Drop upper bounds on cryptography and pyopenssl#802
hauntsaninja wants to merge 1 commit into oracle:master
Conversation
Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA).
To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application. When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated. If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.
See also #805
The only place where `OpenSSL` is used is via an indirect dependency from `urllib3.contrib.pyopenssl`, which itself is only used when the Python built-in SSL module doesn't support SNI (Server Name Indication). That module itself is only imported via the vendored `requests` init, _iff_ `ssl.HAS_SNI` is `False`, or as an optional import in vendored `requests.help` (which is never imported by code; in the original `requests` library, it's supposed to be run as a command-line module, but it's unlikely `python -m oci._vendor.requests.help` is a real use case).

The `urllib3.contrib.pyopenssl` module's docstring says:

> This module was relevant before the standard library ``ssl``
> module supported SNI, but now that we've dropped support for
> Python 2.7 all relevant Python versions support SNI so
> **this module is no longer recommended**.

This is related to oracle#802; right now there are upper version pins on `pyOpenSSL`, which prevent downstream users from upgrading to e.g. non-vulnerable versions of that library downstream.

Signed-off-by: Aarni Koskela <akx@iki.fi>
I am also having issues due to this, but the workaround from this PR didn't fix it for me. @hauntsaninja I think you will also need to change it in setup.py and pyproject.toml, see:
These are security critical dependencies. Bounds here limit people's ability to respond to vulnerabilities.
See also #700 #692 #681 #618 #568 #548 #515
See also https://iscinumpy.dev/post/bound-version-constraints/
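As an added illustration of the two points raised in this thread (an upper bound on a security-critical dependency blocks a patched release, and the `pyopenssl` shim is only reached when `ssl.HAS_SNI` is false), here is a small audit script. It is example code written for this discussion, not code from oci-python-sdk; the requirement lines and candidate release numbers are constructed samples, not the SDK's real pins, and the version comparison only handles plain dotted release segments.

```python
"""Audit upper-bounded pins on security-critical dependencies (added example,
not oci-python-sdk code). Sample pins below are constructed, not the SDK's."""
import re
import ssl

# Constructed sample requirement lines, in the style of setup.py / requirements.txt.
SAMPLE_REQUIREMENTS = [
    "cryptography>=3.2.1,<=37.0.2",
    "pyOpenSSL>=17.5.0,<=22.0.0",
    "requests>=2.21.0",
]

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
_CLAUSE_RE = re.compile(r"(<=|>=|==|<|>)\s*([0-9][0-9.]*)")  # '<=' tried before '<'

def parse_version(text):
    """Release segments only: '37.0.2' -> (37, 0, 2). Pre-release tags are not handled."""
    return tuple(int(p) for p in text.strip().split("."))

def parse_requirement(line):
    """Return (name, [(op, version_tuple), ...]) for one requirement line."""
    name, rest = _NAME_RE.match(line).groups()
    return name, [(op, parse_version(v)) for op, v in _CLAUSE_RE.findall(rest)]

def blocking_upper_bound(line, candidate):
    """Return the upper-bound clause that excludes `candidate`, or None.
    A failing lower bound is not an upper-bound problem, so it is ignored."""
    _, clauses = parse_requirement(line)
    cand = parse_version(candidate)
    for op, ver in clauses:
        if op == "<" and not cand < ver:
            return f"<{'.'.join(map(str, ver))}"
        if op == "<=" and not cand <= ver:
            return f"<={'.'.join(map(str, ver))}"
    return None

def drop_upper_bounds(line):
    """Rewrite a requirement keeping only its lower bounds, as this PR proposes."""
    name, clauses = parse_requirement(line)
    kept = [f"{op}{'.'.join(map(str, v))}" for op, v in clauses if op in (">=", ">")]
    return name + ",".join(kept)

def pyopenssl_shim_needed():
    """The vendored requests only imports urllib3.contrib.pyopenssl when the stdlib
    ssl module lacks SNI; on any supported CPython this returns False."""
    return not ssl.HAS_SNI

if __name__ == "__main__":
    for req in SAMPLE_REQUIREMENTS:  # '41.0.3' is a constructed candidate release
        print(req, "| blocks 41.0.3 via:", blocking_upper_bound(req, "41.0.3"),
              "| relaxed:", drop_upper_bounds(req))
    print("pyOpenSSL shim needed on this interpreter:", pyopenssl_shim_needed())
```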