Christian Heimes <li...@cheimes.de> added the comment: Which version of OpenSSL are you using? Please note that macOS' system python uses either an ancient version of OpenSSL 0.9.8 or an ancient version of LibreSSL (IIRC 2.3.x).
The code in question is:

    #if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
        /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
           prime256v1 by default. This is Apache mod_ssl's initialization
           policy, so we should be safe. OpenSSL 1.1 has it enabled by
           default. */
    #if defined(SSL_CTX_set_ecdh_auto)
        SSL_CTX_set_ecdh_auto(self->ctx, 1);
    #else
        {
            EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
            SSL_CTX_set_tmp_ecdh(self->ctx, key);
            EC_KEY_free(key);
        }
    #endif
    #endif

The block is executed for all SSLContexts (server and client) because . The behavior depends on the version of OpenSSL:

  OpenSSL >= 1.1:          not executed
  OpenSSL >= 1.0.2, < 1.1: SSL_CTX_set_ecdh_auto(ctx, 1)
  LibreSSL:                SSL_CTX_set_ecdh_auto(ctx, 1)
  OpenSSL < 1.0.2:         hard-code prime256v1

Since we have no means to distinguish between a server context and a client context at the moment, we unconditionally call SSL_CTX_set_ecdh_auto(). It may not be perfect under some conditions. But it gives most users a sane and secure default to start with.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_ecdh_auto.html

----------
nosy: +alex, dstufft, janssen

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31809>
_______________________________________
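Added example (not part of the tracker comment or of CPython itself): a small audit helper that maps the OpenSSL flavour reported by the `ssl` module to the branch of the `_ssl.c` block above that the interpreter would have taken, so a deployment (for example a macOS system Python on OpenSSL 0.9.8) can be checked for the hard-coded prime256v1 fallback. The branch labels and the LibreSSL detection by version-string prefix are my own assumptions; the policy table is the one stated in the comment.

```python
import ssl

# Branch labels (constructed for this example) for the ECDH setup in _ssl.c.
ECDH_BUILTIN = "not executed: OpenSSL >= 1.1 selects curves automatically"
ECDH_AUTO = "SSL_CTX_set_ecdh_auto(ctx, 1)"
ECDH_FIXED = "hard-coded prime256v1 via SSL_CTX_set_tmp_ecdh()"
ECDH_NONE = "ECDH unavailable in this build (OPENSSL_NO_ECDH)"


def ecdh_policy(version_string, version_info, has_ecdh=True):
    """Return which branch of the _ssl.c block applies.

    version_string mirrors ssl.OPENSSL_VERSION (e.g. "OpenSSL 1.0.2k ...")
    and version_info mirrors ssl.OPENSSL_VERSION_INFO (major, minor, fix, ...).
    """
    if not has_ecdh:
        return ECDH_NONE
    # Assumption: LibreSSL announces itself in the version string and reports a
    # synthetic OPENSSL_VERSION_NUMBER (2.0.0), so check the string first.
    if version_string.startswith("LibreSSL"):
        return ECDH_AUTO
    major, minor, fix = version_info[:3]
    if (major, minor) >= (1, 1):
        return ECDH_BUILTIN
    if (major, minor, fix) >= (1, 0, 2):
        return ECDH_AUTO
    return ECDH_FIXED


def audit_running_interpreter():
    """Apply the policy table to the ssl module this interpreter was built with."""
    return ecdh_policy(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO, ssl.HAS_ECDH)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", audit_running_interpreter())
```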