diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2014-03-22 17:13:50 (GMT) |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2014-03-22 17:13:50 (GMT) |
| commit | 0bebbc33faae7ac10e7a7980b260e786f05d81bf (patch) | |
| tree | 3a14bed28319e8cd67e99b6e5febe0befbbc6e08 /Modules | |
| parent | 79ccaa2cad2a13f0da2f900a0f9f61cd6b619c99 (diff) | |
| download | cpython-0bebbc33faae7ac10e7a7980b260e786f05d81bf.zip cpython-0bebbc33faae7ac10e7a7980b260e786f05d81bf.tar.gz cpython-0bebbc33faae7ac10e7a7980b260e786f05d81bf.tar.bz2 | |
Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to "prime256v1".
(should also fix a buildbot failure introduced by #20995)
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/_ssl.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 813c926..5031476 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -2059,6 +2059,21 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds) options |= SSL_OP_NO_SSLv2; SSL_CTX_set_options(self->ctx, options); +#ifndef OPENSSL_NO_ECDH + /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use + prime256v1 by default. This is Apache mod_ssl's initialization + policy, so we should be safe. */ +#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set_ecdh_auto(self->ctx, 1); +#else + { + EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + SSL_CTX_set_tmp_ecdh(self->ctx, key); + EC_KEY_free(key); + } +#endif +#endif + #define SID_CTX "Python" SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, sizeof(SID_CTX)); |