replace pyopenssl with cryptography

[prauscher]

trafficstars

closes #879

Description

The feature or problem addressed by this PR

This PR replaces pyopenssl whose usage is discouraged by its own developers. This is especially current since pyopenssl was forced to a version before 24.3.0 in response to #975. This inturn forces older cryptography-versions, making automated vulnerability checkers go brr.

What your changes do and why you chose this solution

The replacement of pyopenssl is quite direct, so probably cryptography could be used to a larger extend, reducing own security functions. On the other hand, cryptography is currently quite fixed to client/server authentification, enforcing stricter regulations on Certificate extensions etc, which might not be suitable here.

I ran the test suite on my machine which looked good, however while pyopenssl usually accepts strings or bytes, cryptography is usually fixed to bytes, forcing encoding to its user, so there may be dragons.

This being my first PR here, I'd highly value feedback and be happy to assist.

Checklist

• [x] Checked that no other issues or pull requests exist for the same issue/change
• [x] Added tests covering the new functionality
• [x] Updated documentation OR the change is too minor to be documented
• [x] Updated CHANGELOG.md OR changes are insignificant

[prauscher]

@c00kiemon5ter Is there anything you need or I could help you with to bring this forward?

[ducdetronquito]

Hi !

At work we use @prauscher branch in production on multiple backends since yesterday with [email protected] and [email protected] and it works like a charm.

I hope this small datapoint will give more confidence to merge this PR :)

[johanlundberg]

I also merged @prauscher branch to our repo and, with my exception above, have seen no problems. Thanks!

[prauscher]

Thanks @johanlundberg, my new commit should eliminiate these problems

[alecbarber]

Working great for us too! Just noting that for since the deps have been updated, the poetry.lock file also needs to be regenerated. poetry lock --no-update gives me this patch (I'd make a suggested change, but Github won't let me 😄)

diff --git a/poetry.lock b/poetry.lock
index 93e08556..6357d2b7 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1248,24 +1248,6 @@ snappy = ["python-snappy"]
 test = ["pytest (>=8.2)", "pytest-asyncio (>=0.24.0)"]
 zstd = ["zstandard"]

-[[package]]
-name = "pyopenssl"
-version = "24.2.1"
-description = "Python wrapper module around the OpenSSL library"
-optional = false
-python-versions = ">=3.7"
-files = [
-    {file = "pyOpenSSL-24.2.1-py3-none-any.whl", hash = "sha256:967d5719b12b243588573f39b0c677637145c7a1ffedcd495a487e58177fbb8d"},
-    {file = "pyopenssl-24.2.1.tar.gz", hash = "sha256:4247f0dbe3748d560dcbb2ff3ea01af0f9a1a001ef5f7c4c647956ed8cbf0e95"},
-]
-
-[package.dependencies]
-cryptography = ">=41.0.5,<44"
-
-[package.extras]
-docs = ["sphinx (!=5.2.0,!=5.2.0.post0,!=7.2.5)", "sphinx-rtd-theme"]
-test = ["pretend", "pytest (>=3.0.1)", "pytest-rerunfailures"]
-
 [[package]]
 name = "pytest"
 version = "8.3.4"
@@ -1971,4 +1953,4 @@ s2repoze = ["paste", "repoze.who", "zope.interface"]
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.9"
-content-hash = "03ec3d72ebbfd582b62c153e6921c3032ff637943724b8a9222bc9593eae71e0"
+content-hash = "ac583ea6afeb45d9c6a66f1a5a49ce08d58b4c0ef554be7d65c55761bc8e8c42"

[prauscher]

Thank you @alecbarber - I also found types-pyopenssl to be obsolete now

[rvanlaar]

It also looks like the dependency on pytz can be removed.

[prauscher]

@rvanlaar good catch - as dateutil is no longer required too I removed pytz and dateutil as well as both typing classes.

[mikicz]

I would love it if this went in!

[prauscher]

@c00kiemon5ter Is there anything I can help you with to get this merged?

[prauscher]

@c00kiemon5ter I have merged master into this branch, so it should now be mergeable. As I do not understand any of this poetry magic, I hope my poetry lock does not trigger new problems, but please tell me if I should rebuild the poetry.lock somehow.

[hsenot]

Hi @prauscher and @c00kiemon5ter - we've been relying on your fork/branch in our app and have noticed a breaking change as of 2 days ago.

It looks like:

requires-python = "^3.9"

is not accepted by our build chain (pip/uv within docker).

Further research suggests that the caret is not PEP 440-compliant. A possible fix would be:

requires-python = ">=3.9,<4.0"

Happy to be challenged on this, as I am not very versed in poetry magic :-)

[c00kiemon5ter]

Latest master (or v7.5.4) have fixed this. Using >=3.9 is fine for now.

@prauscher I would avoid merges from other branches to keep the diff clean. IMHO, rebasing is better and I will rebase this to test it.

[prauscher]

Rebased to current master, so @hsenot should be working again.

Personally I prefer merge over rebase to avoid force pushes, but ymmv. From what I can tell from the change preview, this should be clean-ish now.

[hsenot]

Thanks heaps @prauscher , much appreciated. We're keen to see this branch/fork merged too. Lmk if you need help testing. Cheers!

[SPKorhonen]

I'm also keen to see this merged. I've tested the branch and it works flawlessly and would allow us to remove pyopenssl as dependency in out project.

[prauscher]

@c00kiemon5ter do you need assistance with anything to review and merge this? I'd be happy to help

[prauscher]

Thanks @dotlambda - i guess this must have gone bad during the last rebase... Ran the testsuite now without issues, please confirm on your side :)

[ducdetronquito]

Thanks for you work and patience @prauscher, we are many to wait for your PR to be merged by the maintainers :)