[Python-checkins] cpython (3.4): Issue #21015: SSL contexts will now automatically select an elliptic curve for

antoine.pitrou python-checkins at python.org
Sat Mar 22 18:15:09 CET 2014 

http://hg.python.org/cpython/rev/869277faf3dc
changeset:   89917:869277faf3dc
branch:      3.4
parent:      89910:e9749a7aa958
user:        Antoine Pitrou <solipsis at pitrou.net>
date:        Sat Mar 22 18:13:50 2014 +0100
summary:
  Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1".

(should also fix a buildbot failure introduced by #20995)

files:
  Lib/test/test_ssl.py |  12 ++++++++++++
  Misc/NEWS            |   4 ++++
  Modules/_ssl.c       |  15 +++++++++++++++
  3 files changed, 31 insertions(+), 0 deletions(-)


diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2567,6 +2567,18 @@
                         s.connect((HOST, server.port))
             self.assertIn("no shared cipher", str(server.conn_errors[0]))
 
+        @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
+        def test_default_ecdh_curve(self):
+            # Issue #21015: elliptic curve-based Diffie Hellman key exchange
+            # should be enabled by default on SSL contexts.
+            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            context.load_cert_chain(CERTFILE)
+            context.set_ciphers("ECDH")
+            with ThreadedEchoServer(context=context) as server:
+                with context.wrap_socket(socket.socket()) as s:
+                    s.connect((HOST, server.port))
+                    self.assertIn("ECDH", s.cipher()[0])
+
         @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
                              "'tls-unique' channel binding not available")
         def test_tls_unique_channel_binding(self):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,10 @@
 Library
 -------
 
+- Issue #21015: SSL contexts will now automatically select an elliptic
+  curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise
+  default to "prime256v1".
+
 - Issue #20995: Enhance default ciphers used by the ssl module to enable
   better security an prioritize perfect forward secrecy.
 
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2059,6 +2059,21 @@
         options |= SSL_OP_NO_SSLv2;
     SSL_CTX_set_options(self->ctx, options);
 
+#ifndef OPENSSL_NO_ECDH
+    /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+       prime256v1 by default.  This is Apache mod_ssl's initialization
+       policy, so we should be safe. */
+#if defined(SSL_CTX_set_ecdh_auto)
+    SSL_CTX_set_ecdh_auto(self->ctx, 1);
+#else
+    {
+        EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        SSL_CTX_set_tmp_ecdh(self->ctx, key);
+        EC_KEY_free(key);
+    }
+#endif
+#endif
+
 #define SID_CTX "Python"
     SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
                                    sizeof(SID_CTX));

-- 
Repository URL: http://hg.python.org/cpython

More information about the Python-checkins mailing list