From jianhua at us.ibm.com Tue Sep 1 01:32:27 2015
From: jianhua at us.ibm.com (Jeff Feng)
Date: Mon, 31 Aug 2015 18:32:27 -0500
Subject: [Cryptography-dev] openssl in virtualenv question
Message-ID: <201508312332.t7VNWYjZ015900@d01av01.pok.ibm.com>

Hi,

I'm setting up development environment on my Mac, and using virtualenv. When I run cryptography test cases, I found the old OS X bundled openssl was used, not the latest openssl installed by Homebrew.

So, I did version check in my virtualenv:

$ which openssl
/usr/local/bin/openssl <-- looks good
$ openssl version
OpenSSL 0.9.8zg 14 July 2015 <----errh, not right.
$ /usr/local/bin/openssl version
OpenSSL 1.0.2d 9 Jul 2015 <----- it's right

Anyone have idea which config I missed ?

Thanks in advance.

- Jeff

From paul.l.kehrer at gmail.com Tue Sep 1 05:09:10 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Mon, 31 Aug 2015 22:09:10 -0500
Subject: [Cryptography-dev] openssl in virtualenv question
In-Reply-To: <201508312332.t7VNWYjZ015900@d01av01.pok.ibm.com>
References: <201508312332.t7VNWYjZ015900@d01av01.pok.ibm.com>
Message-ID:

Hi Jeff,

When compiling cryptography your compiler and linker will use the paths that are provided. Homebrew does not put OpenSSL in the include or library path for a variety of good reasons, so to compile against homebrew OpenSSL you'll need to follow the instructions here: https://cryptography.io/en/latest/installation/#using-your-own-openssl-on-os-x

If you're running a more recent pip (7+) you'll also need to either delete your wheel cache (as it now has the wrong compiled version cached) or pass --no-use-wheel as a flag.

-Paul

On August 31, 2015 at 6:43:03 PM, Jeff Feng (jianhua at us.ibm.com) wrote:

Hi,

I'm setting up development environment on my Mac, and using virtualenv. When I run cryptography test cases, I found the old OS X bundled openssl was used, not the latest openssl installed by Homebrew.
So, I did version check in my virtualenv:

$ which openssl
/usr/local/bin/openssl <-- looks good
$ openssl version
OpenSSL 0.9.8zg 14 July 2015 <----errh, not right.
$ /usr/local/bin/openssl version
OpenSSL 1.0.2d 9 Jul 2015 <----- it's right

Anyone have idea which config I missed ?

Thanks in advance.

- Jeff
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev

From paul.l.kehrer at gmail.com Sun Sep 6 04:05:44 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Sat, 5 Sep 2015 21:05:44 -0500
Subject: [Cryptography-dev] PyCA cryptography 1.0.1 released
Message-ID:

PyCA cryptography (https://github.com/pyca/cryptography) 1.0.1 has been released! cryptography is a package which provides cryptographic recipes and primitives to Python developers. Our goal is for it to be your "cryptographic standard library". We support Python 2.6-2.7, Python 3.3+, and PyPy 2.6+.

Changelog (https://cryptography.io/en/latest/changelog/)

* We now ship OS X wheels that statically link OpenSSL by default. When installing a wheel on OS X 10.10+ (and using a Python compiled against the 10.10 SDK) users will no longer need to compile.
* Set the default string mask to UTF-8 in the OpenSSL backend to resolve character encoding issues with older versions of OpenSSL.
* Several new OpenSSL bindings have been added to support a future pyOpenSSL release.
* Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+.

Thanks to all the contributors who helped on this release, especially around infrastructure to support the new wheels.

-Paul Kehrer (reaperhulk)
From glyph at twistedmatrix.com Sun Sep 6 04:43:02 2015
From: glyph at twistedmatrix.com (Glyph)
Date: Sat, 5 Sep 2015 22:43:02 -0400
Subject: [Cryptography-dev] PyCA cryptography 1.0.1 released
In-Reply-To:
References:
Message-ID:

> On Sep 5, 2015, at 22:05, Paul Kehrer wrote:
>
> PyCA cryptography (https://github.com/pyca/cryptography) 1.0.1 has been released! cryptography is a package which provides cryptographic recipes and primitives to Python developers. Our goal is for it to be your "cryptographic standard library". We support Python 2.6-2.7, Python 3.3+, and PyPy 2.6+.
>
> Changelog (https://cryptography.io/en/latest/changelog/)
>
> * We now ship OS X wheels that statically link OpenSSL by default. When installing a wheel on OS X 10.10+ (and using a Python compiled against the 10.10 SDK) users will no longer need to compile.

This is very exciting, and should really reduce the number of problems people have getting bootstrapped with cryptography, and speed up `pip install twisted[tls]` on OS X.

Thanks for making this happen, Paul!

-glyph

From paul.l.kehrer at gmail.com Sun Sep 27 16:07:32 2015
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Sun, 27 Sep 2015 09:07:32 -0500
Subject: [Cryptography-dev] PyCA cryptography 1.0.2 released
Message-ID:

PyCA cryptography 1.0.2 has been released. This release contains a security fix that affects anyone running python with -O.

Changelog:

* SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call.
Credit Emilia Käsper (Google Security Team) for the report.

-Paul Kehrer (reaperhulk)

From glyph at twistedmatrix.com Mon Sep 28 08:05:05 2015
From: glyph at twistedmatrix.com (Glyph Lefkowitz)
Date: Sun, 27 Sep 2015 23:05:05 -0700
Subject: [Cryptography-dev] PyCA cryptography 1.0.2 released
In-Reply-To:
References:
Message-ID:

If running under -O[O] is a supported configuration for Cryptography now, is there a plan to migrate to something other than py.test so that the test suite can meaningfully execute in that environment as well? My usual assumption is that any Python with 'assert's in its test suite implicitly assumes this option will never be used.

If running the test suite is impossible in such an interpreter, then perhaps it would be better to detect this configuration and fail hard, rather than piecemeal supporting bits of it, especially if bugs like this potentially cause security issues.

-glyph

> On Sep 27, 2015, at 7:07 AM, Paul Kehrer wrote:
>
> PyCA cryptography 1.0.2 has been released. This release contains a security fix that affects anyone running python with -O.
>
> Changelog:
>
> * SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call. Credit Emilia Käsper (Google Security Team) for the report.
>
> -Paul Kehrer (reaperhulk)
From donald at stufft.io Mon Sep 28 08:22:34 2015
From: donald at stufft.io (Donald Stufft)
Date: Mon, 28 Sep 2015 02:22:34 -0400
Subject: [Cryptography-dev] PyCA cryptography 1.0.2 released
In-Reply-To:
References:
Message-ID:

pytest supports -O[O] since 2.1.0 https://pytest.org/latest/announce/release-2.1.0.html

On September 28, 2015 at 2:14:41 AM, Glyph Lefkowitz (glyph at twistedmatrix.com) wrote:
> If running under -O[O] is a supported configuration for Cryptography now, is there a plan to migrate to something other than py.test so that the test suite can meaningfully execute in that environment as well? My usual assumption is that any Python with 'assert's in its test suite implicitly assumes this option will never be used.
>
> If running the test suite is impossible in such an interpreter, then perhaps it would be better to detect this configuration and fail hard, rather than piecemeal supporting bits of it, especially if bugs like this potentially cause security issues.
>
> -glyph
>
> > On Sep 27, 2015, at 7:07 AM, Paul Kehrer wrote:
> >
> > PyCA cryptography 1.0.2 has been released. This release contains a security fix that affects anyone running python with -O.
> >
> > Changelog:
> >
> > * SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call. Credit Emilia Käsper (Google Security Team) for the report.
> >
> > -Paul Kehrer (reaperhulk)

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
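
The 1.0.2 changelog entry quoted in the thread above, shown as an added illustration that is not code from the cryptography project or from any poster: the same response-code check written once as an `assert` and once as a true function call, compiled the way `python` and `python -O` would compile it. All names (`fake_backend_call`, `check`, `InternalError`, `load`, `demo`) are hypothetical, and `compile(..., optimize=N)` stands in for starting the interpreter with or without `-O`.

```python
# Constructed example: a stand-in "backend" whose return code must be checked.
SOURCE = '''
class InternalError(Exception):
    pass

def fake_backend_call(ok):
    # Hypothetical stand-in for a C library call: 1 on success, 0 on failure.
    return 1 if ok else 0

def sign_with_assert(ok):
    res = fake_backend_call(ok)
    assert res == 1      # removed entirely when compiled with optimization
    return "signature"   # reached even though the call failed

def check(condition):
    # A true function call: present at every optimization level.
    if not condition:
        raise InternalError("unexpected response code from backend")

def sign_with_check(ok):
    res = fake_backend_call(ok)
    check(res == 1)
    return "signature"
'''

def load(optimize):
    """Compile SOURCE as `python` (0) or `python -O` (1) would; return its namespace."""
    namespace = {}
    exec(compile(SOURCE, "<constructed>", "exec", optimize=optimize), namespace)
    return namespace

def outcome(func, ok):
    """Return the function's result, or the name of the exception it raised."""
    try:
        return func(ok)
    except Exception as exc:
        return type(exc).__name__

def demo():
    """Map optimization level -> (assert-based result, function-call result) on failure."""
    results = {}
    for level in (0, 1):
        ns = load(level)
        results[level] = (outcome(ns["sign_with_assert"], False),
                          outcome(ns["sign_with_check"], False))
    return results

if __name__ == "__main__":
    for level, (with_assert, with_check) in demo().items():
        print("optimize=%d  assert: %-14s  check(): %s" % (level, with_assert, with_check))
```

A program can detect this configuration at run time through `sys.flags.optimize`, which is the value a "detect and fail hard" guard of the kind raised in the thread would test.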