cryptography/docs/openssl.rst

Use of OpenSSL
==============

``cryptography`` depends on the `OpenSSL`_ C library for all cryptographic
operation. OpenSSL is the de facto standard for cryptographic libraries and
provides high performance along with various certifications that may be
relevant to developers.

A list of supported versions can be found in our :doc:`/installation`
documentation.

In general the backend should be considered an internal implementation detail
of the project, but there are some public methods available for debugging
purposes.

.. data:: cryptography.hazmat.backends.openssl.backend

    .. method:: openssl_version_text()

        :return text: The friendly string name of the loaded OpenSSL library.
            This is not necessarily the same version as it was compiled against.

    .. method:: openssl_version_number()

        .. versionadded:: 1.8

        :return int: The integer version of the loaded OpenSSL library. This is
            defined in ``opensslv.h`` as ``OPENSSL_VERSION_NUMBER`` and is
            typically shown in hexadecimal (e.g. ``0x1010003f``). This is
            not necessarily the same version as it was compiled against.

.. _legacy-provider:

Legacy provider in OpenSSL 3.x
------------------------------

.. versionadded:: 39.0.0

Users can set ``CRYPTOGRAPHY_OPENSSL_NO_LEGACY`` environment variable to
disable the legacy provider in OpenSSL 3.x. This will disable legacy
cryptographic algorithms, including ``Blowfish``, ``CAST5``, ``SEED``,
``ARC4``, and ``RC2`` (which is used by some encrypted serialization formats).


.. _`OpenSSL`: https://www.openssl.org/
deprecate backend part 6 of n (#6524) 2021-11-03 22:51:23 +00:00			`Use of OpenSSL`
			`==============`
Put a warning 2013-09-30 17:52:36 +00:00
deprecate backend part 6 of n (#6524) 2021-11-03 22:51:23 +00:00			``cryptography`` depends on the `OpenSSL`_ C library for all cryptographic
			`operation. OpenSSL is the de facto standard for cryptographic libraries and`
			`provides high performance along with various certifications that may be`
			`relevant to developers.`
Move the danger to the very top of the file 2013-10-27 21:26:17 +00:00
deprecate backend part 6 of n (#6524) 2021-11-03 22:51:23 +00:00			A list of supported versions can be found in our :doc:`/installation`
			`documentation.`
Make the lib and ffi public for the OpenSSL binding and document them 2013-09-30 17:37:22 +00:00
deprecate backend part 6 of n (#6524) 2021-11-03 22:51:23 +00:00			`In general the backend should be considered an internal implementation detail`
drop support for openssl < 1.1.1d (#8449) This removes the OS random engine, which contained the only CPython PSF licensed code in the repository. Accordingly, that license has now been removed. 2023-03-24 12:36:58 +00:00			`of the project, but there are some public methods available for debugging`
			`purposes.`
Scrypt Implementation (#3117) * Scrypt implementation. * Docs stuff. * Make example just an example and not a doctest. * Add changelog entry. * Docs cleanup. * Add more tests. * Add multibackend tests. * PEP8. * Add docs about Scrypt parameters. * Docs cleanup. * Add AlreadyFinalized. 2016-09-01 15:39:57 +00:00
deprecate backend part 6 of n (#6524) 2021-11-03 22:51:23 +00:00			`.. data:: cryptography.hazmat.backends.openssl.backend`
Make the lib and ffi public for the OpenSSL binding and document them 2013-09-30 17:37:22 +00:00
add openssl_version_number & doc openssl_version_text (#3329) * add openssl_version_number & doc openssl_version_text fixes #3315 * more docs + actually assert on the test... * text 2016-12-22 03:10:03 +00:00			`.. method:: openssl_version_text()`

			`:return text: The friendly string name of the loaded OpenSSL library.`
			`This is not necessarily the same version as it was compiled against.`

			`.. method:: openssl_version_number()`

			`.. versionadded:: 1.8`

			`:return int: The integer version of the loaded OpenSSL library. This is`
			defined in ``opensslv.h`` as ``OPENSSL_VERSION_NUMBER`` and is
			typically shown in hexadecimal (e.g. ``0x1010003f``). This is
			`not necessarily the same version as it was compiled against.`

support compilation against openssl 3 with no legacy provider (#7650) You must pass CRYPTOGRAPHY_OPENSSL_NO_LEGACY for this to be allowed. Downstreams can easily patch this check out if they want to default to this behavior. 2022-09-26 21:20:58 +00:00			`.. _legacy-provider:`

			`Legacy provider in OpenSSL 3.x`
			`------------------------------`

			`.. versionadded:: 39.0.0`

			Users can set ``CRYPTOGRAPHY_OPENSSL_NO_LEGACY`` environment variable to
			`disable the legacy provider in OpenSSL 3.x. This will disable legacy`
			cryptographic algorithms, including ``Blowfish``, ``CAST5``, ``SEED``,
			``ARC4``, and ``RC2`` (which is used by some encrypted serialization formats).

add a little info about the various system randoms. maybe useful? 2014-01-30 03:39:13 +00:00
Make the lib and ffi public for the OpenSSL binding and document them 2013-09-30 17:37:22 +00:00			.. _`OpenSSL`: https://www.openssl.org/