20

Things were running along fine until one of my projects started printing this everywhere, at the top of every execution, at least once:

local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.

I have no idea why it started and it's disrupting the applications'/tools' output, especially when it's being captured and consumed by other tools. Like many difficulties throughout time, I'm fairly certain it is related to urllib and, by association, requests. Worse, I have so many projects and cross-dependencies that I can't possibly update all of the imports and branches with the call to warnings.filterwarnings() to suppress the warning.

I have Python 2.7.6 . Apparently this goes away in 2.7.7 . Only, I have some systems that have 2.7.6 where I do not see the warnings. So, something may or may not be disabling them in one version and I might've inadvertently replaced it with another version.

My Ubuntu, Python, urllib, requests (with the security option), cryptography, and hmac are all identical versions/builds on systems that do print the warning and systems that do not.

There appears to be no relevant warnings or announcements online and it seems like any related project is static/stable by this point (even though 'hmac' can be installed via PIP, it hasn't changed in eight years).

Dustin Oprea
  • 9,673
  • 13
  • 65
  • 105
  • What version of the `cryptography` module do you have installed in the different environments. This warning was only added to the git repository early in 2018: https://github.com/pyca/cryptography/pull/4261. Can you pin the cryptography module to an older version - you would not get these warnings? I'm assuming you just have an older version of the module installed on the systems you are not getting the warning. – AChampion Aug 10 '18 at 04:14
  • 1
    Hmm. Well, 2.2.2 removes the warning for me, locally, but now my confusion is due to the fact that: a) I run all of my stuff out of virtualenvs and the cryptography package is absent and unimportable unless I install it through my install process. So, why is the one that my install process is installing producing the warning remotely but not locally. b) That said, I'm quite sure that when I've asked our devops team to update our provisioning for the servers, they did *not* tie it to a specific version. So, the servers should have latest,too. Ideas? – Dustin Oprea Aug 10 '18 at 04:39
  • Sorry, no idea what your processes are so cannot answer why. – AChampion Aug 10 '18 at 04:45
  • I'm doing my best to spell them out for you. There's no magic to it. They're effectively just PIP-installs. I figured there was something that I must be missing. – Dustin Oprea Aug 10 '18 at 04:57

7 Answers7

43

I hit this error for quite sometime. For my environment, it was a pain to upgrade Python to a higher version than 2.7.6. The easier solution was to downgrade cryptography module using pip:

pip2.7 install cryptography==2.2.2

I think the best solution is to upgrade your python version though

mbenhalima
  • 722
  • 1
  • 9
  • 20
  • Yeah, but sometimes it's out if your hands. This had worked for me, too. Tried all of the recent versions until it went away. – Dustin Oprea Sep 17 '18 at 23:20
  • In my python 3.6.8 venv on a cloud VPS: `pip install cryptography==2.2.2` rolled back that package and eliminated that warning. On a CentOS 7 VPS, it was the far simpler solution than updating python. – Victoria Stuart Aug 03 '22 at 02:36
  • Phenomenal answer, after suffering for years with this nightmare horrid warning, I finally got rid of it. – George Chalhoub Dec 23 '22 at 12:31
11

This answer is for Python3

I got here by looking for an answer while using Paramiko. For those still looking for a simple answer. I got these CryptographyDeprecationWarning suppresed with the these lines of code before importing Paramiko:

import warnings 
warnings.filterwarnings(action='ignore',module='.*paramiko.*')

I hope this helps

Vic Olvera
  • 119
  • 1
  • 4
  • 3
    The original question is a general Python cryptography warning. It has nothing to do with Paramiko. – Dustin Oprea Mar 26 '19 at 01:39
  • 2
    @DustinOprea understood, maybe I should clarify that Paramiko was throwing the CryptographyDeprecationWarning for me. Hence my answer. Apologies if is confusing. – Vic Olvera Mar 26 '19 at 14:54
  • I'm just trying to mitigate the chance that observers would think this might be Paramiko specific. Anything that is throwing the warning is doing so due to the issue in the cryptography package that they're all using. – Dustin Oprea Mar 27 '19 at 06:58
  • Useful https://stackoverflow.com/questions/54861026/how-to-silence-ellipticcurvepublicnumbers-encode-point-cryptographydeprecationwa – Steven Almeroth Apr 04 '19 at 12:48
  • 2
    should import `warnings` not `warning` – bitdancer May 28 '19 at 12:58
10

If you want to be more selective about suppressing JUST that particular deprecation warning:

import warnings
from cryptography.utils import CryptographyDeprecationWarning
warnings.filterwarnings("ignore", category=CryptographyDeprecationWarning)

... Well, I'm pretty sure the above did work at the time of posting, or perhaps still does in some circumstances. But recently I found a situation where it didn't suppress the warning, whereas this suggestion in a comment from Nikolaj Š. did:

import warnings
# Suppress the deprecation warning from the cryptography module.
with warnings.catch_warnings():
    warnings.simplefilter("ignore")
    import cryptography

So ... go with whatever works!

Jason Drew
  • 281
  • 2
  • 8
  • I had tried reverse-engineering the whole thing in order to crack that code and arrive at just such a solution but got nowhere. This is useful to know. – Dustin Oprea Nov 25 '20 at 19:33
  • thanks a lot! putting this at the right place is the only way I could get rid of this log noise. – oberstet Feb 19 '21 at 18:30
3

I started getting this warning for a straightforward requests.get call. This warning is printed when the module cryptography.hazmat.primitives.constant_time is loaded, and so this should typically only come once per Python program. If you are seeing it many times, it must be because a Python program (like a utility) is getting executed multiple times. You just have to identify that program and add the below code to the main entry point:

import cryptography
from cryptography import utils
with warnings.catch_warnings():
    warnings.simplefilter('ignore', cryptography.utils.DeprecatedIn23)
    import cryptography.hazmat.primitives.constant_time
haridsv
  • 9,065
  • 4
  • 62
  • 65
  • Tried your solution, but... AttributeError: 'module' object has no attribute 'DeprecatedIn23' – Aleksandar Pavić Jun 18 '19 at 11:39
  • @AleksandarPavić What version of Python are you using? – haridsv Jun 18 '19 at 14:14
  • Both `import cryptography` and `from cryptography import ` emit the deprecations warning for me, so I went for ```python import warnings with warnings.catch_warnings(): warnings.simplefilter("ignore") import cryptography ``` After that you can import other modules depending on `cryptography`. – Nikolaj Š. Mar 08 '22 at 08:35
3

I fixed this for all my local projects and tools using Python 2 by removing the warning from the python source code [your_installation_path]\Python\Lib\site-packages\cryptography\__init__.py

Just remove this snipped at the end of the file and delete the __init__.pyc file so its recompiled with the changes:

if sys.version_info[0] == 2:
warnings.warn(
    "Python 2 is no longer supported by the Python core team. Support for "
    "it is now deprecated in cryptography, and will be removed in the "
    "next release.",
    CryptographyDeprecationWarning,
    stacklevel=2,
)
user2877574
  • 41
  • 2
1

For Python3 only:

Per an apparent Paramiko update this worked for me and solve the similar problem/symptoms I was experiencing:

pip3 install --upgrade paramiko

This installed paramiko 2.6.0 on my system, replacing 2.4.2:

$ pip3 install --upgrade paramiko
[...]
Installing collected packages: paramiko
  Found existing installation: paramiko 2.4.2
    Uninstalling paramiko-2.4.2:
      Successfully uninstalled paramiko-2.4.2
Successfully installed paramiko-2.6.0
$

My Python2 environment appears to be messed up, so I'm not able to test this on Python2.

Johnny Utahh
  • 2,389
  • 3
  • 25
  • 41
0

When you do pip2.7 install cryptography==2.2.2, it appears the error might still occur. I believe you need also sudo pip2.7 install --upgrade pip Aso, as of 5/5/19 the newest appears to be cryptography=2.6.1

phydroxide
  • 29
  • 4