################### 1.23.0 (2023-02-18) ################### * Add support for cryptography 39.0. * Add support for acme 2.2.0 and 2.3.0. * Add support for Ed448 and Ed25519 based certificate authorities. * Enable ACMEv2 support by default. ACMEv2 still needs to be enabled for every CA individually. * The profile used when issuing certificates via ACMEv2 is now configurable by certificate authority. The default is the profile named in :ref:`settings-ca-default-profile` instead of the "server" profile. * The ``CA_DIGEST_ALGORITHM`` setting is now called :ref:`settings-ca-default-signature-hash-algorithm`. Values must be a hash algorithm listed in :py:attr:`~django_ca.typehints.SignatureHashAlgorithmName`. * The default hash algorithm for certificate authorities with a DSA private key can now be configured using :ref:`settings-ca-default-dsa-signature-hash-algorithm`. * The :ref:`settings-ca-crl-profiles` setting allows setting overriding parameters for automatically generated CRLs. This is not a new feature, but it is now documented. * Use ``yaml.safe_load`` to load configuration files to protect against malicious configuration. * OCSP keys now use the same signature hash algorithm as their certificate authority by default. * CRLs are now signed with the same signature hash algorithm as their certificate authority by default. *************** Standardization *************** A larger effort has been taken to use standard names for various parts of django-ca. Old option values are supported for a few more releases, please refer to the deprecation notices below for how long they will be supported. * Elliptic Curve keys are now consistently referred to as "EC" instead of "ECC" and Ed25519 keys are now referred to as "Ed25519" instead of "EdDSA". This affects the ``--key-type`` parameter of :command:`manage.py init_ca` and other commands that generate private keys. * The ``CA_DEFAULT_ECC_CURVE`` setting was renamed to ``CA_DEFAULT_ELLIPTIC_CURVE``. * Hash algorithms are now referred to by their standard name, e.g. "SHA-512" instead of ":spelling:ignore:`sha512`". Please see :py:attr:`~django_ca.typehints.SignatureHashAlgorithmName` for all supported algorithm names. ******** Bugfixes ******** * Fixed timestamps in CRLs if ``USE_TZ=False``. Previously, the local time as UTC was used, so freshly issued CRLs might not yet be valid depending on your systems timezone. * Fixed the hash algorithm in OCSP responses. The same algorithm as in the request is now used, previously SHA1 was used (which happens to match the default algorithm used by OpenSSL). Some clients (e.g. :manpage:`openssl ocsp(1SSL)`) cannot determine the status of a certificate if a different hash is used. ******************* Deprecation notices ******************* * This is the last release to support ``acme==2.1.0`` and ``acme==2.2.0``. * Support for the ``CA_DIGEST_ALGORITHM`` setting will be removed in ``django-ca==1.25.0``. Use the :ref:`settings-ca-default-signature-hash-algorithm` setting instead. * Support for the ``CA_DEFAULT_ECC_CURVE`` setting will be removed in ``django-ca==1.25.0``. Use the :ref:`settings-ca-default-elliptic-curve` setting instead. * Support for using ``ECC`` as key type will be removed ``django-ca==1.26.0``. Use ``EC`` instead. * Support for using ``EdDSA`` as key type will be removed in ``django-ca==1.26.0``. Use ``Ed25519`` instead. * Support for non-standard hash algorithm names (e.g. ``sha512`` instead of ``SHA-512`` will be removed in ``django-ca==1.25.0``. Use standard hash algorithm names instead (see :py:attr:`~django_ca.typehints.SignatureHashAlgorithmName` for supported algorithms). * Support for non-standard elliptic curve names (e.g. ``SECP256R1`` instead of ``secp256r1`` will be removed in ``django-ca==1.25.0``. Use standard elliptic curve names instead (see :py:attr:`~django_ca.constants.ELLIPTIC_CURVE_TYPES` for supported curves). * The ``pre_issue_cert`` is will be removed in ``django_ca==1.24.0``. Use the new :py:class:`~django_ca.signals.pre_sign_cert` signal instead. * The subject wrapper class ``django_ca.subject.Subject`` is will be removed in ``django-ca==1.24.0``. * Extension wrapper classes in ``django_ca.extensions`` are will be removed in ``django_ca==1.24.0``. ****************************** Backwards incompatible changes ****************************** * Drop support for Python 3.7. * Drop support for Django 4.0. * Drop support for cryptography 36.0. * Drop support for acme 1.27.0, 1.28.0 and 1.29.0, 1.30.0, 1.31.0 and 2.0.0. * Drop support for Alpine 3.14 and 3.15. * Remove the ``acme`` extra. * :ref:`CA_DEFAULT_SUBJECT ` must no longer be a dict. Use a list or tuple instead.