eGenix pyOpenSSL Distribution GA

eGenix pyOpenSSL Distribution GA

eGenix is pleased to announce the eGenix pyOpenSSL Distribution for Python 2.4 - 2.7, with support for Windows, Linux and Mac OS X.


The pyOpenSSL Distribution includes everything you need to get started with SSL in Python. It comes with an easy to use installer that includes the most recent OpenSSL library versions in pre-compiled
form, making your application independent of OS provided OpenSSL libraries:

>>>   eGenix pyOpenSSL Distribution Page

pyOpenSSL is an open-source Python add-on that allows writing SSL-aware networking applications as as certificate managment tools. It uses the OpenSSL library as performant and robust SSL engine.

OpenSSL is an open-source implementation of the SSL/TLS protocol.


This new release of the pyOpenSSL Distribution includes a set of updates related to security problems reported by Christian Heimes:

New in the eGenix pyOpenSSL Distribution

  • Added a patch by Christian Heimes to pyOpenSSL: This addresses the CVE-2013-4238 related problem with embedded NUL bytes in subjectAltNames and also fixes a memory leak in the X509 .get_extension() method.
  • Christian Heimes also pointed us to a problem with the included CA root bundle, which turns out to be rather wide-spread. Mozilla's certificate bundle includes more than just the trusted CA root certificates. It also includes several explicitly untrusted root certificates and even single untrusted server certificates.

    Our investigation showed that while OpenSSL does handle trust parameters in the certificates, it doesn't use this information during certificate verification, if the certificate is passed in together with other trusted certificates. Future OpenSSL versions may add this support, but at least versions up to and including 1.0.1e don't have it.

    To work around this problem, we have split the bundle file into separate bundles, each with different trust settings included. The explicitly untrusted certificates are no longer included in the lists to avoid potentially trusting these untrusted (root) certificates.

    Many thanks to Christian Heimes for these reports.
  • Added new TRUST_* constants to the OpenSSL.ca_bundle module and new purpose parameters to various bundle query functions.
  • Fixed a missing import in the example.

As always, we provide binaries that include both pyOpenSSL and the necessary OpenSSL libraries/binaries for all supported platforms: Windows x86 and x64, Linux x86 and x64, Mac OS X PPC, x86 and x64.

We have also added .egg-file distribution versions of our pyOpenSSL Distribution for Windows, Linux and Mac OS X to the available download options. These make setups using e.g. zc.buildout and other egg-file based installers a lot easier.


Please visit the eGenix pyOpenSSL Distribution page for downloads, instructions on installation and documentation of the package.


Before installing this version of pyOpenSSL, please make sure that you uninstall any previously installed pyOpenSSL version. Otherwise, you could end up not using the included OpenSSL libs.

More Information

For more information on the eGenix pyOpenSSL Distribution, licensing and download instructions, please write to

Enjoy !

Marc-Andre Lemburg,

Published: 2013-09-04