replace pyopenssl with cryptography #977

Open
wants to merge 1 commit into
base: master

@prauscher prauscher commented Feb 12, 2025

closes #879

Description

The feature or problem addressed by this PR

This PR replaces pyopenssl, whose usage is discouraged by its own developers. This is especially current since pyopenssl was forced to a version before 24.3.0 in response to #975. This in turn forces older cryptography versions, making automated vulnerability checkers go brr.

What your changes do and why you chose this solution

The replacement of pyopenssl is quite direct, so probably cryptography could be used to a larger extent, reducing own security functions. On the other hand, cryptography is currently quite fixed to client/server authentication, enforcing stricter regulations on Certificate extensions etc., which might not be suitable here.

I ran the test suite on my machine, which looked good; however, while pyopenssl usually accepts strings or bytes, cryptography is usually fixed to bytes, forcing encoding to its user, so there may be dragons.

This being my first PR here, I'd highly value feedback and be happy to assist.

Checklist

  • Checked that no other issues or pull requests exist for the same issue/change
  • Added tests covering the new functionality
  • Updated documentation OR the change is too minor to be documented
  • Updated CHANGELOG.md OR changes are insignificant

@prauscher (Author)

@c00kiemon5ter Is there anything you need or I could help you with to bring this forward?

miettal added a commit to girasolenergy/pysaml2 that referenced this pull request Mar 13, 2025
This PR upgrades the pyopenssl dependency. The current constraint is
`<24.3.0` (up to 24.2.x). The new constraint is `<24.4.0` (up to 24.3.x).
This PR is for addressing security alert `GHSA-79v4-65xg-pq4g`.

GHSA-79v4-65xg-pq4g

// I guess this constraint is for the pyopenssl->cryptography migration.
IdentityPython#977
IdentityPython@735bfa5
@miettal miettal mentioned this pull request Mar 13, 2025
Successfully merging this pull request may close these issues.

usage of pyopenssl library