Deprecate X509Name and the remaining APIs that consume or return it #1514
Merged
Deprecates X509Name, X509.get_issuer, X509.get_subject, and Context.set_client_ca_list in favor of the APIs in cryptography.x509. X509.set_issuer and X509.set_subject were already deprecated as part of the X509 mutable-API deprecations. Connection.get_client_ca_list is not deprecated; it grew an as_cryptography parameter separately.
reaperhulk
approved these changes
Jun 12, 2026
Deprecates OpenSSL.crypto.X509Name and the remaining APIs that consume or return it, in favor of cryptography.x509:

- OpenSSL.crypto.X509Name (the class itself)
- OpenSSL.crypto.X509.get_issuer
- OpenSSL.crypto.X509.get_subject
- OpenSSL.SSL.Context.set_client_ca_list

X509.set_issuer and X509.set_subject were already deprecated as part of the X509 mutable-API deprecations (#1510), so they're not repeated here.

Notes:

- OpenSSL.SSL.Connection.get_client_ca_list is intentionally not deprecated — it grew an as_cryptography parameter in "Add as_cryptography parameter to Connection.get_client_ca_list" (#1508), which is the supported path going forward.
- X509Name construction sites (X509._get_name and Connection.get_client_ca_list) use object.__new__(X509Name) so they don't emit spurious deprecation warnings; the user-facing deprecated methods are decorated individually and each emits exactly one warning.

https://claude.ai/code/session_01KzTRkDmWNuEfCubRUhVit5
Generated by Claude Code
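The warning-suppression pattern described in the second note, as an added standard-library sketch that is not pyOpenSSL's code: the names LegacyName, Cert, deprecated and count_warnings are hypothetical, and it assumes the deprecated class warns from its constructor.

```python
import functools
import warnings


def deprecated(message):
    """Wrap a callable so each call emits exactly one DeprecationWarning."""
    def wrap(func):
        @functools.wraps(func)
        def inner(*args, **kwargs):
            warnings.warn(message, DeprecationWarning, stacklevel=2)
            return func(*args, **kwargs)
        return inner
    return wrap


class LegacyName:  # hypothetical stand-in for a deprecated class
    def __init__(self, value):
        # User-facing construction is the deprecated path, so it warns.
        warnings.warn("LegacyName is deprecated", DeprecationWarning, stacklevel=2)
        self.value = value


class Cert:  # hypothetical owner of internal and public accessors
    def __init__(self, subject):
        self._subject = subject

    def _get_name(self):
        # Internal construction site: object.__new__ skips __init__, so no warning.
        name = object.__new__(LegacyName)
        name.value = self._subject
        return name

    @deprecated("Cert.get_subject is deprecated")
    def get_subject(self):
        return self._get_name()

    def subject_text(self):
        # Non-deprecated caller of the same helper stays silent.
        return self._get_name().value


def count_warnings(func):
    """Run func and return how many DeprecationWarnings it emitted."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        func()
    return sum(issubclass(w.category, DeprecationWarning) for w in caught)
```

Had _get_name called LegacyName(...) directly, the deprecated accessor would warn twice and the non-deprecated one would warn once, which is the spurious output the note refers to.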