summaryrefslogtreecommitdiffstats
path: root/Doc/library/ssl.rst
diff options
context:
space:
mode:
authorAntoine Pitrou <solipsis@pitrou.net>2011-12-19 16:16:51 (GMT)
committerAntoine Pitrou <solipsis@pitrou.net>2011-12-19 16:16:51 (GMT)
commit923df6f22a4a9ca0e2d5f15b29ec747ce00cd606 (patch)
treef6d96b4d24957014b3a410df4f70fa8ddee6ab5a /Doc/library/ssl.rst
parentd1301953fe355bc6637f33a4985c950bcfc73adf (diff)
downloadcpython-923df6f22a4a9ca0e2d5f15b29ec747ce00cd606.zip
cpython-923df6f22a4a9ca0e2d5f15b29ec747ce00cd606.tar.gz
cpython-923df6f22a4a9ca0e2d5f15b29ec747ce00cd606.tar.bz2
Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman
key exchange, through the SSLContext.set_ecdh_curve() method and the ssl.OP_SINGLE_ECDH_USE option.
Diffstat (limited to 'Doc/library/ssl.rst')
-rw-r--r--Doc/library/ssl.rst26
1 files changed, 26 insertions, 0 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 69eaf8b..7017b8f 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -428,6 +428,14 @@ Constants
.. versionadded:: 3.3
+.. data:: OP_SINGLE_ECDH_USE
+
+ Prevents re-use of the same ECDH key for several SSL sessions. This
+ improves forward secrecy but requires more computational resources.
+ This option only applies to server sockets.
+
+ .. versionadded:: 3.3
+
.. data:: HAS_SNI
Whether the OpenSSL library has built-in support for the *Server Name
@@ -672,6 +680,24 @@ to speed up repeated connections from the same clients.
when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
give the currently selected cipher.
+.. method:: SSLContext.set_ecdh_curve(curve_name)
+
+ Set the curve name for Elliptic Curve-based Diffie-Hellman (abbreviated
+ ECDH) key exchange. Using Diffie-Hellman key exchange improves forward
+ secrecy at the expense of computational resources (both on the server and
+ on the client). The *curve_name* parameter should be a string describing
+ a well-known elliptic curve, for example ``prime256v1`` for a widely
+ supported curve.
+
+ This setting doesn't apply to client sockets. You can also use the
+ :data:`OP_SINGLE_ECDH_USE` option to further improve security.
+
+ .. versionadded:: 3.3
+
+ .. seealso::
+ `SSL/TLS & Perfect Forward Secrecy <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html>`_
+ Vincent Bernat.
+
.. method:: SSLContext.wrap_socket(sock, server_side=False, \
do_handshake_on_connect=True, suppress_ragged_eofs=True, \
server_hostname=None)