[Cryptography-dev] PyCA cryptography 39.0.0 released

Paul Kehrer paul.l.kehrer at gmail.com
Sun Jan 1 23:19:45 EST 2023


PyCA cryptography 39.0.0 has been released to PyPI. cryptography
includes both high level recipes and low level interfaces to common
cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X509, key derivation functions, and much
more. We support Python 3.6+, and PyPy3.

Changelog (https://cryptography.io/en/latest/changelog/#v39-0-0):
* BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.0 has been removed.
Users on older versions of OpenSSL will need to upgrade. Note that
this does not affect users of our wheels.
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.5. The new
minimum LibreSSL version is 3.5.0. Going forward our policy is to
support versions of LibreSSL that are available in versions of OpenBSD
that are still receiving security support.
* BACKWARDS INCOMPATIBLE: Removed the encode_point and
from_encoded_point methods on EllipticCurvePublicNumbers, which had
been deprecated for several years. public_bytes()
and from_encoded_point() should be used instead.
* BACKWARDS INCOMPATIBLE: Support for using MD5 or SHA1 in
CertificateBuilder, other X.509 builders, and PKCS7 has been removed.
* BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.10 and 10.11.
macOS users must upgrade to 10.12 or newer.
* ANNOUNCEMENT: The next version of cryptography (40.0) will change
the way we link OpenSSL. This will only impact users who build
cryptography from source (i.e., not from a wheel), and specify their
own version of OpenSSL. For those users, the CFLAGS, LDFLAGS, INCLUDE,
LIB, and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS environment variables will
no longer be respected. Instead, users will need to configure their
builds as documented here.
* Added support for disabling the legacy provider in OpenSSL 3.0.x.
* Added support for disabling RSA key validation checks when loading
RSA keys via load_pem_private_key(), load_der_private_key(), and
private_key(). This speeds up key loading but is unsafe if you are
loading potentially attacker supplied keys.
* Significantly improved performance for ChaCha20Poly1305 when
repeatedly calling encrypt or decrypt with the same key.
* Added support for creating OCSP requests with precomputed hashes
using add_certificate_by_hash().
* Added support for loading multiple PEM-encoded X.509 certificates
from a single input via load_pem_x509_certificates().

-Paul Kehrer (reaperhulk)
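
The migration away from the removed encode_point and from_encoded_point methods, as an added example that is not part of the original announcement or the project's own code. It uses public_bytes() with X9.62 encoding and EllipticCurvePublicKey.from_encoded_point(); the curve, the constructed sample scalar and the helper names are assumptions chosen for illustration.

```python
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

CURVE = ec.SECP256R1()  # assumption: curve chosen for this illustration


def encode_point(public_key, compressed=False):
    """Stand-in for the removed EllipticCurvePublicNumbers.encode_point()."""
    fmt = (PublicFormat.CompressedPoint if compressed
           else PublicFormat.UncompressedPoint)
    return public_key.public_bytes(Encoding.X962, fmt)


def decode_point(data, curve=CURVE):
    """Stand-in for the removed EllipticCurvePublicNumbers.from_encoded_point().

    Returns a public key object, or None when the bytes do not encode a
    valid point on the curve (the library raises ValueError in that case).
    """
    try:
        return ec.EllipticCurvePublicKey.from_encoded_point(curve, data)
    except ValueError:
        return None


def demo():
    # Constructed sample key from a fixed scalar so the run is repeatable.
    # Never use a fixed or guessable scalar outside a demonstration.
    key = ec.derive_private_key(0xC0FFEE, CURVE).public_key()
    raw = encode_point(key)                     # 0x04 || X || Y
    packed = encode_point(key, compressed=True) # 0x02/0x03 || X
    same = decode_point(packed).public_numbers() == key.public_numbers()
    # Flip the low bit of Y so the point no longer satisfies the curve
    # equation; untrusted input like this must be rejected, not used.
    tampered = raw[:-1] + bytes([raw[-1] ^ 0x01])
    return len(raw), len(packed), same, decode_point(tampered) is None


if __name__ == "__main__":
    print(demo())
```
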

