Skip to content

replace pyopenssl with cryptography #977

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

replace pyopenssl with cryptography #977

wants to merge 2 commits into from

Conversation

prauscher
Copy link

@prauscher prauscher commented Feb 12, 2025
edited
Loading

closes #879

Description

The feature or problem addressed by this PR

This PR replaces pyopenssl whose usage is discouraged by its own developers. This is especially current since pyopenssl was forced to a version before 24.3.0 in response to #975. This inturn forces older cryptography-versions, making automated vulnerability checkers go brr.

What your changes do and why you chose this solution

The replacement of pyopenssl is quite direct, so probably cryptography could be used to a larger extend, reducing own security functions. On the other hand, cryptography is currently quite fixed to client/server authentification, enforcing stricter regulations on Certificate extensions etc, which might not be suitable here.

I ran the test suite on my machine which looked good, however while pyopenssl usually accepts strings or bytes, cryptography is usually fixed to bytes, forcing encoding to its user, so there may be dragons.

This being my first PR here, I'd highly value feedback and be happy to assist.

Checklist

  • Checked that no other issues or pull requests exist for the same issue/change
  • Added tests covering the new functionality
  • Updated documentation OR the change is too minor to be documented
  • Updated CHANGELOG.md OR changes are insignificant

@GaetanLepage GaetanLepage mentioned this pull request Feb 13, 2025
Merged
13 tasks
@prauscher
Copy link
Author

@c00kiemon5ter Is there anything you need or I could help you with to bring this forward?

miettal added a commit to girasolenergy/pysaml2 that referenced this pull request Mar 13, 2025
@miettal
feat: bump pyopenssl 24.3.x
cc7ad29 
This PR upgrade pyopenssl dependency. Current constraints is
`<24.3.0`(up to 24.2.x). New constratints is `<24.4.0`(up to 24.3.x).
This PR is for addressing security alert `GHSA-79v4-65xg-pq4g`.

GHSA-79v4-65xg-pq4g

// I guess this constratints is for pyopenssl->cryptography migration.
IdentityPython#977
IdentityPython@735bfa5
@miettal miettal mentioned this pull request Mar 13, 2025
Open
1 task
@e1mo e1mo mentioned this pull request Mar 28, 2025
Merged
@ducdetronquito
Copy link

Hi !

At work we use @prauscher branch in production on multiple backends since yesterday with [email protected] and [email protected] and it works like a charm.

I hope this small datapoint will give more confidence to merge this PR :)

johanlundberg
johanlundberg reviewed Jun 13, 2025
View reviewed changes
@johanlundberg
Copy link
Contributor

I also merged @prauscher branch to our repo and, with my exception above, have seen no problems. Thanks!

@prauscher
Copy link
Author

Thanks @johanlundberg, my new commit should eliminiate these problems

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johanlundberg johanlundberg johanlundberg left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

usage of pyopenssl library
3 participants
@prauscher @ducdetronquito @johanlundberg