diff --git a/dev-python/cryptography/Manifest b/dev-python/cryptography/Manifest
new file mode 100644
index 000000000..8198d095c
--- /dev/null
+++ b/dev-python/cryptography/Manifest
@@ -0,0 +1 @@
+DIST cryptography-2.2.2.tar.gz 443822 BLAKE2B d0fbaad78d172f1ba1bfa6edd64d2d5a0eac0853a564fdbb9830dfedc5c53fe1b28d8c1878be85ce38b8cd90a0c2e40e6a209158693a88a7053a80f0481e6302 SHA512 6c1b19cdb870d65abad42523697e9a0bebc7a0025b34f10c4bdd30c313333efd7c41bcb4237a29b3a1b270e3fbade75ccb35df172b055b7c075d619f4d9424c9
diff --git a/dev-python/cryptography/cryptography-2.2.2.ebuild b/dev-python/cryptography/cryptography-2.2.2.ebuild
new file mode 100644
index 000000000..c20ec519e
--- /dev/null
+++ b/dev-python/cryptography/cryptography-2.2.2.ebuild
@@ -0,0 +1,68 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy{,3} )
+PYTHON_REQ_USE="threads(+)"
+
+inherit distutils-r1 flag-o-matic
+
+DESCRIPTION="Library providing cryptographic recipes and primitives"
+HOMEPAGE="https://github.com/pyca/cryptography/ https://pypi.org/project/cryptography/"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="|| ( Apache-2.0 BSD )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~amd64-linux ~x86-linux ~x64-macos ~x64-solaris"
+IUSE="libressl test"
+
+# the openssl 1.0.2l-r1 needs to be updated again :(
+# It'd theb be able to go into the || section again
+#=dev-libs/openssl-1.0.2l-r1:0
+# the following is the original section, disallowing bindist entirely
+#!libressl? ( >=dev-libs/openssl-1.0.2:0=[-bindist(-)] )
+RDEPEND="
+	!libressl? (
+		dev-libs/openssl:0= (
+			|| (
+				dev-libs/openssl:0[-bindist(-)]
+				>=dev-libs/openssl-1.0.2o-r2:0
+			)
+		)
+	)
+	libressl? ( dev-libs/libressl:0= )
+	$(python_gen_cond_dep '>=dev-python/cffi-1.7:=[${PYTHON_USEDEP}]' 'python*')
+	$(python_gen_cond_dep 'dev-python/enum34[${PYTHON_USEDEP}]' python2_7 pypy{,3})
+	>=dev-python/idna-2.1[${PYTHON_USEDEP}]
+	>=dev-python/asn1crypto-0.21.0[${PYTHON_USEDEP}]
+	dev-python/setuptools[${PYTHON_USEDEP}]
+	>=dev-python/six-1.4.1[${PYTHON_USEDEP}]
+	virtual/python-ipaddress[${PYTHON_USEDEP}]
+	"
+DEPEND="${RDEPEND}
+	>=dev-python/setuptools-1.0[${PYTHON_USEDEP}]
+	test? (
+		~dev-python/cryptography-vectors-${PV}[${PYTHON_USEDEP}]
+		dev-python/hypothesis[${PYTHON_USEDEP}]
+		dev-python/iso8601[${PYTHON_USEDEP}]
+		dev-python/pretend[${PYTHON_USEDEP}]
+		dev-python/pyasn1-modules[${PYTHON_USEDEP}]
+		>=dev-python/pytest-2.9.0[${PYTHON_USEDEP}]
+		dev-python/pytz[${PYTHON_USEDEP}]
+	)"
+
+DOCS=( AUTHORS.rst CONTRIBUTING.rst README.rst )
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.1.4-libressl-2.7-x509.patch
+	"${FILESDIR}"/${PN}-2.1.4-libressl-2.7-x509_vfy.patch
+)
+
+python_configure_all() {
+	append-cflags $(test-flags-CC -pthread)
+}
+
+python_test() {
+	py.test -v -v -x || die "Tests fail with ${EPYTHON}"
+}
diff --git a/dev-python/cryptography/files/cryptography-1.7.1-libressl251.patch b/dev-python/cryptography/files/cryptography-1.7.1-libressl251.patch
new file mode 100644
index 000000000..a23ed7658
--- /dev/null
+++ b/dev-python/cryptography/files/cryptography-1.7.1-libressl251.patch
@@ -0,0 +1,17 @@
+diff -Naur cryptography-1.7.1.orig/src/_cffi_src/openssl/x509_vfy.py cryptography-1.7.1/src/_cffi_src/openssl/x509_vfy.py
+--- cryptography-1.7.1.orig/src/_cffi_src/openssl/x509_vfy.py	2017-02-01 12:29:59.080728417 -0800
++++ cryptography-1.7.1/src/_cffi_src/openssl/x509_vfy.py	2017-02-01 12:31:48.017895844 -0800
+@@ -221,10 +221,13 @@
+ static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+ static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+ static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
++#if !CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER || \
++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2050100fL)
+ static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
+ static const long X509_V_ERR_EMAIL_MISMATCH = 0;
+ static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
++#endif
+ #endif
+ 
+ /* OpenSSL 1.0.2beta2+ verification parameters */
+ #if CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER && \
diff --git a/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509.patch b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509.patch
new file mode 100644
index 000000000..9a14d4606
--- /dev/null
+++ b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509.patch
@@ -0,0 +1,23 @@
+diff -ur a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
+--- a/src/_cffi_src/openssl/x509.py	2017-07-27 05:11:29.000000000 +0200
++++ b/src/_cffi_src/openssl/x509.py	2018-03-23 10:28:00.387774214 +0100
+@@ -254,8 +254,7 @@
+ 
+ const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *);
+ 
+-/* in 1.1.0 becomes const ASN1_BIT_STRING, const X509_ALGOR */
+-void X509_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509 *);
++void X509_get0_signature(const ASN1_BIT_STRING **, const X509_ALGOR **, const X509 *);
+ 
+ long X509_get_version(X509 *);
+ 
+@@ -338,7 +337,8 @@
+ CUSTOMIZATIONS = """
+ /* Added in 1.0.2 beta but we need it in all versions now due to the great
+    opaquing. */
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && \
++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ /* from x509/x_x509.c version 1.0.2 */
+ void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                          const X509 *x)
diff --git a/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509_vfy.patch b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509_vfy.patch
new file mode 100644
index 000000000..a1c93cf0c
--- /dev/null
+++ b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509_vfy.patch
@@ -0,0 +1,73 @@
+$OpenBSD: patch-src__cffi_src_openssl_x509_vfy_py,v 1.7 2018/02/22 18:49:16 sthen Exp $
+
+--- a/src/_cffi_src/openssl/x509_vfy.py
++++ b/src/_cffi_src/openssl/x509_vfy.py
+@@ -204,7 +204,7 @@ int sk_X509_OBJECT_num(Cryptography_STACK_OF_X509_OBJE
+ X509_OBJECT *sk_X509_OBJECT_value(Cryptography_STACK_OF_X509_OBJECT *, int);
+ X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *);
+ Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *);
+-X509 *X509_OBJECT_get0_X509(X509_OBJECT *);
++X509 *X509_OBJECT_get0_X509(const X509_OBJECT *);
+ int X509_OBJECT_get_type(const X509_OBJECT *);
+ 
+ /* added in 1.1.0 */
+@@ -220,14 +220,11 @@ static const long Cryptography_HAS_102_VERIFICATION_ER
+ static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
+ #else
+ static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
++#if LIBRESSL_VERSION_NUMBER >= 0x2070000fL
++static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
++#else
+ static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0;
+ 
+-static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
+-static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
+-static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
+-static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+-static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+-static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
+ /* These 3 defines are unavailable in LibreSSL 2.5.x, but may be added
+    in the future... */
+ #ifndef X509_V_ERR_HOSTNAME_MISMATCH
+@@ -240,12 +237,6 @@ static const long X509_V_ERR_EMAIL_MISMATCH = 0;
+ static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
+ #endif
+ 
+-/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
+-   below because it shows up in some earlier 3rd party OpenSSL packages. */
+-static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
+-static const long X509_V_FLAG_SUITEB_192_LOS = 0;
+-static const long X509_V_FLAG_SUITEB_128_LOS = 0;
+-
+ int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *,
+                                    size_t) = NULL;
+ int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *,
+@@ -257,6 +248,19 @@ void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PA
+                                         unsigned int) = NULL;
+ #endif
+ 
++static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
++static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
++static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
++static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
++static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
++static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
++/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
++   below because it shows up in some earlier 3rd party OpenSSL packages. */
++static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
++static const long X509_V_FLAG_SUITEB_192_LOS = 0;
++static const long X509_V_FLAG_SUITEB_128_LOS = 0;
++#endif
++
+ /* OpenSSL 1.0.2+ or Solaris's backport */
+ #ifdef X509_V_FLAG_PARTIAL_CHAIN
+ static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1;
+@@ -292,7 +296,7 @@ X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+     return ctx->cert;
+ }
+ 
+-X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) {
++X509 *X509_OBJECT_get0_X509(const X509_OBJECT *x) {
+     return x->data.x509;
+ }
+ #endif
diff --git a/dev-python/cryptography/metadata.xml b/dev-python/cryptography/metadata.xml
new file mode 100644
index 000000000..2dfa57bc0
--- /dev/null
+++ b/dev-python/cryptography/metadata.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>python@gentoo.org</email>
+    <name>Python</name>
+  </maintainer>
+  <upstream>
+    <remote-id type="pypi">cryptography</remote-id>
+    <remote-id type="github">pyca/cryptography</remote-id>
+  </upstream>
+</pkgmetadata>
diff --git a/net-analyzer/sslyze/Manifest b/net-analyzer/sslyze/Manifest
index fdadbf9f5..4d83199f1 100644
--- a/net-analyzer/sslyze/Manifest
+++ b/net-analyzer/sslyze/Manifest
@@ -1,4 +1,3 @@
-DIST sslyze-1.3.0.tar.gz 2550770 BLAKE2B f6140fa7b0069d2d1b66620faae2a365b103c543d66a8958ac88f31d8c52187d4ca142f4f64e7764ebe79c60a86d00eaa439379e03e717dae0e935c5aff65249 SHA512 fa354b3f1641e164d00f8a77042c3a07600c91f06c1acee200c9c3457353a04339e2caf4929e4cc46087fa24e70ad74cb014f733c62af6725c3f9f96900ff3cd
-DIST sslyze-1.3.2.tar.gz 2602857 BLAKE2B 3ed73d58134a190e38307c7628fd23264638b476fad65b92a4fd3e7767691662cb1d3d5d7b723588527ce57ac55801f26a8a5e278c5cd26a572d38f8b4ee98fc SHA512 3a267a378a440b7fafafb6c28fa3ebb6bc1bbbc67a8d6a43dffde7b7df18cedb6bd14cd6e8af755f6173d44460c5b2fc83c9ff068c60db25ca4c8df0967eed93
 DIST sslyze-1.3.4.tar.gz 2427566 BLAKE2B 002755723e2f1f4eea0da4f5cdecfc1ee5109e94cc39f9063ec35ae882a269f0e7546917a85e6a0f0bdcb58f1c746a5a9fc33dfed866ef79ed20189436d9bb54 SHA512 0e82de17c1e53aec9a4e7a84291e0e7e83fb358ed23e822daed7f1febd1fc30c2b49d293e7a688d3089d51c79bdbf653beac7e2c73b2213b9428e02ed1b11436
 DIST sslyze-1.4.1.tar.gz 2525359 BLAKE2B 8b7730ef2755fcb6ae7cfafedac3c9c286324430b6debb859bea1afbc1375ff44abaa9081cce099bbac3979c4e2cb625525374260e83770f51b39457a5867747 SHA512 3843c5a52b963e763604a3897760d9e49141690f377ece86f5c56d43689ba002ca56e27d5ae5fad1bea6c5f3ea0b2497feaf627d9b6d0e6b7e8de4c1cdcd2615
+DIST sslyze-1.4.2.tar.gz 2609182 BLAKE2B 765e44f62b72d86bf67aafa68fe6a0ad0573e3aefce41684f926dd05f4265be274c60350294b1e708432990dea3e5b96a107e187bcd32574f005978b53f62adc SHA512 7c84074fe36e72f1bf7644dc2a75330cdd1316bb60efde0df3a1a6f1dc1dc5b241364303e2e02ee992d5b16d67fb447b6d29826e3b07d0565759664f1a722c0b
diff --git a/net-analyzer/sslyze/sslyze-1.4.1-r1.ebuild b/net-analyzer/sslyze/sslyze-1.4.1-r1.ebuild
index 796199440..f7132e3df 100644
--- a/net-analyzer/sslyze/sslyze-1.4.1-r1.ebuild
+++ b/net-analyzer/sslyze/sslyze-1.4.1-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -18,6 +18,7 @@ IUSE=""
 DEPEND=""
 RDEPEND="=dev-python/nassl-1.1*[${PYTHON_USEDEP}]
 	>=dev-python/cryptography-2.1.4[${PYTHON_USEDEP}]
+	>=dev-python/tls_parser-1.2.0[${PYTHON_USEDEP}]
 	$(python_gen_cond_dep 'dev-python/enum34[${PYTHON_USEDEP}]' python{2_7,3_3})
 	$(python_gen_cond_dep 'dev-python/typing[${PYTHON_USEDEP}]' python{2_7,3_3,3_4})
 "
diff --git a/net-analyzer/sslyze/sslyze-1.4.2.ebuild b/net-analyzer/sslyze/sslyze-1.4.2.ebuild
new file mode 100644
index 000000000..734ffec8c
--- /dev/null
+++ b/net-analyzer/sslyze/sslyze-1.4.2.ebuild
@@ -0,0 +1,24 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python{2_7,3_{4,5,6}} )
+inherit distutils-r1
+
+DESCRIPTION="Fast and full-featured SSL scanner"
+HOMEPAGE="https://github.com/nabla-c0d3/sslyze"
+SRC_URI="https://github.com/nabla-c0d3/sslyze/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+DEPEND=""
+RDEPEND="=dev-python/nassl-1.1*[${PYTHON_USEDEP}]
+	=dev-python/cryptography-2.2.2[${PYTHON_USEDEP}]
+	>=dev-python/tls_parser-1.2.0[${PYTHON_USEDEP}]
+	$(python_gen_cond_dep 'dev-python/enum34[${PYTHON_USEDEP}]' python{2_7,3_3})
+	$(python_gen_cond_dep 'dev-python/typing[${PYTHON_USEDEP}]' python{2_7,3_3,3_4})
+"
diff --git a/profiles/pentoo/base/package.accept_keywords/dev-python b/profiles/pentoo/base/package.accept_keywords/dev-python
index e5df07359..76127aac1 100644
--- a/profiles/pentoo/base/package.accept_keywords/dev-python
+++ b/profiles/pentoo/base/package.accept_keywords/dev-python
@@ -78,6 +78,7 @@ dev-python/simplesoapy
 =dev-python/nassl-1.1*
 =dev-python/tls_parser-1.2*
 =dev-python/cryptography-2.1*
+=dev-python/cryptography-2.2*
 
 #gplaycli
 =dev-python/androguard-3.2*