3 files changed, 31 insertions, 0 deletions

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 1a2a9f0..891720e 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2567,6 +2567,18 @@ else:
                         s.connect((HOST, server.port))
             self.assertIn("no shared cipher", str(server.conn_errors[0]))
 
+        @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
+        def test_default_ecdh_curve(self):
+            # Issue #21015: elliptic curve-based Diffie Hellman key exchange
+            # should be enabled by default on SSL contexts.
+            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            context.load_cert_chain(CERTFILE)
+            context.set_ciphers("ECDH")
+            with ThreadedEchoServer(context=context) as server:
+                with context.wrap_socket(socket.socket()) as s:
+                    s.connect((HOST, server.port))
+                    self.assertIn("ECDH", s.cipher()[0])
+
         @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
                              "'tls-unique' channel binding not available")
         def test_tls_unique_channel_binding(self):
diff --git a/Misc/NEWS b/Misc/NEWS
index b5b719d..6b527ea 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,10 @@ Core and Builtins
 Library
 -------
 
+- Issue #21015: SSL contexts will now automatically select an elliptic
+  curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise
+  default to "prime256v1".
+
 - Issue #20995: Enhance default ciphers used by the ssl module to enable
   better security an prioritize perfect forward secrecy.
 
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 813c926..5031476 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2059,6 +2059,21 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
         options |= SSL_OP_NO_SSLv2;
     SSL_CTX_set_options(self->ctx, options);
 
+#ifndef OPENSSL_NO_ECDH
+    /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+       prime256v1 by default.  This is Apache mod_ssl's initialization
+       policy, so we should be safe. */
+#if defined(SSL_CTX_set_ecdh_auto)
+    SSL_CTX_set_ecdh_auto(self->ctx, 1);
+#else
+    {
+        EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        SSL_CTX_set_tmp_ecdh(self->ctx, key);
+        EC_KEY_free(key);
+    }
+#endif
+#endif
+
 #define SID_CTX "Python"
     SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
                                    sizeof(SID_CTX));