Expose constants that are no longer available in latest cryptography #1201

Closed
1 of 2 tasks
itamarst opened this issue Mar 24, 2023 · 1 comment · Fixed by #1202

Comments

@itamarst
Contributor

itamarst commented Mar 24, 2023

In order to customize TLS validation logic in pyOpenSSL, some constants are sometimes needed. For example, Tahoe-LAFS currently uses X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, and a few others (https://github.com/tahoe-lafs/tahoe-lafs/blob/d92470d233533bdc8ae1f014ca3a82b0ce74e3f3/src/allmydata/storage/http_client.py#L220).

Previous to cryptography v40, these were available there, but they no longer are.

@alex suggested that:

  1. They get added to the public interface of pyOpenSSL, since that is the consumer.
  2. cryptography is then updated appropriately to expose just what pyOpenSSL needs.

I assume they should be exposed in OpenSSL.SSL?

  • PR to cryptography adding the constants is merged.
  • PR to this repository conditionally adding these to OpenSSL.SSL.__all__.
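
An added example (not code from this issue, pyOpenSSL, or Tahoe-LAFS) of the kind of custom validation these constants support: a verify callback with the signature pyOpenSSL's `Context.set_verify` expects, which tolerates only an explicit allowlist of verification errors and then checks a pinned certificate digest. The pinning scheme, `make_verify_callback`, `to_der` and the sample bytes are assumptions; the numeric codes are OpenSSL's values, defined locally so the block runs without pyOpenSSL installed.

```python
import hashlib
import hmac

# Numeric values as defined in OpenSSL's x509_vfy.h, declared locally so the
# example runs without pyOpenSSL or cryptography installed.
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19

# Assumption: the deployment pins the peer certificate, so only these
# failures are tolerated; every other error code still aborts the handshake.
TOLERATED = frozenset({
    X509_V_ERR_CERT_NOT_YET_VALID,
    X509_V_ERR_CERT_HAS_EXPIRED,
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
})


def make_verify_callback(pinned_sha256, to_der):
    """Build a callback with the signature Context.set_verify expects.

    pinned_sha256: expected SHA-256 digest of the leaf certificate (DER).
    to_der: hypothetical helper turning the certificate object into DER bytes.
    """
    def verify(conn, cert, errnum, depth, ok):
        # Fail closed on anything outside the explicit allowlist.
        if errnum != X509_V_OK and errnum not in TOLERATED:
            return False
        # Certificates above the leaf carry no trust here; the pin decides.
        if depth != 0:
            return True
        digest = hashlib.sha256(to_der(cert)).digest()
        return hmac.compare_digest(digest, pinned_sha256)
    return verify


# Constructed sample data standing in for a real DER-encoded certificate.
SAMPLE_LEAF = b"constructed-leaf-certificate-der"
SAMPLE_PIN = hashlib.sha256(SAMPLE_LEAF).digest()
sample_callback = make_verify_callback(SAMPLE_PIN, lambda cert: cert)
```

With pyOpenSSL, `to_der` could wrap `OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)`, and the callback would be passed to `Context.set_verify` together with `OpenSSL.SSL.VERIFY_PEER`.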
@itamarst
Contributor Author

I will try to do this next week.

itamarst pushed a commit to itamarst/cryptography that referenced this issue Mar 27, 2023
This is necessary for custom TLS certificate validation logic; see pyca/pyopenssl#1201
alex pushed a commit to pyca/cryptography that referenced this issue Mar 28, 2023
* Restore the x509 error verification codes.

This is necessary for custom TLS certificate validation logic; see pyca/pyopenssl#1201

* Remove changelog entry.

---------

Co-authored-by: Itamar Turner-Trauring <itamar@pythonspeed.com>
reaperhulk pushed a commit to reaperhulk/cryptography that referenced this issue Mar 28, 2023
* Restore the x509 error verification codes.

This is necessary for custom TLS certificate validation logic; see pyca/pyopenssl#1201

* Remove changelog entry.

---------

Co-authored-by: Itamar Turner-Trauring <itamar@pythonspeed.com>
alex pushed a commit to pyca/cryptography that referenced this issue Mar 28, 2023
* Restore the x509 error verification codes.

This is necessary for custom TLS certificate validation logic; see pyca/pyopenssl#1201

* Remove changelog entry.

---------

Co-authored-by: Itamar Turner-Trauring <itamar@itamarst.org>
Co-authored-by: Itamar Turner-Trauring <itamar@pythonspeed.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 29, 2023