Obnoxious CryptographyDeprecationWarning because of missing hmac.compare_time function everywhere

Asked 10/8, 2018 at 3:59 Answered 3/5, 2021 at 21:59

Solved python python-requests urllib urllib3

Things were running along fine until one of my projects started printing this everywhere, at the top of every execution, at least once:

local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.

I have no idea why it started and it's disrupting the applications'/tools' output, especially when it's being captured and consumed by other tools. Like many difficulties throughout time, I'm fairly certain it is related to urllib and, by association, requests. Worse, I have so many projects and cross-dependencies that I can't possibly update all of the imports and branches with the call to warnings.filterwarnings() to suppress the warning.

I have Python 2.7.6 . Apparently this goes away in 2.7.7 . Only, I have some systems that have 2.7.6 where I do not see the warnings. So, something may or may not be disabling them in one version and I might've inadvertently replaced it with another version.

My Ubuntu, Python, urllib, requests (with the security option), cryptography, and hmac are all identical versions/builds on systems that do print the warning and systems that do not.

There appears to be no relevant warnings or announcements online and it seems like any related project is static/stable by this point (even though 'hmac' can be installed via PIP, it hasn't changed in eight years).

Anson answered 10/8, 2018 at 3:59 Comment(4)

What version of the cryptography module do you have installed in the different environments. This warning was only added to the git repository early in 2018: github.com/pyca/cryptography/pull/4261. Can you pin the cryptography module to an older version - you would not get these warnings? I'm assuming you just have an older version of the module installed on the systems you are not getting the warning. – Adolf 10/8, 2018 at 4:14

Hmm. Well, 2.2.2 removes the warning for me, locally, but now my confusion is due to the fact that: a) I run all of my stuff out of virtualenvs and the cryptography package is absent and unimportable unless I install it through my install process. So, why is the one that my install process is installing producing the warning remotely but not locally. b) That said, I'm quite sure that when I've asked our devops team to update our provisioning for the servers, they did not tie it to a specific version. So, the servers should have latest,too. Ideas? – Anson 10/8, 2018 at 4:39

Sorry, no idea what your processes are so cannot answer why. – Adolf 10/8, 2018 at 4:45

I'm doing my best to spell them out for you. There's no magic to it. They're effectively just PIP-installs. I figured there was something that I must be missing. – Anson 10/8, 2018 at 4:57

I hit this error for quite sometime. For my environment, it was a pain to upgrade Python to a higher version than 2.7.6. The easier solution was to downgrade cryptography module using pip:

pip2.7 install cryptography==2.2.2

I think the best solution is to upgrade your python version though

Columbous answered 17/9, 2018 at 22:55 Comment(3)

Yeah, but sometimes it's out if your hands. This had worked for me, too. Tried all of the recent versions until it went away. – Anson 17/9, 2018 at 23:20

In my python 3.6.8 venv on a cloud VPS: pip install cryptography==2.2.2 rolled back that package and eliminated that warning. On a CentOS 7 VPS, it was the far simpler solution than updating python. – Interlinear 3/8, 2022 at 2:36

Phenomenal answer, after suffering for years with this nightmare horrid warning, I finally got rid of it. – Belike 23/12, 2022 at 12:31

This answer is for Python3

I got here by looking for an answer while using Paramiko. For those still looking for a simple answer. I got these CryptographyDeprecationWarning suppresed with the these lines of code before importing Paramiko:

import warnings 
warnings.filterwarnings(action='ignore',module='.*paramiko.*')

I hope this helps

Whitleywhitlock answered 25/3, 2019 at 10:58 Comment(5)

The original question is a general Python cryptography warning. It has nothing to do with Paramiko. – Anson 26/3, 2019 at 1:39

@DustinOprea understood, maybe I should clarify that Paramiko was throwing the CryptographyDeprecationWarning for me. Hence my answer. Apologies if is confusing. – Whitleywhitlock 26/3, 2019 at 14:54

I'm just trying to mitigate the chance that observers would think this might be Paramiko specific. Anything that is throwing the warning is doing so due to the issue in the cryptography package that they're all using. – Anson 27/3, 2019 at 6:58

Useful #54861526 – Deafen 4/4, 2019 at 12:48

should import warnings not warning – Incarnation 28/5, 2019 at 12:58

If you want to be more selective about suppressing JUST that particular deprecation warning:

import warnings
from cryptography.utils import CryptographyDeprecationWarning
warnings.filterwarnings("ignore", category=CryptographyDeprecationWarning)

... Well, I'm pretty sure the above did work at the time of posting, or perhaps still does in some circumstances. But recently I found a situation where it didn't suppress the warning, whereas this suggestion in a comment from Nikolaj Š. did:

import warnings
# Suppress the deprecation warning from the cryptography module.
with warnings.catch_warnings():
    warnings.simplefilter("ignore")
    import cryptography

So ... go with whatever works!

Stamford answered 24/11, 2020 at 17:14 Comment(2)

I had tried reverse-engineering the whole thing in order to crack that code and arrive at just such a solution but got nowhere. This is useful to know. – Anson 25/11, 2020 at 19:33

thanks a lot! putting this at the right place is the only way I could get rid of this log noise. – Nyasaland 19/2, 2021 at 18:30

I fixed this for all my local projects and tools using Python 2 by removing the warning from the python source code [your_installation_path]\Python\Lib\site-packages\cryptography\__init__.py

Just remove this snipped at the end of the file and delete the __init__.pyc file so its recompiled with the changes:

if sys.version_info[0] == 2:
warnings.warn(
    "Python 2 is no longer supported by the Python core team. Support for "
    "it is now deprecated in cryptography, and will be removed in the "
    "next release.",
    CryptographyDeprecationWarning,
    stacklevel=2,
)

Wedged answered 3/5, 2021 at 21:59 Comment(0)

I started getting this warning for a straightforward requests.get call. This warning is printed when the module cryptography.hazmat.primitives.constant_time is loaded, and so this should typically only come once per Python program. If you are seeing it many times, it must be because a Python program (like a utility) is getting executed multiple times. You just have to identify that program and add the below code to the main entry point:

import cryptography
from cryptography import utils
with warnings.catch_warnings():
    warnings.simplefilter('ignore', cryptography.utils.DeprecatedIn23)
    import cryptography.hazmat.primitives.constant_time

Energetic answered 15/9, 2018 at 17:25 Comment(3)

Tried your solution, but... AttributeError: 'module' object has no attribute 'DeprecatedIn23' – Craggy 18/6, 2019 at 11:39

@AleksandarPavić What version of Python are you using? – Energetic 18/6, 2019 at 14:14

Both import cryptography and from cryptography import <whatever> emit the deprecations warning for me, so I went for python import warnings with warnings.catch_warnings(): warnings.simplefilter("ignore") import cryptography After that you can import other modules depending on cryptography. – Clackmannan 8/3, 2022 at 8:35

For Python3 only:

Per an apparent Paramiko update this worked for me and solve the similar problem/symptoms I was experiencing:

pip3 install --upgrade paramiko

This installed paramiko 2.6.0 on my system, replacing 2.4.2:

$ pip3 install --upgrade paramiko
[...]
Installing collected packages: paramiko
  Found existing installation: paramiko 2.4.2
    Uninstalling paramiko-2.4.2:
      Successfully uninstalled paramiko-2.4.2
Successfully installed paramiko-2.6.0
$

My Python2 environment appears to be messed up, so I'm not able to test this on Python2.

Yttrium answered 11/10, 2019 at 20:18 Comment(0)

When you do pip2.7 install cryptography==2.2.2, it appears the error might still occur. I believe you need also sudo pip2.7 install --upgrade pip Aso, as of 5/5/19 the newest appears to be cryptography=2.6.1

Asymptotic answered 5/5, 2019 at 19:50 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags