
Author pitrou
Recipients christian.heimes, dstufft, pitrou
Date 2014-03-22.02:34:31
Message-id <1395455671.92.0.144736574461.issue21015@psf.upfronthosting.co.za>
Content
From the OpenSSL changelog:

  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call:
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]

We could probably call this function automatically on SSL contexts, when possible.

Besides, Apache's mod_ssl has the following code:

#if defined(SSL_CTX_set_ecdh_auto)
        SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
#else
        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
                             EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
#endif

So perhaps we can also reuse the same fallback to "prime256v1" (which would allow prioritizing ECDH in the cipher string).
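
The following is an added example, not part of the original message and not CPython's or mod_ssl's code: it shows the same fallback from the Python side, using the `ssl` module's existing `set_ecdh_curve()` and `set_ciphers()`, and then checks that ECDHE suites really are ranked first. The cipher string, the function names and the OpenSSL 1.1.0 cutoff are choices made for this example.

```python
import ssl

FALLBACK_CURVE = "prime256v1"  # the curve used by the mod_ssl fallback quoted above
# Cipher string chosen for this example: ECDHE suites first, DHE after them.
CIPHERS = "ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:!aNULL:!eNULL"


def build_server_context(pin_curve=None):
    """Server-side context that offers ECDHE and ranks it first.

    pin_curve=None pins FALLBACK_CURVE only on OpenSSL older than 1.1.0;
    from 1.1.0 on, automatic curve selection is always enabled and pinning
    would narrow the server to that single curve.
    """
    if not ssl.HAS_ECDH:
        raise RuntimeError("this ssl module was built without ECDH support")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if pin_curve is None:
        pin_curve = ssl.OPENSSL_VERSION_INFO < (1, 1, 0)
    if pin_curve:
        ctx.set_ecdh_curve(FALLBACK_CURVE)  # raises ValueError on an unknown name
    ctx.set_ciphers(CIPHERS)
    # Let the server's order decide; otherwise the client's ranking wins.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def legacy_suites(ctx):
    """Enabled TLS 1.2-and-older suite names, in preference order."""
    # TLS 1.3 suites ("TLS_...") are not governed by the cipher string.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def ecdhe_ranked_first(ctx):
    """True if an ECDHE suite is enabled and none follows a non-ECDHE one."""
    flags = [name.startswith("ECDHE-") for name in legacy_suites(ctx)]
    return any(flags) and flags == sorted(flags, reverse=True)


if __name__ == "__main__":
    context = build_server_context()
    print(ssl.OPENSSL_VERSION)
    print("ECDHE ranked first:", ecdhe_ranked_first(context))
    print("\n".join(legacy_suites(context)))
```
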