cryptography 37.0.0 Not Compatible with pyOpenSSL

[ulriksenstian]

Receiving the following error when importing pyOpenSSL:
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'.

Downgrading to 36.0.2 solved this issue.

[ulriksenstian]

pyOpenSSL 22.0.0

[alex]

X509_V_FLAG_CB_ISSUER_CHECK does not exist in pyOpenSSL 22.0.0, you are using an older version of pyOpenSSL with a brand new cryptography.

See also pyca/pyopenssl#1114

[ulriksenstian]

Our pip install in Databricks didn't actually install correctly. It is working now with PyOpenSSL==22.0.0

[reywood]

@alex Just a question. Is there a reason a new revision of pyOpenSSL 19 isn't released to pin the cryptography dependency to < 37?

[alex]

Several reasons:

1. In general we don't go back and issue point point releases on several year old versions of pyOpenSSL (maybe we should, but that's never been practice thus far)
2. Users who are precisely pinned to ==some release won't benefit from that in anyways, it only helps people who have version range pins. We have no idea of the relative frequency of one pinning strategy vs. another.
3. A much better fix is if pip would let us express "not compatible with" in cryptography's setup.cfg, then we could get folks useful error messages.

[reywood]

Cool. Thanks for the insight.

[reaperhulk]

For this specific instance (where we removed bindings that we only stopped using in pyOpenSSL 22.0.0, released in late January) we've chosen to temporarily revert that change and restore the bindings in 37.0.1. However, we'll remove them again in a future release so the best advice remains to always upgrade pyOpenSSL if you upgrade cryptography.