Comments (28)
Can you confirm that this is all based on Python 2.7 and not some other version?
from pyopenssl.
Sorry for missing the details.
Yes. This is Python 2.7.3 on Ubuntu 12.04 x32.
from pyopenssl.
I experience the same issue on openSUSE 13.1 and SUSE Linux Enterprise (both running python 2.7.6).
from pyopenssl.
This is going to be fixed for 0.15 - actually fixed, not just documented as broken.
from pyopenssl.
What's the actual fix? I presume some of them really only ought to take bytes, but I could also appreciate that you want to have e.g. `Context.set_cipher_list(u'ALL')` work again as well, since it did in previous versions :)
from pyopenssl.
Any API which in the past accepted `bytes` without error should accept `bytes` without error.
Any API which in the past accepted `unicode` without error should accept `unicode` without error.
"want" is putting it rather strongly though.
from pyopenssl.
Gotcha. So the resolution for code is: typecheck for unicode and encode ASCII if necessary. I'm inclined to raise warnings instead so we don't have to support it in perpetuity but I don't really care.
Solution for docs: document one seemingly appropriate type (and accidentally accept the other one, too), or document both as supported? I'd like to know for #126 :)
from pyopenssl.
Deprecating the nonsense case would be great. It doesn't need to be part of this change though (in the interest of getting it done).
I think document the appropriate type but if figuring that out is hard then maybe leave the docs alone?
from pyopenssl.
Are there any updates on the progress of this issue? I'm currently trying to decide whether to try and add support for 0.14 or just support 0.13 and the upcoming 0.15.
from pyopenssl.
I don't have availability to work on this in the near future. Other community members haven't expressed any interest in having this fixed, but have expressed interest in having 0.15 out sooner rather than later. The practical outcome may be that 0.15 is released with these regressions and they just become part of the API.
from pyopenssl.
> Other community members haven't expressed any interest in having this fixed
Sorry, I meant "in fixing this themselves". Clearly the people who commented on this issue, at least, had some interest in having it fixed.
from pyopenssl.
I’m afraid the problem of this issue is that it has unclear scope and is somehow daunting.
I don’t think it’s very difficult to go through the API and add some `isinstance` + `encode("ascii")` if unicode has been passed. But somehow there’s not a clear path forward. If there were, I’m personally volunteering to walk it/help direct others.
from pyopenssl.
What is so complicated on `DeprecationWarning`? Add all these `isinstance` + `encode("utf8")` things, but throw a warning as well. In next major release, remove both?
from pyopenssl.
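The `isinstance` plus `encode` approach with a `DeprecationWarning` proposed in the comments above, as an added example that is not part of the thread and not pyOpenSSL's own code. The names `to_bytes_and_warn`, `bytes_params` and the stand-in `set_cipher_list` are hypothetical; it assumes Python 3 and the ASCII encoding from the earlier comment, and rejects non-ASCII text instead of guessing an encoding.

```python
import functools
import inspect
import warnings


def to_bytes_and_warn(label, value):
    """Hypothetical helper: return bytes; ASCII text is encoded with a warning."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):  # text type on Python 3 (`unicode` on Python 2)
        warnings.warn(
            "%s should be bytes; passing text is deprecated" % label,
            DeprecationWarning,
            stacklevel=3,  # attribute the warning to the caller of the wrapped API
        )
        try:
            return value.encode("ascii")
        except UnicodeEncodeError:
            # Refuse rather than pick an encoding for the C layer implicitly.
            raise ValueError("%s contains non-ASCII text: %r" % (label, value))
    raise TypeError("%s must be bytes, not %s" % (label, type(value).__name__))


def bytes_params(*names):
    """Hypothetical decorator: normalize the named parameters before the call."""
    def decorate(func):
        sig = inspect.signature(func)

        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            for name in names:
                if name in bound.arguments:
                    bound.arguments[name] = to_bytes_and_warn(
                        name, bound.arguments[name])
            return func(*bound.args, **bound.kwargs)
        return wrapper
    return decorate


@bytes_params("cipher_list")
def set_cipher_list(cipher_list):
    """Stand-in for a binding that hands `cipher_list` to a C `char *`."""
    return cipher_list


if __name__ == "__main__":
    print(set_cipher_list(b"ALL"))   # bytes pass through silently
    print(set_cipher_list("ALL"))    # text: encoded, DeprecationWarning issued
```
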
Is 0.15 going to be released any time soon? 0.14 was released a year ago and there are a lot of bugfixes and new features added since then.
from pyopenssl.
I am having the same issue. http://stackoverflow.com/questions/28749543/pyopenssl-signature-verification-using-python-3
from pyopenssl.
> Is 0.15 going to be released any time soon?
It's on my todo list. I had planned to do one over the holidays but got tied up with other (even less fun, I assure you) things. I have some airport time coming up during which I intend to give this another shot. Sorry about not getting to this more quickly.
from pyopenssl.
I was just about to file this as a new bug when I stumbled upon this ticket. I'm working on a script to generate self-signed certificates and it's broken on Python 3. One thing I couldn't discern from the comments above: is there a workaround? Can I convert the strings to something else that would be accepted?
The following code works in Python 2:

```python
crypto.X509Extension("subjectKeyIdentifier",
                     False,
                     "hash",
                     subject=ca_cert,
                     issuer=ca_cert)
```

However, on Python 3, it results in the error:

```
  File "/usr/lib/python3.4/site-packages/OpenSSL/crypto.py", line 493, in __init__
    extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name, value)
TypeError: initializer for ctype 'char *' must be a bytes or list or tuple, not str
```
from pyopenssl.
you can try using `b"subjectKeyIdentifier"` to force bytes... similar for `b"hash"`
from pyopenssl.
> I was just about to file this as a new bug when I stumbled upon this ticket. I'm working on a script to generate self-signed certificates and it's broken on Python 3.
Also please note this is not a pyOpenSSL bug. This is a Python 2 / Python 3 incompatibility. Your program passes byte strings to the pyOpenSSL API on Python 2. However, your program passes unicode strings to the pyOpenSSL API on Python 3. The API supports byte strings. My inclination at this point is not to change pyOpenSSL to support this usage. Instead, if you want to port an application to Python 3, you have to fix your string usage.
from pyopenssl.
At least `set_cipher_list` was working when passed Unicode strings in Python2. In python2 I am explicitly using u'ALL' to make it a unicode string.
from pyopenssl.
> At least set_cipher_list was working when passed Unicode strings in Python2.
Of course. Python 2 will implicitly encode unicode to str for any number of reasons. This was never intended behavior.
This isn't quite the same thing that sgallagher's comment is about. His program passes bytes to a pyOpenSSL API on Python 2. He can reasonably expect that passing bytes to that API on Python 3 should work. It does not seem to me that he can reasonably expect that passing unicode to that API on Python 3 should work.
from pyopenssl.
I am +1 for updating the documentation to inform that only bytes are supported.
Later we can update separate API method to support Unicode and to write unit tests for that.
To fix this ticket I think that it is ok to just add a bit warning in pyopenssl introduction that Unicode is not supported... and that Unicode which worked in py2.7 will break in py3.
from pyopenssl.
I am only testing on Py 2.7.
I have found another Unicode issue in the `crypto.X509Req()` subject, which asks for Unicode.
Extensions are accepted with UTF-8.
I have this code:

```python
csr = crypto.X509Req()
subject = csr.get_subject()
name = u'\u20acuro-zone.com'
subject.organizationName = name.encode('utf-8')
```

```
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position X: ordinal not in range(128)
```

but it will only accept Unicode ... not UTF-8 bytes.
Same story for commonName, organizationalUnitName, localityName, stateOrProvinceName.
countryName only accepts the hardcoded codes so we should not care about unicode here.
`subject.emailAddress` only accepts ascii chars and fails if I send it Unicode with non-ascii characters... but also fails if I encode them with utf-8.
I am working on a python script to generate a CSR. The code and test are here: chevah/chevah-keycert#10
from pyopenssl.
What version of pyOpenSSL did you test this against? master@HEAD runs this code without error.
from pyopenssl.
I was testing against released version 0.13 and 0.14.
I will give it a try with master. Looking forward to the 0.15 release. Thanks!
from pyopenssl.
Is it fixed in version 12.6.0? https://pypi.python.org/pypi/pyOpenSSL
from pyopenssl.
This seems to have been fixed years ago. @adiroiban can you confirm and close please?
from pyopenssl.
Looks good. Thanks!
Both Unicode and UTF-8 bytes are accepted:

```
$ py
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from OpenSSL import crypto
>>> csr = crypto.X509Req()
>>> subject = csr.get_subject()
>>> name = 'u\u20acuro-zone.com'
>>> subject.organizationName = name.encode('utf-8')
>>> subject
<X509Name object '/O=u\u20acuro-zone.com'>
>>> subject.organizationName = name
>>> import OpenSSL
>>> OpenSSL.__version__
'16.2.0'
```
from pyopenssl.