Message304579
Which version of OpenSSL are you using? Please note that macOS' system python uses either an ancient version of OpenSSL 0.9.8 or an ancient version of LibreSSL (IIRC 2.3.x).
The code in question is:
#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
    /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
       prime256v1 by default. This is Apache mod_ssl's initialization
       policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
     */
#if defined(SSL_CTX_set_ecdh_auto)
    SSL_CTX_set_ecdh_auto(self->ctx, 1);
#else
    {
        EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        SSL_CTX_set_tmp_ecdh(self->ctx, key);
        EC_KEY_free(key);
    }
#endif
#endif
The block is executed for all SSLContexts (server and client) because . The behavior depends on the version of OpenSSL:
OpenSSL >= 1.1: not executed
OpenSSL >= 1.0.2, < 1.1: SSL_CTX_set_ecdh_auto(ctx, 1)
LibreSSL: SSL_CTX_set_ecdh_auto(ctx, 1)
OpenSSL < 1.0.2: hard-code prime256v1
Since we have no means to distinguish between a server context and a client context at the moment, we unconditionally call SSL_CTX_set_ecdh_auto(). It may not be perfect under some conditions. But it gives most users a sane and secure default to start with.
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_ecdh_auto.html
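The message above asks which OpenSSL the reporter's interpreter is linked against, because the ECDH path the preprocessor block selects depends on that. The following is an added example (not code from the tracker or from CPython's _ssl.c) that mirrors the four cases listed in the message from the version string Python exposes as ssl.OPENSSL_VERSION, so a user can tell which branch their own build took. The policy labels and the version-string parser are assumptions made here for illustration; the version thresholds are the ones stated in the message.

```python
import re
import ssl

# Matches the leading "<flavor> <major>.<minor>.<patch>" of ssl.OPENSSL_VERSION,
# e.g. "OpenSSL 1.0.2n  7 Dec 2017", "OpenSSL 0.9.8zh 3 Dec 2015" or "LibreSSL 2.3.6".
# The regex is an assumption of this example; it ignores the letter suffix and date.
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (flavor, (major, minor, patch)) for an OpenSSL/LibreSSL version string."""
    match = _VERSION_RE.match(version_string)
    if match is None:
        raise ValueError("unrecognised version string: %r" % (version_string,))
    flavor = match.group(1)
    numbers = tuple(int(match.group(i)) for i in (2, 3, 4))
    return flavor, numbers


def ecdh_policy(version_string):
    """Name the ECDH setup branch of the message's #if block for a given library.

    Labels (chosen for this example, not CPython's):
      "builtin"           - OpenSSL >= 1.1: block compiled out, auto curve selection is default
      "ecdh_auto"         - OpenSSL 1.0.2.x, or any LibreSSL: SSL_CTX_set_ecdh_auto(ctx, 1)
      "static-prime256v1" - OpenSSL < 1.0.2: one hard-coded curve via SSL_CTX_set_tmp_ecdh
    """
    flavor, version = parse_version(version_string)
    if flavor == "LibreSSL":
        # LibreSSL exposes SSL_CTX_set_ecdh_auto, so the auto branch is taken.
        return "ecdh_auto"
    if version >= (1, 1, 0):
        return "builtin"
    if version >= (1, 0, 2):
        return "ecdh_auto"
    return "static-prime256v1"


def is_ancient(version_string):
    """True for the library generations the message calls ancient: OpenSSL 0.9.8
    and LibreSSL 2.3.x (as shipped with macOS' system python at the time)."""
    flavor, version = parse_version(version_string)
    if flavor == "OpenSSL":
        return version < (1, 0, 0)
    return version[:2] <= (2, 3)


def report(version_string=None):
    """Summarise the policy for a version string, defaulting to the running interpreter."""
    if version_string is None:
        version_string = ssl.OPENSSL_VERSION
    return {
        "version": version_string,
        "policy": ecdh_policy(version_string),
        "ancient": is_ancient(version_string),
    }


if __name__ == "__main__":
    # Constructed sample strings, one per branch of the message's table.
    for sample in ("OpenSSL 1.1.0g  2 Nov 2017", "OpenSSL 1.0.2n  7 Dec 2017",
                   "LibreSSL 2.3.6", "OpenSSL 0.9.8zh 3 Dec 2015"):
        print(report(sample))
    print("this interpreter:", report())
```

Run the script under the interpreter in question; the last line tells you whether the build falls into the automatic-selection case or the single hard-coded curve case that the message describes for OpenSSL older than 1.0.2.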
Date | User | Action | Args
2017-10-18 14:06:53 | christian.heimes | set | recipients: + christian.heimes, janssen, alex, dstufft, grrrrrrrrr
2017-10-18 14:06:53 | christian.heimes | set | messageid: <1508335613.33.0.213398074469.issue31809@psf.upfronthosting.co.za>
2017-10-18 14:06:53 | christian.heimes | link | issue31809 messages
2017-10-18 14:06:53 | christian.heimes | create |