-
My project presently consumes asyncssh 2.12.0 and in my opinion, I cannot directly bump up to 2.14.2 since cryptography and asyncssh are related to each other and upgrading directly to 2.14.2 might break the code.
-
There really isn't a tight dependency between cryptography and AsyncSSH. At the moment, it only requires cryptography >= 39.0, and it should work with everything from that up to the latest. On my local machine, one of my installs was cryptography 42.0.1 and it ran just fine. For good measure, I upgraded that install to 42.0.5 and that works fine as well. I also have other installs running cryptography 39.0.1 and those are fine as well.
-
Note that the version numbering in cryptography changed from major version 3.4.8 to version 35.0 back in 2021, so this isn't as big a jump as it might look. AsyncSSH moved from a minimum cryptography version of 3.1 to 39.0 back in June of last year in change e70969f, to work around a performance problem related to extra checking in recent versions of OpenSSL when generating RSA keys. The fix for this depended on some new functionality in cryptography. In particular, I expect the addition of the "unsafe_skip_rsa_key_validation" argument passed to cryptography in crypto/rsa.py in this change wouldn't work in 3.2.0.

If you backed out this change, I think there's a good chance cryptography 3.2.0 would work, but if you are linking against newer versions of OpenSSL, you'll likely hit the performance problem if you are using RSA keys.

I think your best bet here would be to try to move your project version to the latest version of cryptography. Sticking on an old version leaves your project open to many potential security vulnerabilities, and in my experience there haven't been that many breaking changes in cryptography. Where there were, it wasn't difficult to adjust application code to deal with them.
-
My recommendation would be to start by upgrading cryptography to the latest version without changing anything else and then running your application and see if anything breaks. If it does, check the change log for cryptography at https://cryptography.io/en/latest/changelog/ to see if it provides any guidance for dealing with backward-incompatible changes.

Once you have that working, try upgrading AsyncSSH to 2.14.2. That's a pretty small delta from where you are, and shouldn't be a problem once you have the newer cryptography installed.

I don't know which cryptography APIs you are using directly, but the link above should allow you to see how your code might be impacted. On the AsyncSSH side, it's mostly bug fixes, and a handful of small features. There's nothing backward-incompatible, though, so anything you're doing with AsyncSSH should continue to work as it did before. For details of the changes, see the change log at https://asyncssh.readthedocs.io/en/latest/changes.html.
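The following is an added example, not part of the thread and not AsyncSSH code: a pre-upgrade check that reads pinned versions, compares them numerically against the `cryptography >= 39.0` minimum quoted in the replies (so the 3.4.8 to 35.0 renumbering is handled correctly), and orders the upgrade as recommended above. All function names are hypothetical and the sample pins are constructed.

```python
import re

# From the reply above: AsyncSSH "only requires cryptography >= 39.0".
ASYNCSSH_MIN_CRYPTOGRAPHY = (39, 0)

def release(version):
    """Numeric release tuple: '3.4.8' -> (3, 4, 8), '42.0.5' -> (42, 0, 5)."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def meets_minimum(version, minimum=ASYNCSSH_MIN_CRYPTOGRAPHY):
    """Compare numerically, padding with zeros, so 3.4.8 < 35.0 < 39 == 39.0."""
    have = release(version)
    width = max(len(have), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(have) >= pad(minimum)

def read_pins(requirements_text):
    """Collect 'name==version' pins; comments and unpinned lines are skipped."""
    pins = {}
    for line in requirements_text.splitlines():
        match = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s;#]+)", line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins

def upgrade_plan(pins, asyncssh_target="2.14.2"):
    """Order the work as the reply recommends: cryptography first, then AsyncSSH."""
    plan = []
    crypto = pins.get("cryptography")
    if crypto is None or not meets_minimum(crypto):
        plan.append(("cryptography", crypto, "below AsyncSSH minimum: upgrade and test first"))
    else:
        plan.append(("cryptography", crypto, "meets minimum: upgrade to latest and test"))
    current = pins.get("asyncssh")
    if current is None or release(current) < release(asyncssh_target):
        plan.append(("asyncssh", current, f"upgrade to {asyncssh_target} afterwards"))
    return plan

# Constructed sample pins, not taken from the poster's project.
SAMPLE = "asyncssh==2.12.0\ncryptography==3.2.0  # old numbering\nrequests>=2.0\n"

if __name__ == "__main__":
    for step in upgrade_plan(read_pins(SAMPLE)):
        print(step)
```
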