• Home
• Services
  • Custom Python Development Projects
  • Python Training
  • Python Coaching
  • Python Consulting
  • Python and Product Support
• Products
  • Python
  • · mxODBC – Python Database Interface
  • · mxODBC Connect – Remote DB Interface
  •   
  • · eGenix PyRun – Tiny Python Runtime
  • · eGenix pyOpenSSL – SSL Interface
  •   
  • · eGenix mx Base
  •   · mxDateTime – Date/Time Library
  •   · mxTextTools – Fast Text Parsing
  •   · mxBeeBase – BTree+ On-disk DB
  •   · mxTools – Fast Python Helpers
  •   · mxProxy – Python Object Proxy
  •   · mxURL – URL Library
  •   · mxUID – UID Library
  •   · mxStack – Stack Data Type
  •   · mxQueue – Queue Data Type
  •   
  • · eGenix mx Experimental
  •   · mxNumber – High Precision Numbers
  •   · mxTidy – HTML Cleaner
  •   
  • Plone / Zope
  • · mxODBC Plone/Zope Database Adapter
  • · mxODBC Database Adapter for Plone
  • · eGenix ThreadLock Distribution
• Solutions
  • EMail Newsletters
  • SMS Text Alerts
• Support
  • General Python Support
  • Product Support
  • Product Updates
  • Mailing Lists
• Community
  • Talks & Videos
  • Python Meeting Düsseldorf (PyDDF)
  • All Things Python Blog
  • eGenix YouTube Channel
  • MoinMoin Library
  • Telegram Antispam Bot
• Company
  • About
  • Contact
  • News
  • Press
  • Legal
• Shop

eGenix.com · Products · Python · eGenix.com pyOpenSSL Distribution - Python OpenSSL Interface · 0.13.6 (archived version) · pyOpenSSL Distribution Change Log

pyOpenSSL Distribution Change Log

Changes from 0.13.5 to 0.13.6:

• Reenabled the SSLv2 support in the bundled OpenSSL libraries which we had removed in 0.13.5, since removing the SSLv2 symbols resulted in too many compatibility problems with existing code such as e.g.

  >>> import OpenSSL
  >>> import ssl
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "ssl.py", line 60, in <module>
      import _ssl
  ImportError: _ssl.so: undefined symbol: SSLv2_method

  The ImportError is the result of using the 0.13.5 version of the OpenSSL libs with an ssl module which was compiled against a system version with SSLv2 support, effectively making the ssl module unusable.

  To protect against SSLv2 and SSLv3 downgrade attacks, please make sure you setup the SSL context to disallow using SSLv2 and SSLv3, e.g.

  context = SSL.Context(SSL.SSLv23_METHOD)
  context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)

• OpenSSL.__version__ is now updated to the distribution version rather than left at "0.13" as it was in previous releases. It now shows "0.13.6" for this release.
  
• Emphasized on the need to "import OpenSSL" early to prevent Python from loading the system OpenSSL libraries instead of the embedded ones. Be sure to read the section Loading the embedded OpenSSL Libraries of the documentation for details on how to make sure that the embedded libraries are loaded.

Changes from 0.13.4.1.0.1.9 to 0.13.5:

• Updated included OpenSSL libraries from OpenSSL 1.0.1i to 1.0.1j. See https://www.openssl.org/news/secadv_20141015.txt for a complete list of changes. The following fixes are relevant for pyOpenSSL applications:
  • CVE-2014-3567:  Memory leak in OpenSSL session ticket management.
  • OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade, e.g. to enable a POODLE (CVE-2014-3566) attack by forcing a downgrade to SSLv3. This is enabled automatically for servers.
    
  • CVE-2014-3568: OpenSSL configured with "no-ssl3" would still allow a complete SSL 3.0 handshake to run.
    

• Dropped zlib support from OpenSSL builds to more easily prevent the CRIME attack without having to use special SSL context options.
• Disabled the SSLv2 support in OpenSSL builds. SSLv2 has long been broken and this simplifies writing secure servers/clients.
• Updated the included CA root certificate bundles to Mozilla's 2014-08-26 update.
• Improved cipher list in https_client.py example which prefers the newer AES128-GCM and elliptic curve DH over over ciphers.
• Added new context flag MODE_SEND_FALLBACK_SCSV. Documented previously undocumented MODE_RELEASE_BUFFERS and removed non-existing MODE_NO_COMPRESSION from the documentation.
• Added web installer package to the Python Package Index (PyPI) which simplifies installation.

  In addition to the usual ways of installing eGenix pyOpenSSL, we have uploaded a web installer to PyPI, so that it is now also possible to use one of these installation methods on all supported platforms (Windows, Linux, Mac OS X):

  • easy_install egenix-pyopenssl via PyPI
  • pip install egenix-pyopenssl via PyPI
  • egg reference in zc.buildout via PyPI
  • running "python setup.py install" in the unzipped web installer archive directory

  The web installer will automatically detect the platform and choose the right binary download package for you. All downloads are verified before installation.

• Resolved a problem with a pyOpenSSL test for certificate extensions: OpenSSL 1.0.1i+ wants a signature algorithm to be defined when loading PEM certificates.
• Moved eGenix additions to pyOpenSSL to a new extras/ dir in the source distribution.
• In previous releases, we also added the OpenSSL version number to the package version. Since this causes very long version numbers, we have dropped the OpenSSL version starting with 0.13.5 and will only increase the main version number from now on. In the future, we plan to switch to a new version scheme that is compatible with our normal version number scheme for products.

Changes from 0.13.3.1.0.1.8 to 0.13.4.1.0.1.9:

• Updated included OpenSSL libraries from OpenSSL 1.0.1h to 1.0.1i. See https://www.openssl.org/news/secadv_20140806.txt for a complete list of changes. Most fixes apply to the OpenSSL DTLS implementation, which pyOpenSSL currently does not support. The following fix is relevant for pyOpenSSL applications:
  
  • CVE-2014-3511: A flaw in the OpenSSL TLS server code allows a man-in-the-middle attacker to force a downgrade to TLS 1.0.

• Compiled pyOpenSSL with OPENSSL_LOAD_CONF to have the OpenSSL libs automatically load the openssl.cnf configuration file. This allows easy configuration of additional OpenSSL parameters and defaults, locations of certificate files, hardware engines, etc. without having to change the application code. Please see the documentation for details.
• Updated the included CA root certificate bundles to Mozilla's 2014-07-15 update.

Changes from 0.13.3.1.0.1.7 to 0.13.3.1.0.1.8:

• Updated included OpenSSL libraries from OpenSSL 1.0.1g to 1.0.1h. See http://www.openssl.org/news/secadv_20140605.txt for a complete list of changes, most important:
• CVE-2014-0224: An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
• CVE-2014-0221: By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.
• CVE-2014-3470: OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a DoS attack.
• Added the following new options for context.set_options(): OP_TLSEXT_PADDING, OP_SAFARI_ECDHE_ECDSA_BUG, OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
• Documented all supported context.set_options() options (to the extent possible using the OpenSSL documentation itself).
• Updated the included CA root certificate bundles to Mozilla's 2014-04-22 update.

Changes from 0.13.3.1.0.1.6 to 0.13.3.1.0.1.7:

• Updated included OpenSSL libraries from OpenSSL 1.0.1f to 1.0.1g. See http://www.openssl.org/news/news.html and http://www.openssl.org/news/vulnerabilities.html for a complete list of changes, most important:
• CVE-2014-0160 ("Heartbleed Bug"): A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. For information, also have a look at the Heartbeet Bug website.

Changes from 0.13.2.1.0.1.5 to 0.13.3.1.0.1.6:

• Updated pyOpenSSL to the upstream trunk revision 171 (pyOpenSSL version 0.13.1+).
• Added work-around for compiling pyOpenSSL trunk revision 171 on Windows with OpenSSL 1.0.0 and later.
• Included support for TLS 1.1 and 1.2 in pyOpenSSL (rev 171). Please see the TLS support section in the documentation for details.
  
• Added SSL.OP_NO_COMPRESSION and SSL.OP_SINGLE_ECDH_USE context options to be able to address the CRIME attack and allow for more secure elliptic curve Diffie-Hellman key exchange setups.
  
• Added HTML Sphinx documentation from the pyOpenSSL trunk version to the package. An online version is available from our website.
  
• Updated the included CA bundles to the latest Mozilla 2014-01-28 version.
• Included ca-bundle*.crt files now have the same modification date as the Mozilla certdata.txt file from which they were generated.
  
• Restored compatibility of the ca_bundle module with Python 2.4.
• Enhanced the included https_client.py example to show case OpenSSL best practices:
• server name parsing (RFC 2818 support will follow in one of the next releases)
  
• SNI (support for TLS extension to support multiple SSL sites on a single host)
• setup secure default SSL options
• setup secure default SSL cipher suite
• use TLS 1.0 - 1.2 only
• disable SSL compression negotiation (prevent CRIME attack)

• Updated included OpenSSL libraries from OpenSSL 1.0.1e to 1.0.1f. See http://www.openssl.org/news/news.html and http://www.openssl.org/news/vulnerabilities.html for a complete list of changes, most important:
• CVE-2013-4353: A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A malicious server could use this flaw to crash a connecting client.
• CVE-2013-6450: A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash.
• CVE-2013-6449: A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2.

Changes from 0.13.1.1.0.1.5 to 0.13.2.1.0.1.5:

• Added a patch by Christian Heimes to pyOpenSSL: This addresses the CVE-2013-4238 related problem with embedded NUL bytes in subjectAltNames and also fixes a memory leak in the X509 .get_extension() method.
• Christian Heimes also pointed us to a problem with the included CA root bundle, which turns out to be rather wide-spread. Mozilla's certificate bundle includes more than just the trusted CA root certificates. It also includes several explicitly untrusted root certificates and even single untrusted server certificates.
  
  Our investigation showed that while OpenSSL does handle trust parameters in the certificates, it doesn't use this information during certificate verification, if the certificate is passed in together with other trusted certificates. Future OpenSSL versions may add this support, but at least versions up to and including 1.0.1e don't have it.
  
  To work around this problem, we have split the bundle file into separate bundles, each with different trust settings included. The explicitly untrusted certificates are no longer included in the lists to avoid potentially trusting these untrusted (root) certificates.
  
  Many thanks to Christian Heimes for these reports.
  
• Added new TRUST_* constants to the OpenSSL.ca_bundle module and new purpose parameters to various bundle query functions.
• Updated the documentation to reflect the changes and document the new set of CRT certificate files and trust settings.
  
• Fixed a missing import in the https_client.py example.
  

Changes from 0.13.0_1.0.1c_1 to 0.13.1.1.0.1.5:

• Upgraded the included OpenSSL library from version 1.0.1c to version 1.0.1e. See http://www.openssl.org/news/news.html and http://www.openssl.org/news/vulnerabilities.html for a complete list of changes, most important:
• OpenSSL security advisory: ​http://www.openssl.org/news/secadv_20130204.txt - also known as "Lucky 13" (​http://www.h-online.com/security/news/item/TLS-tripped-up-by-Lucky-13-1798423.html)
• OpenSSL security advisory: ​http://www.openssl.org/news/secadv_20130205.txt
• corrected fix for CVE-2013-0169 in 1.0.1e: ​http://www.mail-archive.com/openssl-users@openssl.org/msg70100.html
• 1.0.1d fixes the SSL3_GET_RECORD:wrong version number problem: http://openssl.6102.n7.nabble.com/error-1408F10B-SSL-routines-SSL3-GET-RECORD-wrong-version-number-td22477.html
  
• Changed the package version scheme to be PEP 386 compatible. The new scheme no longer contains underscores or patch level letters.
  
• Added a CA root certificate bundle file ca-bundle.crt, which is created from the current Mozilla root CA certificate list. This allows verifying server certificates without having to rely on the system root CA certificate list. The bundle file will be updated with each new release of eGenix pyOpenSSL. We also make the file available as separate download. Please see the product page for details.
  
• Added pyOpenSSL examples/ directory to the source distribution.
• Added a new OpenSSL.ca_bundle module which provides easy to use access to the embedded ca-bundle.crt file.
  
• Added new example https_client.py to the examples/ directory, which demonstrates setting up an SSL connection and using the new OpenSSL.ca_bundle module.
• Windows x64 builds now have assembler code turned back on again, after a problem with OpenSSL 1.0.1c.

Changes from 0.13.0_1.0.0j_1 to 0.13.0_1.0.1c_1:

• Upgraded the included OpenSSL library from version 1.0.0j to version 1.0.1c. See http://www.openssl.org/news/news.html and http://www.openssl.org/news/vulnerabilities.html for a complete list of changes.
• Added the openssl binary to the OpenSSL package directory. This can be used to access OpenSSL functionality not exposed by pyOpenSSL.
• Changed the Windows OPENSSLDIR default to c:\openssl\ to simplify OpenSSL configuration.
  
• Fixed OpenSSL assembler build issues on Windows x64 and Mac OS X PPC/x86.

Changes from 0.13.0_1.0.0g_1 to 0.13.0_1.0.0j_1:

• Upgraded the included OpenSSL library from version 1.0.0g to version 1.0.0j. See http://www.openssl.org/news/news.html and http://www.openssl.org/news/vulnerabilities.html for a complete list of changes.
• Fixed a compatibility problem with Python 2.7's distutils that was introduced in Python 2.7.3

Changes from 0.10.0_1.0.0a_1 to 0.13.0_1.0.0g_1:

• Upgraded the included OpenSSL library from version 1.0.0a to version 1.0.0g. See http://www.openssl.org/news/news.html and http://www.openssl.org/news/vulnerabilities.html for a complete list of changes.
  
• Upgraded the included pyOpenSSL library from version 0.10 to version 0.13. See these announcements for a summary of changes: pyOpenSSL 0.11, pyOpenSSL 0.12, pyOpenSSL 0.13.
  

• Updated the pyOpenSSL license information from LGPL to Apache License 2.0.
• Added support for Python 2.7 on all platforms.
  
• Added documentation for automatic download of egg distributions using compatible tools such as easy_install and zc.buildout.
  

Changes from 0.9.0_0.9.8l_1 to 0.10.0_1.0.0a_1:

• Upgraded the included OpenSSL library from version 0.9.8l to version 1.0.0a. See http://www.openssl.org/news/news.html for a complete list of changes.
  
• Upgraded the included pyOpenSSL library from version 0.9 to version 0.10. See the announcement for a summary of changes.
  
• Added a new default certificate search path. The embedded OpenSSL libs will now look for certificates in /etc/ssl on Unix platforms and /System/Library/OpenSSL on Mac OS X

Note that it's still better to explicitly tell OpenSSL where to look for trusted certificates via .load_verify_locations(None, certs_dir) than to rely on the above defaults using context.set_default_verify_paths()

• Added support for Win64 and precompiled Python 2.6 compatible binaries for that platform (you can find the OpenSSL libs in openssl-win64/vc9).
• Added support for Mac OS X 10.6 on Intel x64.
• Added .egg Distributions for Python 2.4 as well (in order to support Plone 3).
  

Changes from 0.9.0_0.9.8k_1 to 0.9.0_0.9.8l_1:

• Upgraded the included OpenSSL libraries to version 0.9.8l, which includes a number of important bug fixes related to SSL, most notably the work-around for the Man-in-the-Middle (MitM) TLS vulnerability disclosed on Nov. 5th, tracked as CVE-2009-3555.
  
• IMPORTANT: The work-around chosen by the OpenSSL team is to disable SSL session renegotiations altogether. This can cause applications relying on this feature on the client or server side to fail. You can still download the previous version of our pyOpenSSL distribution if you run into such problems.
  

Changes from 0.8.1_0.9.8j_2 to 0.9.0_0.9.8k_1:

• Upgraded the included pyOpenSSL library to version 0.9, which includes a new fix for the threading problems of version 0.8 and several new features.
• Upgraded the included OpenSSL libraries to version 0.9.8k, which includes a number of important bug fixes related to SSL.

Changes from 0.8.1_0.9.8j_1 to 0.8.1_0.9.8j_2:

• Added support for Mac OS X and pre-built archives for this platform.

Changes from 0.8.0_0.9.8j_1 to 0.8.1_0.9.8j_1:

• Fixed a serious problem with pyOpenSSL 0.8.0 and multi-threaded applications: the new threading fixes cause invalid thread states in the Python interpreter which resulted in random core dumps and seg faults. The patch was provided by Maxim Sobolev on SourceForge. Note that this patch has not yet been integrated into upstream pyOpenSSL.
• Added pre-built archives for Windows upon request from the Plone people: this makes it easier to integrate the archives into buildout scripts.

Changes from 0.8.0_0.9.8i_1 to 0.8.0_0.9.8j_1:

• Upgraded the included OpenSSL libs to version 0.9.8j, which fixes a vulnerability found in earlier OpenSSL releases of the 0.9.8 branch: CVE-2008-5077.
• Enabled zlib compression support in OpenSSL for both the Linux and Windows builds, so OpenSSL client/servers can now negotiate on-the-fly zlib compression for SSL connections.

Changes from 0.7.0_0.9.8i_1 to 0.8.0_0.9.8i_1:

• Upgraded the included pyOpenSSL library to version 0.8, which includes several threading related fixes
• Applied several fixes to resolve compiler warnings

Changes from 0.7.0_0.9.8h_1 to 0.7.0_0.9.8i_1:

• Upgraded the included OpenSSL libraries to 0.9.8i, which includes security related bug fixes
• Added Python 2.6 support and binaries