[New-bugs-announce] [issue26254] ssl server doesn't work with ECC certificates

Evgeny Kapun report at bugs.python.org
Sun Jan 31 20:50:17 EST 2016


New submission from Evgeny Kapun:

I tried to use the ssl module to create a server with a certificate that uses an ECC key. However, this didn't work. Here is how to reproduce this:

First, generate a key and a certificate:

    $ openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -keyout key.pem -out cert.pem
    (type some passphrase, then just press Enter in response to the questions that it asks)

Then run this Python program:

    from socket import socket
    from ssl import wrap_socket
    s = socket()
    s.bind(('localhost', 12345))
    s.listen()
    wrap_socket(s.accept()[0], 'key.pem', 'cert.pem', True)

This program will wait for a connection, so try to connect:

    $ openssl s_client -connect localhost:12345

The program will ask for a passphrase, so type it. After that, you will get an exception:

    Traceback (most recent call last):
      File "test.py", line 6, in <module>
        wrap_socket(s.accept()[0], 'key.pem', 'cert.pem', True)
      File "/usr/lib/python3.5/ssl.py", line 1064, in wrap_socket
        ciphers=ciphers)
      File "/usr/lib/python3.5/ssl.py", line 747, in __init__
        self.do_handshake()
      File "/usr/lib/python3.5/ssl.py", line 983, in do_handshake
        self._sslobj.do_handshake()
      File "/usr/lib/python3.5/ssl.py", line 628, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:645)

If the certificate uses an RSA key, it works. With ECC, I had no luck. I tried creating a context explicitly and using the set_ciphers method to enable more ciphers. While it appears to support ECDSA ciphersuites, it can't use them for some reason.

----------
components: Extension Modules
messages: 259305
nosy: abacabadabacaba
priority: normal
severity: normal
status: open
title: ssl server doesn't work with ECC certificates
type: behavior
versions: Python 3.5

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26254>
_______________________________________
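An added diagnostic example (not part of the report above and not CPython's own test code) that shows how a server operator can tell whether a NO_SHARED_CIPHER failure comes from the cipher list rather than the certificate, and then exercises an ECDSA certificate over loopback with the explicit SSLContext API instead of the module-level wrap_socket() helper the report uses. It goes a little beyond the report by grouping every suite a context offers by its authentication algorithm (the "Au=" field of OpenSSL's cipher description), so the same check also explains RSA-only or PSK-only contexts. Assumptions: the `openssl` CLI is on PATH (the fixture is generated with the same `req -newkey ec` command as the report), loopback networking is available, the passphrase string is a constructed value, and `SSLContext.get_ciphers()` / `PROTOCOL_TLS_SERVER` are used, which exist in Python 3.6 and later rather than the 3.5 of the report.

```python
import os
import re
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def ciphers_by_auth(ctx):
    """Group the suites a context offers by the authentication algorithm
    OpenSSL reports in the cipher description ("Au=ECDSA", "Au=RSA",
    "Au=any" for the TLS 1.3 suites).  A server holding an ECC certificate
    can only negotiate the "ECDSA" and "any" groups; if both are empty every
    handshake ends in NO_SHARED_CIPHER no matter what the client offers."""
    groups = {}
    for cipher in ctx.get_ciphers():
        match = re.search(r"Au=(\S+)", cipher["description"])
        auth = match.group(1) if match else "unknown"
        groups.setdefault(auth, []).append(cipher["name"])
    return groups


def generate_ec_cert(directory, passphrase):
    """Create a passphrase-protected P-256 key and self-signed certificate
    with the openssl CLI, mirroring the command in the report (test fixture,
    constructed here; not a production certificate)."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "ec",
         "-pkeyopt", "ec_paramgen_curve:prime256v1",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=localhost", "-passout", "pass:" + passphrase],
        check=True, capture_output=True)
    return cert, key


def tls_handshake_with_ec_cert(passphrase="constructed-passphrase"):
    """Run one TLS handshake over loopback with an ECDSA server certificate
    and return what both ends negotiated.  Returns None when the fixture
    cannot be built (no openssl CLI, or it refuses to run here)."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as directory:
        try:
            cert, key = generate_ec_cert(directory, passphrase)
        except (OSError, subprocess.CalledProcessError):
            return None

        # Explicit contexts: the password argument replaces the interactive
        # passphrase prompt that the report's wrap_socket() call triggers.
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key, password=passphrase)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.load_verify_locations(cert)  # trust the self-signed fixture
        client_ctx.check_hostname = False       # fixture has a CN but no SAN

        listener = socket.socket()
        listener.settimeout(5)                  # never hang the caller
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        result = {}

        def serve():
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as ssock:
                result["server_cipher"] = ssock.cipher()
                # suites offered by the client that this server also supports;
                # an empty list here is exactly the NO_SHARED_CIPHER situation
                result["shared"] = [c[0] for c in (ssock.shared_ciphers() or [])]
                ssock.recv(1)

        worker = threading.Thread(target=serve)
        worker.start()
        try:
            with socket.create_connection(("127.0.0.1", port)) as raw:
                with client_ctx.wrap_socket(raw) as csock:
                    result["client_cipher"] = csock.cipher()
                    csock.sendall(b"x")
        finally:
            worker.join(5)
            listener.close()
        return result


if __name__ == "__main__":
    print(ciphers_by_auth(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
    print(tls_handshake_with_ec_cert())
```

Running `ciphers_by_auth()` on a context after `set_ciphers("aRSA")` shows the "ECDSA" group disappearing, which is the state a server with an ECC certificate must avoid; the handshake helper reports the negotiated suite (an ECDHE-ECDSA suite under TLS 1.2, or a `TLS_*` suite under TLS 1.3, where the authentication algorithm is no longer part of the suite name).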

