Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Deprecation warnings with newest cryptography

See original GitHub issue

Hello @ronf!

After upgrading cryptography to the latest 38.0.0 I can see these warnings on asyncssh import:

/Users/apawlucz/opt/anaconda3/envs/rd_39/lib/python3.9/site-packages/asyncssh/crypto/cipher.py:29: CryptographyDeprecationWarning: Blowfish has been deprecated
  from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish, CAST5
/Users/apawlucz/opt/anaconda3/envs/rd_39/lib/python3.9/site-packages/asyncssh/crypto/cipher.py:29: CryptographyDeprecationWarning: CAST5 has been deprecated
  from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish, CAST5
/Users/apawlucz/opt/anaconda3/envs/rd_39/lib/python3.9/site-packages/asyncssh/crypto/cipher.py:30: CryptographyDeprecationWarning: SEED has been deprecated
  from cryptography.hazmat.primitives.ciphers.algorithms import SEED, TripleDES
/Users/apawlucz/opt/anaconda3/envs/rd_39/lib/python3.9/site-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,

So not sure what is the best way to go forward here (except for a workaround to silence the warnings).

Thanks!

Issue Analytics

State:
Created a year ago
Reactions:3
Comments:6 (4 by maintainers)

Top GitHub Comments

6reactions

ronfcommented, Apr 28, 2022

Hi @adam-pawluczuk - thanks for the report!

It looks like this deprecation was added in cryptography 37.0.0, which went out yesterday. It doesn’t say exactly when these ciphers will be fully removed, though.

I’d like to keep support in AsyncSSH for as long as possible. While all of these ciphers (and more) are already disabled by default in AsyncSSH, I want to make it possible to re-enable them for cases where AsyncSSH is used to communicate with an implementation that might not support more modern ciphers.

Eventually, I’d want a conditional that could check at runtime whether the version of cryptography (or OpenSSL) has support for these ciphers or not. However, it’s not clear at this point what API (if any) cryptography will be provided to allow for that. Right now, I use calls like backend.ed25519_supported() and backend.ed448_supported() on the cryptography.hazmat.backends.openssl module to conditionally include support for some of the EdDSA algorithms. Hopefully something similar will be available at the point where these ciphers are removed. If not, I suppose I could always fall back to a cryptography version check.

In the meantime, there’s still the issue of what to do with the warnings. As you said, probably the best thing for now would be to just silence them, with something like:

diff --git a/asyncssh/crypto/cipher.py b/asyncssh/crypto/cipher.py
index 1c70d52..68badae 100644
--- a/asyncssh/crypto/cipher.py
+++ b/asyncssh/crypto/cipher.py
@@ -21,16 +21,22 @@
 """A shim around PyCA for accessing symmetric ciphers needed by AsyncSSH"""

 from typing import Any, MutableMapping, Optional, Tuple
+import warnings

 from cryptography.exceptions import InvalidTag
 from cryptography.hazmat.primitives.ciphers import Cipher, CipherContext
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from cryptography.hazmat.primitives.ciphers.algorithms import AES, ARC4
-from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish, CAST5
-from cryptography.hazmat.primitives.ciphers.algorithms import SEED, TripleDES
-
+from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
 from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR

+with warnings.catch_warnings():
+    warnings.simplefilter('ignore')
+
+    from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish
+    from cryptography.hazmat.primitives.ciphers.algorithms import CAST5
+    from cryptography.hazmat.primitives.ciphers.algorithms import SEED
+

 _CipherAlgs = Tuple[Any, Any, int]
 _CipherParams = Tuple[int, int, int]

In a quick test against 37.0.1, that seems to work here.

It’s unfortunate that CryptographyDeprecationWarning is derived from UserWarning instead of DeprecationWarning. If it were a DeprecationWarning, these warnings would already be disabled by default in non-debug builds.

3reactions

ronfcommented, Apr 30, 2022

That works too. 😃

If needed, the proposed change above is now available in the “develop” library for anyone who wants it. It also updates the minimum cryptography version documented in the README, and corrects for a change in the cryptography type stubs which was causing mypy to complain about some code in the crypto/x509 module.

Top Results From Across the Web

Frequently asked questions — Cryptography 3.4.2 ...

The deprecation warning emitted on import does not inherit DeprecationWarning but inherits UserWarning instead. If your pytest setup follows the best practices ...

python - Paramiko/cryptography deprecation warnings ...

py:39: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version.

Best practices for the AWS Encryption SDK

When you start using the AWS Encryption SDK, use the latest version ... Deprecation warnings and code comments typically recommend a good alternative....

Changelog — pyOpenSSL 21.0.0 documentation

Added a new optional chain parameter to OpenSSL.crypto. · Added OpenSSL.crypto. · Added Context. · Added OpenSSL. · Make verification callback optional in...

pyOpenSSL · PyPI

Updated to_cryptography and from_cryptography methods to support an upcoming release of cryptography without raising deprecation warnings.