[issue32858] Improve OpenSSL ECDH support

2018-02-20 Thread sruester
sruester added the comment: I agree, we shouldn't support that confusion. I opened two separate issues https://bugs.python.org/issue32882 and https://bugs.python.org/issue32883 and will close this one now. -- resolution: -> wont fix stage: patch review ->

[issue32858] Improve OpenSSL ECDH support

2018-02-19 Thread Christian Heimes
Christian Heimes added the comment: Please split this issue into multiple issues, a bug report for the curve configuration bug and a feature request for kxinfo. The bug fix may land in 2.7, 3.6 and 3.7 while the new feature can only land in 3.8. Before you start coding,

[issue32858] Improve OpenSSL ECDH support

2018-02-19 Thread sruester
sruester added the comment: AppVeyor build failed for pull request 5707. It looks like there was a problem with the build environment. -- ___ Python tracker

[issue32858] Improve OpenSSL ECDH support

2018-02-16 Thread sruester
Change by sruester: -- pull_requests: +5495

[issue32858] Improve OpenSSL ECDH support

2018-02-16 Thread sruester
sruester added the comment: I'd really love to see kxinfo() or a similar method in the standard. I chose to implement it similar to cipher() which seemed to be a good idea then. If there are any objections, please let's discuss how that information can be made

[issue32858] Improve OpenSSL ECDH support

2018-02-16 Thread Christian Heimes
Christian Heimes added the comment: Thanks! I rejected your initial PR. In the past we added some cruft or badly designed features to the SSL module. I'm in the process of cleaning the module up. Any new feature or revised method should be designed carefully and added to

[issue32858] Improve OpenSSL ECDH support

2018-02-16 Thread sruester
sruester added the comment: Attached script shows usage -- Added file: https://bugs.python.org/file47449/ssl-host-check.py

[issue32858] Improve OpenSSL ECDH support

2018-02-16 Thread sruester
sruester added the comment: With OpenSSL 1.1.0g, the code

    #include <stdio.h>
    #include <openssl/objects.h>
    #include <openssl/ec.h>

    int nid = OBJ_sn2nid("X25519");
    EC_KEY *key = EC_KEY_new_by_curve_name(nid);
    printf("id:%i key:%p\n", nid, key);

gives

    id:1034 key:(nil)

EC_KEY_new_by_curve_name is IMHO not the best option to define

[issue32858] Improve OpenSSL ECDH support

2018-02-16 Thread sruester
Change by sruester: -- keywords: +patch pull_requests: +5489 stage: needs patch -> patch review

[issue32858] Improve OpenSSL ECDH support

2018-02-16 Thread Christian Heimes
Christian Heimes added the comment: When I replace the current implementation of SSLContext.set_ecdh_curve() with an implementation based on SSL_CTX_set1_curves_list(), then I'm able to configure X25519 curve for ECDH.

[issue32858] Improve OpenSSL ECDH support

2018-02-16 Thread Christian Heimes
Christian Heimes added the comment: Please elaborate, how did you test that the curve is not supported? Python calls SSL_CTX_set_ecdh_auto(self->ctx, 1) to auto configure curves.

    >>> import ssl
    >>> ssl = ssl.SSLContext()
    >>> ssl.set_ecdh_curve('X25519')
    Traceback (most recent

[issue32858] Improve OpenSSL ECDH support

2018-02-16 Thread Stefan Rüster
New submission from Stefan Rüster: Tested with OpenSSL v1.1.0g, Python does not support selection of curve Curve25519 with _ssl.ctx.set_ecdh_curve("X25519"). Additionally the DH key exchange parameters (which curve has been chosen, what DH bit size was used) are not