| Use of OpenSSL |
| ============== |
| |
| ``cryptography`` depends on the `OpenSSL`_ C library for all cryptographic |
| operation. OpenSSL is the de facto standard for cryptographic libraries and |
| provides high performance along with various certifications that may be |
| relevant to developers. |
| |
| A list of supported versions can be found in our :doc:`/installation` |
| documentation. |
| |
| In general the backend should be considered an internal implementation detail |
| of the project, but there are some public methods available for debugging |
| purposes. |
| |
| .. data:: cryptography.hazmat.backends.openssl.backend |
| |
| .. method:: openssl_version_text() |
| |
| :return text: The friendly string name of the loaded OpenSSL library. |
| This is not necessarily the same version as it was compiled against. |
| |
| .. method:: openssl_version_number() |
| |
| .. versionadded:: 1.8 |
| |
| :return int: The integer version of the loaded OpenSSL library. This is |
| defined in ``opensslv.h`` as ``OPENSSL_VERSION_NUMBER`` and is |
| typically shown in hexadecimal (e.g. ``0x1010003f``). This is |
| not necessarily the same version as it was compiled against. |
| |
| .. _legacy-provider: |
| |
| Legacy provider in OpenSSL 3.x |
| ------------------------------ |
| |
| .. versionadded:: 39.0.0 |
| |
| Users can set ``CRYPTOGRAPHY_OPENSSL_NO_LEGACY`` environment variable to |
| disable the legacy provider in OpenSSL 3.x. This will disable legacy |
| cryptographic algorithms, including ``Blowfish``, ``CAST5``, ``SEED``, |
| ``ARC4``, and ``RC2`` (which is used by some encrypted serialization formats). |
| |
| Additionally, the ``CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY`` environment variable |
| can be set during the build process to prevent the library from ever attempting |
| to load the legacy provider. |
| |
| If loading the legacy provider is not disabled and the legacy provider fails to |
| load, a warning is emitted. |
| |
| .. _`OpenSSL`: https://www.openssl.org/ |
