fix(deps): update dependency pyopenssl to v26 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pyOpenSSL (source)	^24.0.0 → ^26.0.0

GitHub Vulnerability Alerts

CVE-2026-27448

If a user provided callback to set_tlsext_servername_callback raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it.

Unhandled exceptions now result in rejecting the connection.

Credit to Leury Castillo for reporting this issue.

CVE-2026-27459

If a user provided callback to set_cookie_generate_callback returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer.

Cookie values that are too long are now rejected.

---

Release Notes

pyca/pyopenssl (pyOpenSSL)

v26.0.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Dropped support for Python 3.7.
• The minimum cryptography version is now 46.0.0.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

• Added support for using aws-lc instead of OpenSSL.
• Properly raise an error if a DTLS cookie callback returned a cookie longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a buffer-overflow. Credit to dark_haxor for reporting the issue. CVE-2026-27459
• Added OpenSSL.SSL.Connection.get_group_name to determine which group name was negotiated.
• Context.set_tlsext_servername_callback now handles exceptions raised in the callback by calling sys.excepthook and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. Credit to Leury Castillo for reporting this issue. CVE-2026-27448

v25.3.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

• Maximum supported cryptography version is now 46.x.

v25.2.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• The minimum cryptography version is now 45.0.7.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

• pyOpenSSL now sets SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER on connections by default, matching CPython's behavior.
• Added OpenSSL.SSL.Context.clear_mode.
• Added OpenSSL.SSL.Context.set_tls13_ciphersuites to set the allowed TLS 1.3 ciphers.
• Added OpenSSL.SSL.Connection.set_info_callback

v25.1.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

• Attempting using any methods that mutate an OpenSSL.SSL.Context after it
  has been used to create an OpenSSL.SSL.Connection will emit a warning. In
  a future release, this will raise an exception.

Changes:
^^^^^^^^

• cryptography maximum version has been increased to 45.0.x.

v25.0.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

• Corrected type annotations on Context.set_alpn_select_callback, Context.set_session_cache_mode, Context.set_options, Context.set_mode, X509.subject_name_hash, and X509Store.load_locations.
• Deprecated APIs are now marked using warnings.deprecated. mypy will emit deprecation notices for them when used with --enable-error-code deprecated.

v24.3.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Removed the deprecated OpenSSL.crypto.CRL, OpenSSL.crypto.Revoked, OpenSSL.crypto.dump_crl, and OpenSSL.crypto.load_crl. cryptography.x509's CRL functionality should be used instead.
• Removed the deprecated OpenSSL.crypto.sign and OpenSSL.crypto.verify. cryptography.hazmat.primitives.asymmetric's signature APIs should be used instead.

Deprecations:
^^^^^^^^^^^^^

• Deprecated OpenSSL.rand - callers should use os.urandom() instead.
• Deprecated add_extensions and get_extensions on OpenSSL.crypto.X509Req and OpenSSL.crypto.X509. These should have been deprecated at the same time X509Extension was. Users should use pyca/cryptography's X.509 APIs instead.
• Deprecated OpenSSL.crypto.get_elliptic_curves and OpenSSL.crypto.get_elliptic_curve, as well as passing the reult of them to OpenSSL.SSL.Context.set_tmp_ecdh, users should instead pass curves from cryptography.
• Deprecated passing X509 objects to OpenSSL.SSL.Context.use_certificate, OpenSSL.SSL.Connection.use_certificate, OpenSSL.SSL.Context.add_extra_chain_cert, and OpenSSL.SSL.Context.add_client_ca, users should instead pass cryptography.x509.Certificate instances. This is in preparation for deprecating pyOpenSSL's X509 entirely.
• Deprecated passing PKey objects to OpenSSL.SSL.Context.use_privatekey and OpenSSL.SSL.Connection.use_privatekey, users should instead pass cryptography private key instances. This is in preparation for deprecating pyOpenSSL's PKey entirely.

Changes:
^^^^^^^^

• cryptography maximum version has been increased to 44.0.x.
• OpenSSL.SSL.Connection.get_certificate, OpenSSL.SSL.Connection.get_peer_certificate, OpenSSL.SSL.Connection.get_peer_cert_chain, and OpenSSL.SSL.Connection.get_verified_chain now take an as_cryptography keyword-argument. When True is passed then cryptography.x509.Certificate are returned, instead of OpenSSL.crypto.X509. In the future, passing False (the default) will be deprecated.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.