[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs
Antoine Pitrou
report at bugs.python.org
Sat Mar 22 03:34:31 CET 2014
New submission from Antoine Pitrou:
>From the OpenSSL changelog:
*) Support for automatic EC temporary key parameter selection. If enabled
the most preferred EC parameters are automatically used instead of
hardcoded fixed parameters. Now a server just has to call:
SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
support ECDH and use the most appropriate parameters.
[Steve Henson]
We could probably call this function automatically on SSL contexts, when possible.
Besides, Apache's mod_ssl has the following code:
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
#else
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
#endif
So perhaps we can also reuse the same fallback to "prime256v1" (which would allow prioritizing ECDH in the cipher string).
----------
components: Library (Lib)
messages: 214431
nosy: christian.heimes, dstufft, pitrou
priority: normal
severity: normal
status: open
title: support SSL_CTX_set_ecdh_auto on newer OpenSSLs
type: enhancement
versions: Python 3.4, Python 3.5
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue21015>
_______________________________________
More information about the Python-bugs-list
mailing list