-
Couldn't load subscription status.
- Fork 447
replace pyopenssl with cryptography #977
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
@c00kiemon5ter Is there anything you need or I could help you with to bring this forward?
This PR upgrade pyopenssl dependency. Current constraints is `<24.3.0`(up to 24.2.x). New constratints is `<24.4.0`(up to 24.3.x). This PR is for addressing security alert `GHSA-79v4-65xg-pq4g`. GHSA-79v4-65xg-pq4g // I guess this constratints is for pyopenssl->cryptography migration. IdentityPython#977 IdentityPython@735bfa5
ducdetronquito
commented
Jun 12, 2025
Hi !
At work we use @prauscher branch in production on multiple backends since yesterday with Python@3.13 and djangosaml2@1.10.1 and it works like a charm.
I hope this small datapoint will give more confidence to merge this PR :)
I also merged @prauscher branch to our repo and, with my exception above, have seen no problems. Thanks!
Thanks @johanlundberg, my new commit should eliminiate these problems
alecbarber
commented
Jul 11, 2025
Working great for us too! Just noting that for since the deps have been updated, the poetry.lock file also needs to be regenerated. poetry lock --no-update gives me this patch (I'd make a suggested change, but Github won't let me 😄)
diff --git a/poetry.lock b/poetry.lock index 93e08556..6357d2b7 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1248,24 +1248,6 @@ snappy = ["python-snappy"] test = ["pytest (>=8.2)", "pytest-asyncio (>=0.24.0)"] zstd = ["zstandard"] -[[package]] -name = "pyopenssl" -version = "24.2.1" -description = "Python wrapper module around the OpenSSL library" -optional = false -python-versions = ">=3.7" -files = [ - {file = "pyOpenSSL-24.2.1-py3-none-any.whl", hash = "sha256:967d5719b12b243588573f39b0c677637145c7a1ffedcd495a487e58177fbb8d"}, - {file = "pyopenssl-24.2.1.tar.gz", hash = "sha256:4247f0dbe3748d560dcbb2ff3ea01af0f9a1a001ef5f7c4c647956ed8cbf0e95"}, -] - -[package.dependencies] -cryptography = ">=41.0.5,<44" - -[package.extras] -docs = ["sphinx (!=5.2.0,!=5.2.0.post0,!=7.2.5)", "sphinx-rtd-theme"] -test = ["pretend", "pytest (>=3.0.1)", "pytest-rerunfailures"] - [[package]] name = "pytest" version = "8.3.4" @@ -1971,4 +1953,4 @@ s2repoze = ["paste", "repoze.who", "zope.interface"] [metadata] lock-version = "2.0" python-versions = "^3.9" -content-hash = "03ec3d72ebbfd582b62c153e6921c3032ff637943724b8a9222bc9593eae71e0" +content-hash = "ac583ea6afeb45d9c6a66f1a5a49ce08d58b4c0ef554be7d65c55761bc8e8c42"
Thank you @alecbarber - I also found types-pyopenssl to be obsolete now
rvanlaar
commented
Jul 17, 2025
It also looks like the dependency on pytz can be removed.
@rvanlaar good catch - as dateutil is no longer required too I removed pytz and dateutil as well as both typing classes.
Applies [@praushcer](https://github.com/prauscher)'s changes to remove pyopenssl. see [upstream IdentityPython#977](IdentityPython#977)
mikicz
commented
Jul 25, 2025
I would love it if this went in!
@c00kiemon5ter Is there anything I can help you with to get this merged?
@c00kiemon5ter I have merged master into this branch, so it should now be mergeable. As I do not understand any of this poetry magic, I hope my poetry lock does not trigger new problems, but please tell me if I should rebuild the poetry.lock somehow.
Hi @prauscher and @c00kiemon5ter - we've been relying on your fork/branch in our app and have noticed a breaking change as of 2 days ago.
It looks like:
requires-python = "^3.9"
is not accepted by our build chain (pip/uv within docker).
Further research suggests that the caret is not PEP 440-compliant. A possible fix would be:
requires-python = ">=3.9,<4.0"
Happy to be challenged on this, as I am not very versed in poetry magic :-)
Latest master (or v7.5.4) have fixed this.
Using >=3.9 is fine for now.
@prauscher I would avoid merges from other branches to keep the diff clean.
IMHO, rebasing is better and I will rebase this to test it.
94632eb to
a9b7b78
Compare
Rebased to current master, so @hsenot should be working again.
Personally I prefer merge over rebase to avoid force pushes, but ymmv. From what I can tell from the change preview, this should be clean-ish now.
hsenot
commented
Oct 9, 2025
Thanks heaps @prauscher , much appreciated.
We're keen to see this branch/fork merged too.
Lmk if you need help testing. Cheers!
SPKorhonen
commented
Oct 21, 2025
I'm also keen to see this merged. I've tested the branch and it works flawlessly and would allow us to remove pyopenssl as dependency in out project.
Uh oh!
There was an error while loading. Please reload this page.
Closes #879
Fixes #975
Description
The feature or problem addressed by this PR
This PR replaces pyopenssl whose usage is discouraged by its own developers. This is especially current since pyopenssl was forced to a version before 24.3.0 in response to #975. This inturn forces older cryptography-versions, making automated vulnerability checkers go brr.
What your changes do and why you chose this solution
The replacement of pyopenssl is quite direct, so probably cryptography could be used to a larger extend, reducing own security functions. On the other hand, cryptography is currently quite fixed to client/server authentification, enforcing stricter regulations on Certificate extensions etc, which might not be suitable here.
I ran the test suite on my machine which looked good, however while pyopenssl usually accepts strings or bytes, cryptography is usually fixed to bytes, forcing encoding to its user, so there may be dragons.
This being my first PR here, I'd highly value feedback and be happy to assist.
Checklist