-rw-r--r--CHANGELOG.rst4
-rw-r--r--docs/installation.rst4
-rw-r--r--src/cryptography/hazmat/bindings/openssl/binding.py16
3 files changed, 24 insertions, 0 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c6d0d93c..a614df84 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,6 +8,10 @@ Changelog
.. note:: This version is not yet released and is under active development.
+* Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by
+ the OpenSSL project. At this time there is no time table for dropping
+ support, however we strongly encourage all users to upgrade or install
+ ``cryptography`` from a wheel.
* Added initial :doc:`OCSP </x509/ocsp>` support.
.. _v2-3-1:
diff --git a/docs/installation.rst b/docs/installation.rst
index d665dbc5..2d9db667 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -30,6 +30,10 @@ OpenSSL releases:
* ``OpenSSL 1.1.0-latest``
* ``OpenSSL 1.1.1-latest``
+.. warning::
+ Cryptography 2.4 has deprecated support for OpenSSL 1.0.1.
+
+
Building cryptography on Windows
--------------------------------
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index ec74d4cf..d52619dc 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -7,6 +7,7 @@ from __future__ import absolute_import, division, print_function
import collections
import threading
import types
+import warnings
from cryptography import utils
from cryptography.exceptions import InternalError
@@ -150,9 +151,24 @@ class Binding(object):
_openssl_assert(cls.lib, res == 1)
+def _verify_openssl_version(lib):
+ if (
+ lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
+ not lib.CRYPTOGRAPHY_IS_LIBRESSL
+ ):
+ warnings.warn(
+ "OpenSSL version 1.0.1 is no longer supported by the OpenSSL "
+ "project, please upgrade. A future version of cryptography will "
+ "drop support for it.",
+ DeprecationWarning
+ )
+
+
# OpenSSL is not thread safe until the locks are initialized. We call this
# method in module scope so that it executes with the import lock. On
# Pythons < 3.4 this import lock is a global lock, which can prevent a race
# condition registering the OpenSSL locks. On Python 3.4+ the import lock
# is per module so this approach will not work.
Binding.init_static_locks()
+
+_verify_openssl_version(Binding.lib)
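Review bot: The `warnings.warn(...)` call in `_verify_openssl_version` passes `DeprecationWarning`, which Python's default warning filters hide unless the warning is attributed to `__main__`. Since this one is raised from the bindings module at import time, most applications linked against OpenSSL 1.0.1 will never see it. The message tells users that their OpenSSL is no longer supported by the OpenSSL project, so it should use a category that is displayed by default: replace the last argument with `UserWarning`, or with a `UserWarning` subclass if the project already defines one. The function also has no docstring; something like `"""Warn when linked against OpenSSL older than 1.0.2 (LibreSSL excluded)."""` would record why the LibreSSL check is there.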