From exarkun at twistedmatrix.com Thu Feb 13 16:46:15 2014
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Thu, 13 Feb 2014 15:46:15 -0000
Subject: [pyOpenSSL-Users] Announcing pyOpenSSL 0.14a4
Message-ID: <20140213154615.6595.1773327542.divmod.xquotient.4@top>

I'm happy to announce that pyOpenSSL 0.14a4, the fourth alpha of the 0.14 release cycle, is now available.

0.14a4 includes fixes for these bugs that were present in 0.14a3:

* On Python 2.x, most APIs that accepted int rejected long
* The "info callback" was called with a Context instance instead of a Connection instance
* Syscall error numbers were misreported on Windows
* Some build and install related documentation still referred to the old C-based implementation

pyOpenSSL 0.14 will bring many improvements over pyOpenSSL 0.13, including:

* Support for TLSv1.1 and TLSv1.2
* First-class support for PyPy
* New flags, such as MODE_RELEASE_BUFFERS and OP_NO_COMPRESSION
* Some APIs to access the SSL session cache
* A variety of bug fixes for error handling cases

Additionally, there are three major changes to the project:

First, the documentation has been converted from LaTeX (CPython's old documentation system) to Sphinx (CPython's new documentation system ;).

Second, pyOpenSSL is no longer implemented in C as a collection of extension modules using the Python/C API. Instead, pyOpenSSL is now a pure-Python project with a dependency on a new project, http://github.com/pyca/cryptography, which provides (among other things) a cffi-based interface to OpenSSL. This change means that pyOpenSSL development is now more accessible to Python programmers with little or no experience with C. This is also how pyOpenSSL is now able to support PyPy.

Finally, the project's code hosting has moved from Launchpad to Github. Many branches remain only on Launchpad along with their associated bug reports.
Over the coming releases I hope that the fixes and features in these branches will be ported to Python and incorporated into the pyOpenSSL master development branch. Bug tracking has been disabled on Launchpad so that the amount of useful information hosted there can gradually dwindle to nothing. Please use Github for further development and bug reporting.

As you might imagine, reimplementing all of pyOpenSSL in a new language has involved far more significant changes than I have ever included in a pyOpenSSL release before. I've also bent my own rule of not modifying untested code a bit. Because certain OpenSSL error cases are very difficult to trigger reliably (or even unreliably in some cases), not all such cases are covered by the automated test suite. In the past I've tried hard to avoid changing these parts of pyOpenSSL but that wasn't an option for this release.

As such, testing of 0.14a4 is more important than ever before. Please do whatever you can to help out here. Run your test suite against it, play around with the new features, abuse it if you can, take a look at the implementation (the wonderful, wonderful Python implementation!), etc.

This release is known to pass the full Twisted trunk at HEAD test suite on Python 2.7. If you have SSL-using, Twisted-based applications, it would be great if you could test those against 0.14a4 and report your results! Results from testing of any other kind of pyOpenSSL-using software are appreciated as well, positive or negative.

Thanks!

Jean-Paul

From myselfasunder at gmail.com Tue Feb 18 23:10:03 2014
From: myselfasunder at gmail.com (Dustin Oprea)
Date: Tue, 18 Feb 2014 17:10:03 -0500
Subject: [pyOpenSSL-Users] Get private-key from P12.. Bug?
Message-ID:

I can import a P12 key, and call get_privatekey() to get a private-key object. However, there seems to only be meta data available on that object, along with a generate() call.
I looked at the source code, but, though there's a "pkey" member that represents the data, there is no getter for it. This is a bug, right?

>>> with open('certificate.p12', 'rb') as f:
...     p = f.read()
...
>>> c = load_pkcs12(p, 'passphrase')
>>> dir(c.get_privatekey())
['__class__', '__delattr__', '__doc__', '__format__', '__getattribute__', '__hash__', '__init__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'bits', 'check', 'generate_key', 'type']

Dustin

From exarkun at twistedmatrix.com Sun Feb 23 14:56:40 2014
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Sun, 23 Feb 2014 13:56:40 -0000
Subject: [pyOpenSSL-Users] [ANN] pyOpenSSL 0.14
Message-ID: <20140223135640.6218.615676796.divmod.xquotient.17@top>

Greetings fellow Pythoneers,

I'm happy to announce that pyOpenSSL 0.14 is now available.

pyOpenSSL is a set of Python bindings for OpenSSL. It includes some low-level cryptography APIs but is primarily focused on providing an API for using the TLS protocol from Python.

Check out the PyPI page () for downloads.

This release of pyOpenSSL adds:

* Support for TLSv1.1 and TLSv1.2
* First-class support for PyPy
* New flags, such as MODE_RELEASE_BUFFERS and OP_NO_COMPRESSION
* Some APIs to access the SSL session cache
* A variety of bug fixes for error handling cases

Additionally, there are three major changes to the project:

First, the documentation has been converted from LaTeX (CPython's previous documentation system) to Sphinx (CPython's "new" documentation system ;). You can find the new documentation on the PyPI documentation site () or ).

Second, pyOpenSSL is no longer implemented in C as a collection of extension modules using the Python/C API.
Instead, pyOpenSSL is now a pure-Python project with a dependency on a new project, cryptography (), which provides (among other things) a cffi-based interface to OpenSSL. This change means that pyOpenSSL development is now more accessible to Python programmers with little or no experience with C. This is also how pyOpenSSL is now able to support PyPy.

Finally, the project's code hosting has moved from Launchpad to Github. Many branches remain only on Launchpad along with their associated bug reports. Over the coming releases I hope that the fixes and features in these branches will be ported to Python and incorporated into the pyOpenSSL master development branch. Bug tracking has been disabled on Launchpad so that the amount of useful information hosted there can gradually dwindle to nothing. Please use Github () for further development and bug reporting.

Thanks and enjoy,

Jean-Paul

From lancethepants at gmail.com Thu Feb 27 07:05:14 2014
From: lancethepants at gmail.com (Lance Fredrickson)
Date: Wed, 26 Feb 2014 23:05:14 -0700
Subject: [pyOpenSSL-Users] 0.14 pure-Python implementation performance question.
Message-ID: <530ED59A.5000107@gmail.com>

I compile and use pyopenssl on a low-powered embedded device (RT-N16 router) for use in sabnzbd usenet client (for https connections).

My question is whether having a pure-Python implementation of pyopenssl may cause some slowdown, particularly on an embedded device. Being that pyopenssl is just a python wrapper for OpenSSL, I honestly don't know how much that may affect performance, or whether it still will mostly be dependent on my OpenSSL performance. I know 'c' will always beat python in speed, but don't know how being only a wrapper may affect things. My router already can't keep up with my internet connection, so I wouldn't want to slow it down anymore.

I guess I can just try it and see, although it looks like it has another dependency I'd need to install too now.
I thought I'd just ask and see if there's an easy answer.

-Lance Fredrickson

From lancethepants at gmail.com Thu Feb 27 07:05:25 2014
From: lancethepants at gmail.com (Lance Fredrickson)
Date: Wed, 26 Feb 2014 23:05:25 -0700
Subject: [pyOpenSSL-Users] 0.14 pure-Python implementation performance question.
Message-ID: <530ED5A5.4050804@gmail.com>

I compile and use pyopenssl on a low-powered embedded device (RT-N16 router) for use in sabnzbd usenet client (for https connections).

My question is whether having a pure-Python implementation of pyopenssl may cause some slowdown, particularly on an embedded device. Being that pyopenssl is just a python wrapper for OpenSSL, I honestly don't know how much that may affect performance, or whether it still will mostly be dependent on my OpenSSL performance. I know 'c' will always beat python in speed, but don't know how being only a wrapper may affect things. My router already can't keep up with my internet connection, so I wouldn't want to slow it down anymore.

I guess I can just try it and see, although it looks like it has another dependency I'd need to install too now. I thought I'd just ask and see if there's an easy answer.

thanks

-Lance Fredrickson

From exarkun at twistedmatrix.com Thu Feb 27 14:21:16 2014
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Thu, 27 Feb 2014 13:21:16 -0000
Subject: [pyOpenSSL-Users] 0.14 pure-Python implementation performance question.
In-Reply-To: <530ED5A5.4050804@gmail.com>
References: <530ED5A5.4050804@gmail.com>
Message-ID: <20140227132116.6218.985696392.divmod.xquotient.92@top>

On 06:05 am, lancethepants at gmail.com wrote:
>I compile and use pyopenssl on a low-powered embedded device (RT-N16
>router) for use in sabnzbd usenet client (for https connections).
>My question is whether having a pure-Python implementation of pyopenssl
>may cause some slowdown, particularly on an embedded device.
>Being that pyopenssl is just a python wrapper for OpenSSL, I honestly don't know
>how much that may affect performance, or whether it still will mostly
>be dependent on my OpenSSL performance. I know 'c' will always beat
>python in speed, but don't know how being only a wrapper may affect
>things. My router already can't keep up with my internet connection, so
>I wouldn't want to slow it down anymore.
>I guess I can just try it and see, although it looks like it has
>another dependency I'd need to install too now. I thought I'd just ask
>and see if there's an easy answer.

Hi Lance,

Thanks for raising this question!

First, so everyone is clear, even though pyOpenSSL is now written entirely in Python all of the cryptography, protocol parsing, etc is all still done by OpenSSL (in C or whatever). The Python in pyOpenSSL is just about exposing the API. Some classes are defined, some methods are defined, certain input checking is done (can't pass a string to a C API expecting an integer, etc).

I expect that this transition will introduce a little bit more overhead when pyOpenSSL is used on CPython but that it will speed things up (apart from making them work reliably) on PyPy.

However, performance testing has never been a regular part of pyOpenSSL development. I'd be happy to try to integrate some kind of performance testing into the development workflow - but that means that someone needs to write some benchmarks. I'd encourage anyone interested in this to start filing issues on github. The only real guidance I'd start with is to suggest that codespeed2 is a project that almost exists and is helpful for performance testing so it might be good to write benchmarks with its requirements in mind.

Somewhat related to this is the fact that Twisted does do performance testing and Twisted uses pyOpenSSL for its TLS-related functionality. However, I don't think that pyOpenSSL 0.14 has yet made it into Twisted's performance testing configuration.
Anecdotally, the only thing I've heard about pyOpenSSL 0.14 performance so far is that by enabling TLS 1.2 a much faster cipher is now available and transfer speeds have *increased* dramatically for one user who was able to switch to TLS 1.2.

Jean-Paul
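
An added example, not part of the original thread and not pyOpenSSL's own code: it handshakes two in-process Connection objects over memory BIOs with the TLSv1.2 method and the OP_NO_COMPRESSION and MODE_RELEASE_BUFFERS flags named in the announcement, then reports the protocol and cipher OpenSSL negotiated, which is the thing to check before comparing transfer speeds. It assumes a current pyOpenSSL install; the helper names and the certificate name example.test are hypothetical.

```python
from OpenSSL import SSL, crypto

def make_self_signed():
    """Constructed throwaway RSA key and self-signed certificate."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = "example.test"  # hypothetical name
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return key, cert

def make_context(key=None, cert=None):
    ctx = SSL.Context(SSL.TLSv1_2_METHOD)
    options = ctx.set_options(SSL.OP_NO_COMPRESSION)  # returns the new bitmask
    ctx.set_mode(SSL.MODE_RELEASE_BUFFERS)
    if cert is not None:  # only the server side presents a certificate
        ctx.use_certificate(cert)
        ctx.use_privatekey(key)
    return ctx, options

def pump(src, dst):
    try:  # move queued TLS records from src's memory BIO into dst
        dst.bio_write(src.bio_read(65536))
    except SSL.WantReadError:
        pass  # nothing queued

def negotiate():
    """Handshake two in-process Connections; report what OpenSSL chose."""
    server_ctx, options = make_context(*make_self_signed())
    client_ctx, _ = make_context()  # default VERIFY_NONE: peer is this process
    server = SSL.Connection(server_ctx, None)
    client = SSL.Connection(client_ctx, None)
    server.set_accept_state()
    client.set_connect_state()
    for _ in range(10):
        pending = False
        for conn, peer in ((client, server), (server, client)):
            try:
                conn.do_handshake()
            except SSL.WantReadError:
                pending = True
            pump(conn, peer)
        if not pending:
            break
    return client.get_protocol_version_name(), client.get_cipher_name(), options
```

The Python here only drives the state machine and shuttles bytes; key exchange and record encryption happen inside OpenSSL, as the reply above describes.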