classification
Title: Wrong ECDH configuration with OpenSSL 1.1
Type: behavior Stage: resolved
Components: SSL Versions: Python 3.7, Python 3.6, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, dstufft, ned.deily
Priority: normal Keywords: 3.6regression

Created on 2017-03-02 16:18 by christian.heimes, last changed 2017-03-24 23:14 by dstufft. This issue is now closed.

Pull Requests
URL Status Linked
PR 395 merged dstufft, 2017-03-02 16:26
PR 397 merged dstufft, 2017-03-02 16:45
PR 398 merged dstufft, 2017-03-02 16:46
PR 399 merged dstufft, 2017-03-02 16:51
Messages (7)
msg288812 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-03-02 16:18
I think I made a mistake during the port to OpenSSL 1.1.x. defined(OPENSSL_VERSION_1_1) is on the wrong ifndef block.

------------------------------------------------------------------
Old code

#ifndef OPENSSL_NO_ECDH
    /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
       prime256v1 by default.  This is Apache mod_ssl's initialization
       policy, so we should be safe. */
#if defined(SSL_CTX_set_ecdh_auto)
    SSL_CTX_set_ecdh_auto(self->ctx, 1);
#else
    {
        EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        SSL_CTX_set_tmp_ecdh(self->ctx, key);
        EC_KEY_free(key);
    }
#endif
#endif

------------------------------------------------------------------
New code with OpenSSL 1.1.x compatibility

#ifndef OPENSSL_NO_ECDH
    /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
       prime256v1 by default.  This is Apache mod_ssl's initialization
       policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
     */
#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
    SSL_CTX_set_ecdh_auto(self->ctx, 1);
#else
    {
        EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        SSL_CTX_set_tmp_ecdh(self->ctx, key);
        EC_KEY_free(key);
    }
#endif
#endif
msg288813 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-03-02 16:26
The bug report was too much of a "memo to me" brain dump. Let me clarify.

For OpenSSL 1.0.2 we can call SSL_CTX_set_ecdh_auto() to enable ECDH curves. For OpenSSL < 1.0.2 it was necessary to configure a curve with SSL_CTX_set_tmp_ecdh(). OpenSSL >= 1.1.0 needs neither ecdh_auto nor tmp_ecdh.

#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
...
#endif
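A loopback probe for the symptom this issue describes, added here as an example (it is not CPython's code and not part of the original report). It assumes, from my reading of SSL_CTX_set_tmp_ecdh on OpenSSL 1.1+, that the unintended fallback branch pins a server context's supported groups to prime256v1, so a client that offers only secp384r1 is refused; a correctly built Python accepts both. It also assumes an openssl command-line tool on PATH to mint a throwaway self-signed certificate, and that loopback sockets are usable. The curve names, helper functions and the "restricted-to-prime256v1" label are mine.

```python
"""Probe whether this Python/OpenSSL build's TLS server accepts ECDHE
groups other than prime256v1 (the bpo-29697 symptom when it does not).

Added example, not CPython code.  Assumptions: the openssl CLI is on PATH
(for a throwaway self-signed cert), loopback sockets work, and a server
restricted by SSL_CTX_set_tmp_ecdh(prime256v1) rejects a client offering
only secp384r1.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# secp384r1 is the "other" group: a server pinned to prime256v1 rejects it.
PROBE_CURVES = ("prime256v1", "secp384r1")
TIMEOUT = 5.0


def openssl_available():
    """True when an openssl CLI is on PATH (needed only for the throwaway cert)."""
    return shutil.which("openssl") is not None


def make_self_signed_cert(directory):
    """Write a throwaway RSA cert/key pair via the openssl CLI; return (cert, key) paths."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
        check=True, capture_output=True)
    return cert, key


def _accept_once(server_ctx, listener):
    """Server side of one probe: accept one connection and attempt the handshake."""
    try:
        conn, _ = listener.accept()
        conn.settimeout(TIMEOUT)
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # wait until the client closes; EOF/alerts are fine here
    except (ssl.SSLError, OSError):
        pass  # a failed handshake is the result; the client side records it


def _client_handshake(port, curve):
    """Client side: offer only *curve*; return negotiated TLS version or None on failure."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # throwaway self-signed cert, loopback only
    ctx.set_ecdh_curve(curve)        # narrows the client's supported_groups to this curve
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def probe_server_groups(server_ctx, curves=PROBE_CURVES):
    """Handshake once per curve against *server_ctx* over loopback; map curve -> version/None."""
    results = {}
    for curve in curves:
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.settimeout(TIMEOUT)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        worker = threading.Thread(target=_accept_once, args=(server_ctx, listener), daemon=True)
        worker.start()
        results[curve] = _client_handshake(port, curve)
        worker.join(TIMEOUT)
        listener.close()
    return results


def diagnose(results):
    """Classify probe results: 'ok', 'restricted-to-prime256v1', or 'broken'."""
    if all(results.values()):
        return "ok"
    if results.get("prime256v1") and not results.get("secp384r1"):
        return "restricted-to-prime256v1"  # only P-256 works: the unintended fallback
    return "broken"


def run_probe():
    """Probe a default-configured server context; None if no cert could be made."""
    if not openssl_available():
        return None
    with tempfile.TemporaryDirectory() as tmp:
        try:
            cert, key = make_self_signed_cert(tmp)
        except (subprocess.CalledProcessError, OSError):
            return None
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)  # no set_ecdh_curve: stock server defaults
        return probe_server_groups(server_ctx)


if __name__ == "__main__":
    res = run_probe()
    print(ssl.OPENSSL_VERSION, res, diagnose(res) if res else "no cert; probe skipped")
```

Run it under the interpreter you want to check. A fixed build on OpenSSL 1.1+ reports "ok"; a build that still takes the tmp_ecdh fallback shows the prime256v1 handshake succeeding and the secp384r1 one failing. The Python ssl module does not expose the negotiated group, so success or failure per curve is the observable signal.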
msg288914 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-03-03 19:14
Since the PRs have been merged, can this issue be closed now?
msg290343 - Author: Donald Stufft (dstufft) * (Python committer) Date: 2017-03-24 23:14
New changeset f1a696efd6ca674579e25de29ec4053ff5a5ade1 by Donald Stufft in branch '2.7':
bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399)
https://github.com/python/cpython/commit/f1a696efd6ca674579e25de29ec4053ff5a5ade1
msg290344 - Author: Donald Stufft (dstufft) * (Python committer) Date: 2017-03-24 23:14
New changeset 784ba7c8ad53638c94270011d55d2536ff0cd2dd by Donald Stufft in branch '3.6':
bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (#397)
https://github.com/python/cpython/commit/784ba7c8ad53638c94270011d55d2536ff0cd2dd
msg290345 - Author: Donald Stufft (dstufft) * (Python committer) Date: 2017-03-24 23:14
New changeset 564ace834f23587937b325e3545abe3f17fdbd2a by Donald Stufft in branch '3.5':
bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-398)
https://github.com/python/cpython/commit/564ace834f23587937b325e3545abe3f17fdbd2a
msg290346 - Author: Donald Stufft (dstufft) * (Python committer) Date: 2017-03-24 23:14
New changeset 8ae264ce6dfcd6923d7bbde0e975389bea7d9881 by Donald Stufft in branch 'master':
bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-395)
https://github.com/python/cpython/commit/8ae264ce6dfcd6923d7bbde0e975389bea7d9881
History
Date User Action Args
2017-03-24 23:14:30  dstufft           set     messages: + msg290346
2017-03-24 23:14:20  dstufft           set     messages: + msg290345
2017-03-24 23:14:13  dstufft           set     messages: + msg290344
2017-03-24 23:14:03  dstufft           set     messages: + msg290343
2017-03-03 19:21:10  dstufft           set     status: open -> closed; resolution: fixed; stage: resolved
2017-03-03 19:14:03  ned.deily         set     nosy: + ned.deily, dstufft; messages: + msg288914
2017-03-02 16:51:29  dstufft           set     pull_requests: + pull_request331
2017-03-02 16:46:55  dstufft           set     pull_requests: + pull_request330
2017-03-02 16:45:58  dstufft           set     pull_requests: + pull_request328
2017-03-02 16:26:37  christian.heimes  set     messages: + msg288813
2017-03-02 16:26:00  dstufft           set     pull_requests: + pull_request327
2017-03-02 16:18:22  christian.heimes  create