[New-bugs-announce] [issue26254] ssl server doesn't work with ECC certificates
Evgeny Kapun
report at bugs.python.org
Sun Jan 31 20:50:17 EST 2016
New submission from Evgeny Kapun:
I tried to use the ssl module to create a server with a certificate that uses an ECC key. However, this didn't work. Here is how to reproduce this:
First, generate a key and a certificate:
$ openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -keyout key.pem -out cert.pem
(type some passphrase, then just press Enter in response to the questions that it asks)
Then run this Python program:
from socket import socket
from ssl import wrap_socket
s = socket()
s.bind(('localhost', 12345))
s.listen()
wrap_socket(s.accept()[0], 'key.pem', 'cert.pem', True)
This program will wait for a connection, so try to connect:
$ openssl s_client -connect localhost:12345
The program will ask for a passphrase, so type it. After that, you will get an exception:
Traceback (most recent call last):
File "test.py", line 6, in <module>
wrap_socket(s.accept()[0], 'key.pem', 'cert.pem', True)
File "/usr/lib/python3.5/ssl.py", line 1064, in wrap_socket
ciphers=ciphers)
File "/usr/lib/python3.5/ssl.py", line 747, in __init__
self.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 983, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 628, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:645)
If the certificate uses an RSA key, it works. With ECC, I had no luck. I tried creating a context explicitly and using the set_ciphers method to enable more ciphers. While it appears to support ECDSA ciphersuites, it can't use them for some reason.
----------
components: Extension Modules
messages: 259305
nosy: abacabadabacaba
priority: normal
severity: normal
status: open
title: ssl server doesn't work with ECC certificates
type: behavior
versions: Python 3.5
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26254>
_______________________________________
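The NO_SHARED_CIPHER error in the report is the handshake's way of saying that none of the suites the server enabled can be authenticated with the key it loaded: in TLS 1.2, each suite pins the certificate's key type (OpenSSL prints it as Au=RSA or Au=ECDSA in its cipher description), whereas TLS 1.3 suites are key-type agnostic (Au=any). The script below is an added diagnostic, not code from the report or from CPython; it uses only the public ssl API (SSLContext.get_ciphers, maximum_version, set_ciphers, which assumes Python 3.7 or later) and takes the key type as a parameter, since in practice you would read it off the loaded certificate. It reproduces the report's situation (an explicit context plus set_ciphers) without needing any key or certificate file and shows which cipher strings leave an ECDSA key with nothing to negotiate.

```python
import re
import ssl

# Added diagnostic (constructed example): predict whether a server context can
# negotiate anything at all with a key of a given type, mirroring the
# NO_SHARED_CIPHER failure from the report without opening a socket.

_AU_RE = re.compile(r"\bAu=(\S+)")


def cipher_auth(cipher):
    """Authentication algorithm of one SSLContext.get_ciphers() entry.

    OpenSSL's description field looks like
    'ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD';
    TLS 1.3 suites report 'Au=any' because they work with either key type.
    """
    m = _AU_RE.search(cipher["description"])
    return m.group(1) if m else "unknown"


def usable_ciphers(ctx, key_type):
    """Names of the suites in ctx that a server holding a key_type key
    ('RSA' or 'ECDSA') can actually negotiate.

    TLS 1.3 suites (Au=any) only count if the context still allows TLS 1.3;
    they stay in get_ciphers() even after maximum_version is lowered.
    """
    max_v = ctx.maximum_version
    allow_tls13 = (max_v == ssl.TLSVersion.MAXIMUM_SUPPORTED
                   or max_v >= ssl.TLSVersion.TLSv1_3)
    usable = []
    for c in ctx.get_ciphers():
        au = cipher_auth(c)
        if au == key_type:
            usable.append(c["name"])
        elif au == "any" and allow_tls13 and c["protocol"] == "TLSv1.3":
            usable.append(c["name"])
    return usable


def diagnose(ctx, key_type):
    """One-line verdict matching what the handshake would do."""
    usable = usable_ciphers(ctx, key_type)
    if not usable:
        return ("NO_SHARED_CIPHER expected: none of the %d enabled suites "
                "authenticate with a %s key" % (len(ctx.get_ciphers()), key_type))
    return "%d suites usable with a %s key, e.g. %s" % (
        len(usable), key_type, usable[0])


def server_context(cipher_string=None, tls12_only=False):
    """Build a server context the way the report does (explicit context plus
    set_ciphers).  No certificate is loaded: this checks the negotiation
    space only, so it runs without any key or cert files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if tls12_only:
        # Remove the key-type-agnostic TLS 1.3 suites so the TLS 1.2
        # RSA-vs-ECDSA pinning is the only thing that decides the outcome.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if cipher_string:
        ctx.set_ciphers(cipher_string)
    return ctx


if __name__ == "__main__":
    scenarios = [
        ("default list", server_context()),
        ("aRSA only, TLS 1.2", server_context("aRSA", tls12_only=True)),
        ("aECDSA only, TLS 1.2", server_context("aECDSA", tls12_only=True)),
    ]
    for label, ctx in scenarios:
        for key_type in ("RSA", "ECDSA"):
            print("%-22s %-6s -> %s" % (label, key_type, diagnose(ctx, key_type)))
```

The "aRSA only" scenario is the interesting one for this report: a cipher string that restricts authentication to RSA leaves an ECC certificate with zero usable TLS 1.2 suites, and the server then answers every ClientHello with NO_SHARED_CIPHER, exactly as in the traceback. When adjusting set_ciphers on a server, run this kind of check against the key type you deploy rather than trusting that a suite name containing "ECDSA" is present in the list. Note that the module-level ssl.wrap_socket used in the report was removed in Python 3.12; current code builds an SSLContext and calls its wrap_socket method.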