New submission from Antoine Pitrou:
>From the OpenSSL changelog:
*) Support for automatic EC temporary key parameter selection. If enabled
the most preferred EC parameters are automatically used instead of
hardcoded fixed parameters. Now a server just has to call:
SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
support ECDH and use the most appropriate parameters.
[Steve Henson]
We could probably call this function automatically on SSL contexts, when
possible.
Besides, Apache's mod_ssl has the following code:
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
#else
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
#endif
So perhaps we can also reuse the same fallback to "prime256v1" (which would
allow prioritizing ECDH in the cipher string).
----------
components: Library (Lib)
messages: 214431
nosy: christian.heimes, dstufft, pitrou
priority: normal
severity: normal
status: open
title: support SSL_CTX_set_ecdh_auto on newer OpenSSLs
type: enhancement
versions: Python 3.4, Python 3.5
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue21015>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
