical extension {0} is not currently supported"
.format(oid), oid
)
+ else:
+ # Dump the DER payload into an UnrecognizedExtension object
+ data = backend._lib.X509_EXTENSION_get_data(ext)
+ backend.openssl_assert(data != backend._ffi.NULL)
+ der = backend._ffi.buffer(data.data, data.length)[:]
+ unrecognized = x509.UnrecognizedExtension(oid, der)
+ extensions.append(
+ x509.Extension(oid, critical, unrecognized)
+ )
else:
# For extensions which are not supported by OpenSSL we pass the
# extension object directly to the parsing routine so it can
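Review bot: The bytes handed to `UnrecognizedExtension` are the contents of the `extnValue` OCTET STRING (the DER of the inner value, as the tests' `b"value"` and `b"\x03\x02\x040"` show), not the whole `Extension` SEQUENCE, and the comment `# Dump the DER payload` should say exactly that so consumers know what they are decoding, e.g. `# Expose the raw extnValue contents (DER of the inner value, not the outer Extension SEQUENCE).` Since these bytes come straight from the certificate, any caller that decodes them is parsing attacker-controlled ASN.1 and should treat it as untrusted input; a sentence to that effect on `UnrecognizedExtension` would help. The enclosing parse loop starts and ends outside the hunk.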
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 07b6b9ac..8e419439 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -8,6 +8,7 @@ import collections
import os
import threading
import types
+import warnings
from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings._openssl import ffi, lib
@@ -180,3 +181,11 @@ class Binding(object):
# condition registering the OpenSSL locks. On Python 3.4+ the import lock
# is per module so this approach will not work.
Binding.init_static_locks()
+
+if Binding.lib.SSLeay() < 0x10001000:
+ warnings.warn(
+ "OpenSSL versions less than 1.0.1 are no longer supported by the "
+ "OpenSSL project, please upgrade. A future version of cryptography "
+ "will drop support for these versions.",
+ DeprecationWarning
+ )
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 578015ec..6145edb1 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1093,7 +1093,11 @@ class TestRSACertificateRequest(object):
backend
)
extensions = request.extensions
- assert len(extensions) == 0
+ assert len(extensions) == 1
+ assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4")
+ assert extensions[0].value == x509.UnrecognizedExtension(
+ x509.ObjectIdentifier("1.2.3.4"), b"value"
+ )
def test_request_basic_constraints(self, backend):
request = _load_cert(
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index df796e0a..03a3730a 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -1032,17 +1032,33 @@ class TestExtensions(object):
assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
+ @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
def test_unsupported_extension(self, backend):
- # TODO: this will raise an exception when all extensions are complete
cert = _load_cert(
os.path.join(
- "x509", "custom", "unsupported_extension.pem"
+ "x509", "custom", "unsupported_extension_2.pem"
),
x509.load_pem_x509_certificate,
backend
)
extensions = cert.extensions
- assert len(extensions) == 0
+ assert len(extensions) == 2
+ assert extensions[0].critical is False
+ assert extensions[0].oid == x509.ObjectIdentifier(
+ "1.3.6.1.4.1.41482.2"
+ )
+ assert extensions[0].value == x509.UnrecognizedExtension(
+ x509.ObjectIdentifier("1.3.6.1.4.1.41482.2"),
+ b"1.3.6.1.4.1.41482.1.2"
+ )
+ assert extensions[1].critical is False
+ assert extensions[1].oid == x509.ObjectIdentifier(
+ "1.3.6.1.4.1.45724.2.1.1"
+ )
+ assert extensions[1].value == x509.UnrecognizedExtension(
+ x509.ObjectIdentifier("1.3.6.1.4.1.45724.2.1.1"),
+ b"\x03\x02\x040"
+ )
def test_no_extensions_get_for_class(self, backend):
cert = _load_cert(