summaryrefslogtreecommitdiffstats
path: root/Modules/_ssl.c
diff options
context:
space:
mode:
authorAntoine Pitrou <solipsis@pitrou.net>2014-03-22 17:13:50 (GMT)
committerAntoine Pitrou <solipsis@pitrou.net>2014-03-22 17:13:50 (GMT)
commit0bebbc33faae7ac10e7a7980b260e786f05d81bf (patch)
tree3a14bed28319e8cd67e99b6e5febe0befbbc6e08 /Modules/_ssl.c
parent79ccaa2cad2a13f0da2f900a0f9f61cd6b619c99 (diff)
downloadcpython-0bebbc33faae7ac10e7a7980b260e786f05d81bf.zip
cpython-0bebbc33faae7ac10e7a7980b260e786f05d81bf.tar.gz
cpython-0bebbc33faae7ac10e7a7980b260e786f05d81bf.tar.bz2
Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1".
(should also fix a buildbot failure introduced by #20995)
Diffstat (limited to 'Modules/_ssl.c')
-rw-r--r--Modules/_ssl.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 813c926..5031476 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2059,6 +2059,21 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
options |= SSL_OP_NO_SSLv2;
SSL_CTX_set_options(self->ctx, options);
+#ifndef OPENSSL_NO_ECDH
+ /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+ prime256v1 by default. This is Apache mod_ssl's initialization
+ policy, so we should be safe. */
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(self->ctx, 1);
+#else
+ {
+ EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_tmp_ecdh(self->ctx, key);
+ EC_KEY_free(key);
+ }
+#endif
+#endif
+
#define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
sizeof(SID_CTX));