chore(deps): update dependency pyopenssl to v26 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
pyOpenSSL (source)	==25.0.0 → ==26.0.0
pyopenssl (source)	==25.0.0 → ==26.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-27448

If a user provided callback to set_tlsext_servername_callback raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it.

Unhandled exceptions now result in rejecting the connection.

Credit to Leury Castillo for reporting this issue.

---

Release Notes

pyca/pyopenssl (pyOpenSSL)

v26.0.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Dropped support for Python 3.7.
• The minimum cryptography version is now 46.0.0.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

• Added support for using aws-lc instead of OpenSSL.
• Properly raise an error if a DTLS cookie callback returned a cookie longer than DTLS1_COOKIE_LENGTH bytes. Previously this would result in a buffer-overflow. Credit to dark_haxor for reporting the issue. CVE-2026-27459
• Added OpenSSL.SSL.Connection.get_group_name to determine which group name was negotiated.
• Context.set_tlsext_servername_callback now handles exceptions raised in the callback by calling sys.excepthook and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. Credit to Leury Castillo for reporting this issue. CVE-2026-27448

v25.3.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

• Maximum supported cryptography version is now 46.x.

v25.2.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• The minimum cryptography version is now 45.0.7.

Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^

• pyOpenSSL now sets SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER on connections by default, matching CPython's behavior.
• Added OpenSSL.SSL.Context.clear_mode.
• Added OpenSSL.SSL.Context.set_tls13_ciphersuites to set the allowed TLS 1.3 ciphers.
• Added OpenSSL.SSL.Connection.set_info_callback

v25.1.0

Compare Source

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations:
^^^^^^^^^^^^^

• Attempting using any methods that mutate an OpenSSL.SSL.Context after it
  has been used to create an OpenSSL.SSL.Connection will emit a warning. In
  a future release, this will raise an exception.

Changes:
^^^^^^^^

• cryptography maximum version has been increased to 45.0.x.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the pyOpenSSL dependency to version 26.0.0 across various requirements.txt files. This upgrade is critical for enhancing security by addressing known vulnerabilities related to TLS/DTLS handling, ensuring more robust and secure communication channels. The update also aligns with the latest Python and cryptography version requirements, maintaining compatibility and leveraging recent improvements.

Highlights

• Dependency Update: Updated the pyOpenSSL dependency from version 25.0.0 to 26.0.0 in multiple requirements.txt files.
• Security Fixes: Incorporated fixes for CVE-2026-27448, which ensures unhandled exceptions in set_tlsext_servername_callback now result in rejecting the connection, and CVE-2026-27459, which addresses a buffer overflow in the DTLS cookie callback.
• Backward Incompatibilities: Dropped support for Python 3.7 and increased the minimum cryptography version requirement to 46.0.0.

Changelog

• cloud-media-livestream/keypublisher/requirements.txt
  • Updated pyOpenSSL from 25.0.0 to 26.0.0.
• cloud-sql/sql-server/sqlalchemy/requirements.txt
  • Updated pyopenssl from 25.0.0 to 26.0.0.

Activity

• This pull request was automatically generated by Renovate Bot to update the pyOpenSSL dependency.
• The automerge feature is currently disabled by configuration, requiring manual merging.
• The PR description includes detailed release notes for pyOpenSSL v26.0.0, highlighting backward-incompatible changes, deprecations, and new features.
• Security advisories for CVE-2026-27448 and CVE-2026-27459 are explicitly mentioned, detailing the vulnerabilities and their resolutions.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the pyopenssl dependency to v26.0.0 to address a security vulnerability. While the update for cloud-media-livestream/keypublisher/requirements.txt appears to be safe, the update for cloud-sql/sql-server/sqlalchemy/requirements.txt introduces a critical dependency conflict. The cloud-sql-python-connector package has a requirement for an older version of the cryptography library that is incompatible with pyopenssl==26.0.0. Please see the specific comment for details on how to resolve this.

[gemini-code-assist]

This update introduces an incompatible dependency. According to the release notes, pyopenssl==26.0.0 requires cryptography>=46.0.0. However, cloud-sql-python-connector==1.20.0 in this requirements.txt file requires cryptography<43.0.0. These conflicting requirements will cause installation to fail.

To fix this, you should revert this change until a compatible version of cloud-sql-python-connector is available.

pyopenssl==25.0.0