Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1". 

(should also fix a buildbot failure introduced by #20995)
This commit is contained in:
Antoine Pitrou 2014-03-22 18:14:57 +01:00
parent 92497a42b7 0bebbc33fa
commit 39b7fce82d
3 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Lib/test/test_ssl.py
View File

@ -2567,6 +2567,18 @@ else:
s.connect((HOST, server.port)) s.connect((HOST, server.port))
self.assertIn("no shared cipher", str(server.conn_errors[0])) self.assertIn("no shared cipher", str(server.conn_errors[0]))
@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
def test_default_ecdh_curve(self):
# Issue #21015: elliptic curve-based Diffie Hellman key exchange
# should be enabled by default on SSL contexts.
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.load_cert_chain(CERTFILE)
context.set_ciphers("ECDH")
with ThreadedEchoServer(context=context) as server:
with context.wrap_socket(socket.socket()) as s:
s.connect((HOST, server.port))
self.assertIn("ECDH", s.cipher()[0])
@unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES, @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
"'tls-unique' channel binding not available") "'tls-unique' channel binding not available")
def test_tls_unique_channel_binding(self): def test_tls_unique_channel_binding(self):

4
Misc/NEWS
View File

@ -23,6 +23,10 @@ Core and Builtins
Library Library
------- -------
- Issue #21015: SSL contexts will now automatically select an elliptic
curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise
default to "prime256v1".
- Issue #21000: Improve the command-line interface of json.tool. - Issue #21000: Improve the command-line interface of json.tool.
- Issue #20995: Enhance default ciphers used by the ssl module to enable - Issue #20995: Enhance default ciphers used by the ssl module to enable

15
Modules/_ssl.c
View File

@ -2059,6 +2059,21 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
options |= SSL_OP_NO_SSLv2; options |= SSL_OP_NO_SSLv2;
SSL_CTX_set_options(self->ctx, options); SSL_CTX_set_options(self->ctx, options);
#ifndef OPENSSL_NO_ECDH
/* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
prime256v1 by default. This is Apache mod_ssl's initialization
policy, so we should be safe. */
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(self->ctx, 1);
#else
{
EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(self->ctx, key);
EC_KEY_free(key);
}
#endif
#endif
#define SID_CTX "Python" #define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
sizeof(SID_CTX)); sizeof(SID_CTX));