PYTHON-5849 Fix OCSP and pyOpenSSL context compatibility with pyOpenSSL 26.2.0 #2832
Merged
…SL 26.2.0
- In _ocsp_callback, use get_peer_certificate(as_cryptography=True) and get_verified_chain(as_cryptography=True) to work directly with cryptography.x509.Certificate objects, avoiding pyOpenSSL X509 APIs removed in 26.2.0 (get_extension, get_extensions, X509Extension).
- In SSLContext, cache options in self._options to avoid calling set_options() after a Connection is created; pyOpenSSL 26.2.0 raises ValueError for any Context mutation after first Connection creation.
- Remove the now-unnecessary verify callback from __set_verify_mode; it has been optional since pyOpenSSL 20.0 and our minimum is 26.0.0.
Member
Author
Linkcheck failure is unrelated.
sleepyStick
reviewed
Jun 1, 2026
| """Unit tests for _ocsp_callback using a mocked SSL Connection.""" | ||
|
|
||
| def _make_callback_data(self): | ||
| from pymongo.pyopenssl_context import _CallbackData |
Contributor
(sorry to be pedantic but I think this could also be merged with the import at the top of the file?)
sleepyStick
reviewed
Jun 1, 2026
|
|
||
| @unittest.skipUnless(_HAVE_PYOPENSSL, "PyOpenSSL is not available.") | ||
| def test_returns_false_when_peer_cert_is_none(self): | ||
| from pymongo.ocsp_support import _ocsp_callback |
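Review bot: the function-local import of _ocsp_callback in test_returns_false_when_peer_cert_is_none sits under a skipUnless(_HAVE_PYOPENSSL, ...) guard, so if it moves to the top of the file it should go inside the same guarded import that sets _HAVE_PYOPENSSL. Otherwise an environment without the optional dependency could fail at module import instead of skipping the test. A short comment next to the import saying whether it depends on PyOpenSSL would settle the question for the next reader.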
Contributor
wait so why is this down here? (given that it's still here I'm guessing there's a genuine reason and I'm being silly for not knowing it atm)
Member
Author
They're all at the top now
sleepyStick
previously approved these changes
Jun 1, 2026
Member
Author
The test is still failing, putting this back into draft until Evergreen passes.
…6.2.0 compat
service_identity < 24.2.0 uses X509.get_extension(i) to iterate certificate extensions, which was removed in pyOpenSSL 26.2.0. The min_deps variant installed service_identity==23.1.0 alongside pyopenssl==26.2.0, causing AttributeError during verify_hostname after the TLS handshake.
PYTHON-5849
Changes in this PR
Update pymongo/ocsp_support.py and pymongo/pyopenssl_context.py to be compatible with pyOpenSSL 26.2.0, which removed X509 extension APIs and added a restriction against mutating an SSL.Context after a Connection has been created from it.
Test Plan
test/test_pyopenssl_context.py unit tests all pass.
just typing (mypy + pyright) reports no issues.
Checklist
Checklist for Author
Checklist for Reviewer
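The description above moves the OCSP callback onto cryptography.x509.Certificate objects (what get_peer_certificate(as_cryptography=True) returns) instead of the removed X509.get_extension APIs. As an added example, not PyMongo's own code, this reads two OCSP-related extensions through the cryptography API; the helper names, host name and responder URL are constructed, and a locally built self-signed certificate stands in for a real peer certificate.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

def build_sample_cert(ocsp_url=None, must_staple=False):
    """Constructed self-signed certificate standing in for a TLS peer certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "db.example.test")])
    start = datetime.datetime(2026, 1, 1)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=30))
    )
    if ocsp_url:
        location = x509.UniformResourceIdentifier(ocsp_url)
        access = x509.AccessDescription(AuthorityInformationAccessOID.OCSP, location)
        builder = builder.add_extension(
            x509.AuthorityInformationAccess([access]), critical=False)
    if must_staple:
        feature = x509.TLSFeature([x509.TLSFeatureType.status_request])
        builder = builder.add_extension(feature, critical=False)
    return builder.sign(key, hashes.SHA256())

def ocsp_responder_uris(cert):
    """OCSP responder URLs from Authority Information Access; [] when absent."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
    except x509.ExtensionNotFound:
        return []
    # AIA can also carry CA Issuers entries; keep only the OCSP access method.
    return [d.access_location.value for d in aia.value
            if d.access_method == AuthorityInformationAccessOID.OCSP]

def requires_stapled_response(cert):
    """True when the TLS Feature extension lists status_request (must-staple)."""
    try:
        feature = cert.extensions.get_extension_for_class(x509.TLSFeature)
    except x509.ExtensionNotFound:
        return False
    return x509.TLSFeatureType.status_request in feature.value
```

A certificate with neither extension yields an empty responder list and no must-staple requirement, which is the case a caller has to handle explicitly rather than treat as a lookup error.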