CVE-2016-0800 (DROWN attack): A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle.
As an additional result of this attack, the default OpenSSL configuration
no longer includes the SSLv2 protocol support starting with 1.0.1s.
Several low priority issues related to memory leaks.
Disabled SSLv2 support in all our OpenSSL library builds (no-ssl2).
Disabled TLS compression in all our OpenSSL library builds
(no-comp). This may lead to problems with other libraries that still
expect to find these APIs. pyOpenSSL itself does not use them.
Updated the Mozilla CA root bundle to version 2016-03-01. Nothing much changed, except the date of the bundle file.
CVE-2015-3194: The signature verification routines will crash with a NULL pointer dereference,
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
mask generation function parameter. This can be exploited as a DoS attack in applications that
perform certificate verification.
CVE-2015-3195: When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
CVE-2015-3196: If PSK identity hints are received by a multi-threaded client, then
the values are wrongly updated in the parent SSL_CTX structure. This can
potentially lead to a double free of the
identity hint data, leading to a segfault.
Updated the Mozilla CA root bundle to version 2015-10-27.
Added support to allow building wheels from source or prebuilt packages.
Fixed a bug in the build process which resulted in the CA bundle files not getting installed in the OpenSSL/ package dir.
Added a work-around for recent pip versions not showing the installer
output, causing an apparently hanging installation process. The
installer will now use a timeout when entering the crypto confirmation
and report how to fix the problem (by using an environment variable
EGENIX_CRYPTO_CONFIRM for confirmation).
Updated the Mozilla CA root bundle to version 2015-04-22.
Logjam attack: OpenSSL 1.0.1n includes DHE man-in-the-middle downgrade protection.
CVE-2015-1788: Possible infinite loop during client authentication, which can be used for Denial of Service (DoS) attacks.
CVE-2015-1789: X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds, which can lead to a segmentation fault.
CVE-2015-1790: The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly, which can lead to a NULL pointer dereference on parsing.
CVE-2015-1792: When verifying a signedData message the CMS code can enter an infinite loop
if presented with an unknown hash function OID.
CVE-2015-1791: If a NewSessionTicket is received by a multi-threaded client when attempting to
reuse a previous ticket then a race condition can occur potentially leading to
a double free of the ticket data.
Various minor fixes to the web installer: make installations on Linux
and FreeBSD more robust, have pip uninstall not remove the .pyc/.pyo
files, and fix an intermittent error causing a source installation in
some rare cases.
Updated the Mozilla CA root bundle to version 2015-02-19.
Updated included OpenSSL libraries from OpenSSL 1.0.1k to
1.0.1m. We had skipped OpenSSL 1.0.1l, since the 1.0.1l release only
contained a patch for Windows we had already included in our release.
See https://www.openssl.org/news/secadv_20150319.txt for a complete list of changes. The following fixes are relevant for pyOpenSSL applications:
CVE-2015-0292: A vulnerability existed in previous versions of OpenSSL
related to the
processing of base64 encoded data. Any code path that reads base64 data
from an untrusted source could be affected (such as the PEM processing
routines). Already fixed in OpenSSL 1.0.1h, but wasn't listed, so
repeated here for completeness.
CVE-2015-0293: Denial-of-Service (DoS) via reachable assert in SSLv2 servers.
CVE-2015-0209: Use After Free following d2i_ECPrivatekey error.
A malformed EC private key file consumed via the d2i_ECPrivateKey function could
cause a use after free condition.
CVE-2014-8275: OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. By modifying the contents of the
signature algorithm or the encoding of the signature, it is possible
to change the certificate's fingerprint.
CVE-2014-3572: An OpenSSL client will accept a handshake using an ephemeral ECDH
ciphersuite using an ECDSA certificate if the server key exchange message
is omitted. This effectively removes forward secrecy from the ciphersuite.
CVE-2015-0204: An OpenSSL client will accept the use of an RSA temporary key in a
non-export RSA key exchange ciphersuite. A server could present a weak
temporary key and downgrade the security of the session. This is also known as FREAK Attack.
CVE-2014-3570: Bignum squaring (BN_sqr) may produce incorrect results on some platforms,
including x86_64. This bug occurs at random with a very low probability,
and is not known to be exploitable in any way, though its exact impact is
difficult to determine.
CVE-2015-0205: An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client
to authenticate without the use of a private key. This only affects
servers which trust a client certificate authority which issues
certificates containing DH keys: these are extremely rare and hardly ever
Re-enabled the SSLv2 support in the bundled OpenSSL libraries which we
had removed in 0.13.5, since
removing the SSLv2 symbols resulted in too many compatibility problems
with existing code, e.g.:
>>> import OpenSSL
>>> import ssl
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "ssl.py", line 60, in <module>
ImportError: _ssl.so: undefined symbol: SSLv2_method
The ImportError is the result of using the 0.13.5 version of the OpenSSL
libs with an ssl module which was compiled against a system version
with SSLv2 support, effectively making the ssl module unusable.
To protect against SSLv2 and SSLv3 downgrade attacks,
please make sure you set up the SSL context to disallow using SSLv2 and
OpenSSL.__version__ is now updated to the distribution version rather than left at "0.13" as it was in previous releases. It now shows "0.13.6" for this release.
Emphasized the need to "import OpenSSL" early to prevent Python from
loading the system OpenSSL libraries instead of the embedded ones.
Be sure to read the section Loading the embedded OpenSSL Libraries of the documentation for details on how to make sure that the embedded libraries are loaded.
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol
downgrade, e.g. to enable a POODLE (CVE-2014-3566) attack by forcing a downgrade to SSLv3. This is enabled automatically for servers.
CVE-2014-3568: OpenSSL configured with "no-ssl3" would still allow a complete SSL 3.0 handshake to run.
Dropped zlib support from OpenSSL builds to more easily prevent the
CRIME attack without having to use special SSL context options.
Disabled the SSLv2 support in OpenSSL builds. SSLv2 has long been broken and this simplifies writing secure servers/clients.
Updated the included CA root certificate bundles to Mozilla's 2014-08-26 update.
Improved cipher list in the https_client.py example, which now prefers the newer AES128-GCM and elliptic curve DH over older ciphers.
Added new context flag MODE_SEND_FALLBACK_SCSV. Documented previously
undocumented MODE_RELEASE_BUFFERS and removed non-existing
MODE_NO_COMPRESSION from the documentation.
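The context setup the entries above ask for (no SSLv2/SSLv3, no TLS compression, ECDHE with AES-GCM preferred, peer certificate required) as one added example; this is not code from eGenix pyOpenSSL or from OpenSSL. It uses Python's standard ssl module, which drives the same OpenSSL library the entries describe; on a pyOpenSSL Context the corresponding calls are set_options() with OP_NO_SSLv2 | OP_NO_SSLv3 and set_cipher_list(). The audit_*, hardened_client_context, unverified_client_context, required_option_mask and openssl_at_least names are this example's own, and the optional cafile argument is where a bundle such as the ca-bundle.crt file would be passed.

```python
import ssl

# Context options the entries above call for: no SSLv2/SSLv3 (DROWN and POODLE
# downgrades) and no TLS compression (CRIME).  Each entry pairs the ssl module
# constant name with the finding to report when the bit is missing.
REQUIRED_OPTIONS = (
    ("OP_NO_SSLv2", "SSLv2 allowed"),
    ("OP_NO_SSLv3", "SSLv3 allowed"),
    ("OP_NO_COMPRESSION", "TLS compression allowed"),
)


def required_option_mask():
    """Bitmask of every option in REQUIRED_OPTIONS (0 for flags this build lacks)."""
    mask = 0
    for name, _ in REQUIRED_OPTIONS:
        mask |= getattr(ssl, name, 0)
    return mask


def audit_options(options):
    """Return the weaknesses visible in a raw SSL_CTX option bitmask."""
    findings = []
    for name, finding in REQUIRED_OPTIONS:
        flag = getattr(ssl, name, 0)
        # OpenSSL 1.1.0 and later ship without SSLv2 and define SSL_OP_NO_SSLv2
        # as 0; a zero-valued flag means "cannot be negotiated at all", not
        # "allowed", so it is skipped rather than reported.
        if flag == 0:
            continue
        if not options & flag:
            findings.append(finding)
    return findings


def audit_context(ctx):
    """Audit a client ssl.SSLContext: protocol/compression bits plus peer verification."""
    findings = audit_options(ctx.options)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


def hardened_client_context(cafile=None):
    """Build a client context that passes audit_context().

    cafile: optional path to a CA bundle (e.g. the ca-bundle.crt shipped with
    eGenix pyOpenSSL).  With no bundle loaded every handshake fails closed,
    because CERT_REQUIRED is kept regardless.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Set explicitly even where the Python version already defaults to them.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Prefer ECDHE key exchange with AES-GCM, as the https_client.py entry does,
    # and exclude anonymous, NULL, MD5 and RC4 suites outright.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4")
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def unverified_client_context():
    """A context that skips peer verification, to show what the audit reports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def openssl_at_least(major, minor, fix):
    """True if the OpenSSL the ssl module actually loaded is at least major.minor.fix.

    A process that picked up the system OpenSSL instead of the embedded one
    (the SSLv2_method ImportError quoted above is one symptom) shows up here as
    an unexpected version.
    """
    return ssl.OPENSSL_VERSION_INFO[:3] >= (major, minor, fix)


if __name__ == "__main__":
    print("linked against", ssl.OPENSSL_VERSION)
    print("unverified context:", audit_context(unverified_client_context()))
    print("hardened context:", audit_context(hardened_client_context()))
```

The audit reads the option bits and verification settings back from the context rather than trusting the code that built it, so it can be pointed at contexts created elsewhere in an application. On Python 3.7 and later, ctx.minimum_version = ssl.TLSVersion.TLSv1_2 is the newer way to express the same protocol floor; the OP_NO_* bits remain what older interpreters and the pyOpenSSL API expose.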
Added web installer package to the Python Package Index (PyPI) which simplifies installation.
In addition to the usual ways of installing eGenix pyOpenSSL, we have
uploaded a web installer to PyPI, so that it is now also possible to
use one of these installation methods on all supported platforms
(Windows, Linux, Mac OS X):
easy_install egenix-pyopenssl via PyPI
pip install egenix-pyopenssl via PyPI
egg reference in zc.buildout via PyPI
running "python setup.py install" in the unzipped web installer archive directory
The web installer will automatically detect the platform and choose
the right binary download package for you. All downloads are verified
Resolved a problem with a pyOpenSSL test for certificate extensions:
OpenSSL 1.0.1i+ wants a signature algorithm to be defined when loading
Moved eGenix additions to pyOpenSSL to a new extras/ dir in the source distribution.
In previous releases, we also added the OpenSSL version number to the
package version. Since this causes very long version numbers, we have
dropped the OpenSSL version starting with 0.13.5 and will only
increase the main version number from now on. In the future, we
plan to switch to a new version scheme that is compatible with our
normal version number scheme for products.
Updated included OpenSSL libraries from OpenSSL 1.0.1h to 1.0.1i. See https://www.openssl.org/news/secadv_20140806.txt
for a complete list of changes. Most fixes apply to the OpenSSL DTLS
implementation, which pyOpenSSL currently does not support. The
following fix is relevant for pyOpenSSL applications:
CVE-2014-3511: A flaw in the OpenSSL TLS server code allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0.
Compiled pyOpenSSL with OPENSSL_LOAD_CONF to have the OpenSSL libs automatically load the openssl.cnf configuration file.
This allows easy configuration of additional OpenSSL parameters and
defaults, locations of certificate files, hardware engines, etc. without
having to change the application code. Please see the documentation for details.
Updated the included CA root certificate bundles to Mozilla's 2014-07-15 update.
CVE-2014-0224: An attacker can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers. This can be exploited by a
Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.
By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack. Only
applications using OpenSSL as a DTLS client are affected.
CVE-2014-3470: OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a DoS attack.
Added the following new options for context.set_options(): OP_TLSEXT_PADDING, OP_SAFARI_ECDHE_ECDSA_BUG, OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
Documented all supported context.set_options() options (to the extent possible using the OpenSSL documentation itself).
Updated the included CA root certificate bundles to Mozilla's 2014-04-22 update.
CVE-2014-0160 ("Heartbleed Bug"): A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64kB of memory to a connected client or server. This
issue did not affect versions of OpenSSL prior to 1.0.1. For information, also have a look at the Heartbleed Bug website.
Added a patch by Christian Heimes to pyOpenSSL: This addresses the CVE-2013-4238 related problem with embedded NUL bytes in subjectAltNames and also fixes a memory leak in the X509 .get_extension() method.
Christian Heimes also pointed us to a problem with the included CA root bundle,
which turns out to be rather wide-spread. Mozilla's certificate bundle
includes more than just the trusted CA root certificates. It also
includes several explicitly untrusted root certificates and even single
untrusted server certificates.
Our investigation showed that while OpenSSL does handle trust parameters
in the certificates, it doesn't use this information during certificate
verification, if the certificate is passed in together with other
trusted certificates. Future OpenSSL versions may add this support, but
at least versions up to and including 1.0.1e don't have it.
To work around this problem, we have split the bundle file into separate bundles, each with different trust settings included. The explicitly untrusted certificates are no longer included in the lists to avoid potentially trusting these untrusted (root) certificates.
Many thanks to Christian Heimes for these reports.
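To see which entries of a bundle carry explicit trust or reject settings before it is loaded, here is an added example; it is not part of eGenix pyOpenSSL or of OpenSSL. It assumes the settings are stored the way OpenSSL itself stores them, as a CERT_AUX trailer after the certificate DER inside "TRUSTED CERTIFICATE" PEM blocks, which is an assumption about the bundle in question. The sample bundle is constructed, with a placeholder SEQUENCE in place of real certificate DER, and every function name is this example's own.

```python
import base64

# OpenSSL keeps per-certificate trust settings in a CERT_AUX structure that
# follows the certificate DER inside a "TRUSTED CERTIFICATE" PEM block:
#   CERT_AUX ::= SEQUENCE { trust  SEQUENCE OF OID OPTIONAL,
#                           reject [0] IMPLICIT SEQUENCE OF OID OPTIONAL,
#                           alias, keyid, other ... OPTIONAL }
# Only the trust and reject lists are read here; the rest is skipped.


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER body."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def _oid_list(seq):
    pos, oids = 0, []
    while pos < len(seq):
        tag, value, pos = _tlv(seq, pos)
        if tag == 0x06:
            oids.append(_decode_oid(value))
    return oids


def trust_settings(der):
    """Trust/reject OID lists from DER(cert) followed by an optional DER(CERT_AUX)."""
    _, _, pos = _tlv(der, 0)  # step over the certificate itself
    settings = {"trust": [], "reject": []}
    if pos >= len(der):
        return settings  # plain CERTIFICATE block: no aux trailer
    _, aux, _ = _tlv(der, pos)
    pos = 0
    while pos < len(aux):
        tag, value, pos = _tlv(aux, pos)
        if tag == 0x30:    # trust: SEQUENCE OF OID
            settings["trust"] = _oid_list(value)
        elif tag == 0xA0:  # reject: [0] IMPLICIT SEQUENCE OF OID
            settings["reject"] = _oid_list(value)
    return settings


def split_pem(text):
    """(label, raw_block_text, der_bytes) for every PEM block; text outside blocks is ignored."""
    blocks, label, lines = [], None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("-----BEGIN ") and s.endswith("-----"):
            label, lines = s[11:-5], [s]
        elif s.startswith("-----END ") and label is not None:
            lines.append(s)
            blocks.append((label, "\n".join(lines), base64.b64decode("".join(lines[1:-1]))))
            label = None
        elif label is not None:
            lines.append(s)
    return blocks


def classify_bundle(text):
    """One dict per block: PEM label plus its trust and reject OIDs."""
    out = []
    for label, _, der in split_pem(text):
        entry = {"label": label}
        entry.update(trust_settings(der))
        out.append(entry)
    return out


def drop_rejected(text):
    """Re-emit the bundle without any block that carries a reject list."""
    kept = [raw for _, raw, der in split_pem(text) if not trust_settings(der)["reject"]]
    return "\n".join(kept) + "\n"


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample: SEQUENCE { INTEGER 1 } stands in for certificate DER,
# since only the aux trailer matters to this parser.
_FAKE_CERT = b"\x30\x03\x02\x01\x01"
_SERVER_AUTH = b"\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01"  # OID 1.3.6.1.5.5.7.3.1
_ANY_EKU = b"\x06\x04\x55\x1d\x25\x00"                      # OID 2.5.29.37.0
_TRUSTED_AUX = b"\x30\x0c\x30\x0a" + _SERVER_AUTH             # trust: { serverAuth }
_REJECTED_AUX = b"\x30\x08\xa0\x06" + _ANY_EKU                # reject: { anyExtendedKeyUsage }

SAMPLE_BUNDLE = (
    "# constructed bundle, not a real Mozilla export\n"
    + _pem("CERTIFICATE", _FAKE_CERT)
    + _pem("TRUSTED CERTIFICATE", _FAKE_CERT + _TRUSTED_AUX)
    + _pem("TRUSTED CERTIFICATE", _FAKE_CERT + _REJECTED_AUX)
)

if __name__ == "__main__":
    for entry in classify_bundle(SAMPLE_BUNDLE):
        print(entry)
```

Run against a real bundle, classify_bundle shows at a glance whether any block is an explicitly rejected entry, which matters precisely because, as described above, OpenSSL does not act on those settings when the bundle is loaded as one file of trusted certificates.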
Added new TRUST_* constants to the OpenSSL.ca_bundle module and new purpose parameters to various bundle query functions.
Updated the documentation to reflect the changes and document the new set of CRT certificate files and trust settings.
Fixed a missing import in the https_client.py example.
Changed the package version scheme to be PEP 386 compatible. The new scheme no longer contains underscores or patch level letters.
Added a CA root certificate bundle file ca-bundle.crt, which is created from the current Mozilla root CA certificate list. This allows verifying server certificates without having to rely on the system root CA certificate list.
The bundle file will be updated with each new release of eGenix
pyOpenSSL. We also make the file available as separate download. Please
see the product page for details.
Added pyOpenSSL examples/ directory to the source distribution.
Added a new OpenSSL.ca_bundle module which provides easy to use access to the embedded ca-bundle.crt file.
Added new example https_client.py to the examples/ directory, which demonstrates setting up an SSL connection and using the new OpenSSL.ca_bundle module.
Windows x64 builds now have assembler code turned back on again, after a problem with OpenSSL 1.0.1c.
Upgraded the included pyOpenSSL library from version 0.9 to version 0.10. See the announcement for a summary of changes.
Added a new default certificate search path. The embedded OpenSSL libs will now look for certificates in /etc/ssl on Unix platforms and /System/Library/OpenSSL on Mac OS X.
Note that it's still better to explicitly tell OpenSSL where to look for
trusted certificates via .load_verify_locations(None, certs_dir) than
to rely on the above defaults using context.set_default_verify_paths().
Added support for Win64 and precompiled Python 2.6 compatible
binaries for that platform (you can find the OpenSSL libs in
Added support for Mac OS X 10.6 on Intel x64.
Added .egg Distributions for Python 2.4 as well (in order to support Plone 3).
work-around chosen by the OpenSSL team is to disable SSL session
renegotiations altogether. This can cause applications relying on this
feature on the client or server side to fail. You can still download
the previous version of our pyOpenSSL distribution if you run into such problems.
Upgraded the included pyOpenSSL library to version 0.9, which includes a new fix for the threading problems of version 0.8 and several new features.
Upgraded the included OpenSSL libraries to version 0.9.8k, which includes a number of important bug fixes related to SSL.
Changes from 0.8.1_0.9.8j_1 to 0.8.1_0.9.8j_2:
Added support for Mac OS X and pre-built archives for this platform.
Changes from 0.8.0_0.9.8j_1 to 0.8.1_0.9.8j_1:
a serious problem with pyOpenSSL 0.8.0 and multi-threaded applications:
the new threading fixes cause invalid thread states in the Python
interpreter which resulted in random core dumps and seg faults. The patch was provided by Maxim Sobolev on SourceForge. Note that this patch has not yet been integrated into upstream pyOpenSSL.
pre-built archives for Windows upon request from the Plone people: this
makes it easier to integrate the archives into buildout scripts.
Changes from 0.8.0_0.9.8i_1 to 0.8.0_0.9.8j_1:
Upgraded the included OpenSSL libs to version 0.9.8j, which fixes a vulnerability found in earlier OpenSSL releases of the 0.9.8 branch: CVE-2008-5077.
Enabled zlib compression support
in OpenSSL for both the Linux and Windows builds, so OpenSSL
client/servers can now negotiate on-the-fly zlib compression for SSL