Added support for using aws-lc instead of OpenSSL.
Properly raise an error if a DTLS cookie callback returned a cookie
longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in
a buffer-overflow. Credit to dark_haxor for reporting the issue.
CVE-2026-27459
Added OpenSSL.SSL.Connection.get_group_name to determine which group
name was negotiated.
Context.set_tlsext_servername_callback now handles exceptions raised
in the callback by calling sys.excepthook and returning a fatal TLS
alert. Previously, exceptions were silently swallowed and the
handshake would proceed as if the callback had succeeded. Credit to
Leury Castillo for reporting this issue. CVE-2026-27448
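An added example, not taken from the pyOpenSSL changelog or project code, relating to the DTLS cookie fix above: a wrapper that checks the length of whatever a cookie-generate callback returns before it leaves Python, plus a fixed-size HMAC cookie pair. The limit value 255, the peer_of hook and FakeConn are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed value: the page names DTLS1_COOKIE_LENGTH but does not give it.
# Confirm against the OpenSSL headers you build with.
MAX_COOKIE_LEN = 255

def bounded(generate, max_len=MAX_COOKIE_LEN):
    """Wrap a cookie-generate callback; reject oversized or non-bytes results."""
    def wrapper(conn):
        cookie = generate(conn)
        if not isinstance(cookie, (bytes, bytearray)):
            raise TypeError("cookie callback must return bytes")
        if not 0 < len(cookie) <= max_len:
            raise ValueError(f"cookie length {len(cookie)} outside 1..{max_len}")
        return bytes(cookie)
    return wrapper

def make_callbacks(peer_of, secret=None):
    """Build stateless HMAC cookie callbacks.

    peer_of(conn) -> bytes is a hypothetical application hook returning the
    client's address as seen by the server (for example b"ip:port").
    """
    key = secret or secrets.token_bytes(32)

    def generate(conn):
        # 32-byte HMAC-SHA256 tag: fixed size, far below the limit.
        return hmac.new(key, peer_of(conn), hashlib.sha256).digest()

    def verify(conn, cookie):
        # Constant-time comparison; a wrong-length cookie simply fails.
        return hmac.compare_digest(generate(conn), bytes(cookie))

    return bounded(generate), verify

# Constructed stand-in for a connection object, for the demonstration only.
class FakeConn:
    def __init__(self, peer):
        self.peer = peer

# With pyOpenSSL these would be passed to Context.set_cookie_generate_callback
# and Context.set_cookie_verify_callback.
gen, ver = make_callbacks(lambda c: c.peer, secret=b"k" * 32)
```

Wrapping an existing callback with bounded() keeps the length check in application code as well, independent of which library version is installed.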
How to install
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
This update has been submitted for testing by jcline.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
This update has been pushed to testing.
no regressions noted
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by jcline.
This update has been pushed to stable.