
Classification
Title: SSLContext.set_ecdh_curve() not accepting x25519
Type: behavior
Stage: patch review
Components: SSL
Versions: Python 3.11, Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 2.7

Process
Status: open
Resolution:
Dependencies:
Superseder: Improve OpenSSL ECDH support (view: 32858)
Assigned To: christian.heimes
Nosy List: christian.heimes, sruester
Priority: normal
Keywords: patch

Created on 2018-02-20 09:49 by sruester, last changed 2022-04-11 14:58 by admin.

Pull Requests
PR 5770: closed (linked by sruester, 2018-02-20 10:18)
PR 5771: open (linked by sruester, 2018-02-20 10:34)
Messages (3)
msg312405 - Author: sruester (sruester), Date: 2018-02-20 09:49
Using SSLContext.set_ecdh_curve() it is neither possible to choose X25519, nor to choose a list of curves to be used for key agreement.
msg312408 - Author: Christian Heimes (christian.heimes) (Python committer), Date: 2018-02-20 10:09
This bug was originally the more generic issue #32858.

SSLContext.set_ecdh_curve() uses EC_KEY_new_by_curve_name() and SSL_CTX_set_tmp_ecdh() to configure the ECDH curve parameters. The current approach has multiple downsides. It doesn't work with X25519 and can only set one curve. OpenSSL 1.0.2+ has SSL_CTX_set1_curves_list(), which supports a list of curve names.

Proposal:

SSLContext.set_ecdh_curve() is changed from taking one curve name to an *arg of curve names. With OpenSSL 1.0.2+, 1..n curves are supported. For OpenSSL < 1.0.2 on 2.7-3.6, one curve is supported. Perhaps it makes sense to map an empty *arg to auto-configuration?

I'd like to cover the issue in PEP 543, too.

Cory,
what do you think about another enum of IANA groups of EC groups, https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 ?
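The message above explains that SSLContext.set_ecdh_curve() takes a single curve name and, depending on the OpenSSL build, may refuse X25519. The following probe is an added example, not code from this issue, from the linked pull requests or from CPython: it reports which curve names the running interpreter's ssl module will actually accept, and picks the first usable one from a preference list so a deployment does not silently fall through to a failed configuration. The candidate list and the bogus name "not-a-curve" are constructed for the example; the verdict for "X25519" is whatever your own Python/OpenSSL combination returns.

```python
import ssl

# Constructed candidate list: the NIST curves that the EC_KEY_new_by_curve_name()
# path has always handled, the X25519 group this issue is about, and one bogus
# name ("not-a-curve") that serves as a negative control.
CANDIDATE_CURVES = ("prime256v1", "secp384r1", "secp521r1", "X25519", "not-a-curve")


def _fresh_context():
    # A new context per probe so one rejected call cannot taint the next one.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def probe_ecdh_curves(names=CANDIDATE_CURVES):
    """Map each name to the outcome of SSLContext.set_ecdh_curve(name).

    True  -> accepted by this build
    False -> ValueError: OpenSSL has no NID for that short name
    None  -> ssl.SSLError: OpenSSL knows the name but the ssl module could not
             install it as the ECDH curve (the X25519 situation the issue
             describes on some builds)
    """
    results = {}
    for name in names:
        ctx = _fresh_context()
        try:
            ctx.set_ecdh_curve(name)
        except ValueError:
            results[name] = False
        except ssl.SSLError:
            results[name] = None
        else:
            results[name] = True
    return results


def choose_ecdh_curve(preferences):
    """Return the first name in `preferences` that this build accepts.

    Raises RuntimeError if none is usable, instead of leaving the context with
    whatever default OpenSSL would have picked.
    """
    outcomes = probe_ecdh_curves(preferences)
    for name in preferences:
        if outcomes[name] is True:
            return name
    raise RuntimeError("none of the preferred ECDH curves is usable: %r" % outcomes)


def x25519_usable():
    """True only if set_ecdh_curve('X25519') succeeds on this build."""
    return probe_ecdh_curves(("X25519",))["X25519"] is True


if __name__ == "__main__":
    for curve, verdict in probe_ecdh_curves().items():
        print("%-12s %s" % (curve, {True: "accepted", False: "unknown name", None: "known but unusable"}[verdict]))
    print("X25519 usable via set_ecdh_curve():", x25519_usable())
    print("chosen curve:", choose_ecdh_curve(("X25519", "secp384r1", "prime256v1")))
```

The probe exercises set_ecdh_curve() itself rather than inspecting ssl.OPENSSL_VERSION, because the outcome depends on both the OpenSSL version and how the ssl module calls it, which is exactly the coupling this issue is about.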
msg391504 - Author: sruester (sruester), Date: 2021-04-21 09:29
PEP 543 was withdrawn in the meantime. Any suggestion how to proceed with this?
History
Date                 User              Action  Args
2022-04-11 14:58:58  admin             set     github: 77063
2021-04-21 09:29:10  sruester          set     messages: + msg391504; versions: + Python 3.9, Python 3.10, Python 3.11
2018-02-20 10:34:42  sruester          set     pull_requests: + pull_request5550
2018-02-20 10:18:27  sruester          set     keywords: + patch; stage: needs patch -> patch review; pull_requests: + pull_request5549
2018-02-20 10:09:45  christian.heimes  set     versions: + Python 2.7, Python 3.6, Python 3.7, Python 3.8; type: behavior; messages: + msg312408; superseder: Improve OpenSSL ECDH support; stage: needs patch
2018-02-20 09:49:54  sruester          create