Message 304581 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	grrrrrrrrr
Recipients	alex, christian.heimes, dstufft, grrrrrrrrr, janssen
Date	2017-10-18.15:10:20
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1508339420.71.0.213398074469.issue31809@psf.upfronthosting.co.za>
In-reply-to

Content
While debugging I reproduced this on - 'OpenSSL 1.1.0f 25 May 2017' - 'OpenSSL 1.0.1f 6 Jan 2014' - and 'BoringSSL', latest. using Python 2.7.12, 2.7.13, 2.7.6 and 3.5.3. This was all on Debian. Note that since I used Python <2.7.14 (or equivalent for 3.x) for all tests, the check "... && !defined(OPENSSL_VERSION_1_1)" is missing and therefore the bug always triggers regardless of OpenSSL version. I'm not sure I agree that this one curve is a good default. Note that openssl has 81 curves currently (openssl ecparam -list_curves) and probably can use most of them to connect to a server - accommodating a variety of server setups. Restricting this list to one single curve seems suboptimal. Think about it like this, if tomorrow we find an issue with that particular curve, all servers can just migrate to a different one and all clients will be able to connect just fine - except those that use Python, they will not be able to talk to those servers ever again until they are upgraded. I mean in the end it's your call but having a client just accepting one single security parameter and nothing else doesn't seem right.

While debugging I reproduced this on
- 'OpenSSL 1.1.0f  25 May 2017'
- 'OpenSSL 1.0.1f 6 Jan 2014'
- and 'BoringSSL', latest.

using Python 2.7.12, 2.7.13, 2.7.6 and 3.5.3. This was all on Debian.


Note that since I used Python <2.7.14 (or equivalent for 3.x) for all tests, the check "... && !defined(OPENSSL_VERSION_1_1)" is missing and therefore the bug *always* triggers regardless of OpenSSL version.



I'm not sure I agree that this one curve is a good default. Note that openssl has 81 curves currently (openssl ecparam -list_curves) and probably can use most of them to connect to a server - accommodating a variety of server setups. Restricting this list to one single curve seems suboptimal.

Think about it like this, if tomorrow we find an issue with that particular curve, all servers can just migrate to a different one and all clients will be able to connect just fine - except those that use Python, they will not be able to talk to those servers ever again until they are upgraded. I mean in the end it's your call but having a *client* just accepting one single security parameter and nothing else doesn't seem right.

History
Date	User	Action	Args
2017-10-18 15:10:20	grrrrrrrrr	set	recipients: + grrrrrrrrr, janssen, christian.heimes, alex, dstufft
2017-10-18 15:10:20	grrrrrrrrr	set	messageid: <1508339420.71.0.213398074469.issue31809@psf.upfronthosting.co.za>
2017-10-18 15:10:20	grrrrrrrrr	link	issue31809 messages
2017-10-18 15:10:20	grrrrrrrrr	create