
Author christian.heimes
Recipients christian.heimes, sruester
Date 2018-02-20.10:09:45
Message-id <1519121385.62.0.467229070634.issue32882@psf.upfronthosting.co.za>
Content
This bug was originally the more generic issue #32858.

SSLContext.set_ecdh_curve() uses EC_KEY_new_by_curve_name() and SSL_CTX_set_tmp_ecdh() to configure the ECDH curve parameters. The current approach has multiple downsides. It doesn't work with X25519 and can only set one curve. OpenSSL 1.0.2+ has SSL_CTX_set1_curves_list(), which supports a list of curve names.

Proposal:

SSLContext.set_ecdh_curve() is changed from taking one curve name to an *arg of curve names. With OpenSSL 1.0.2+, 1..n curves are supported. For OpenSSL < 1.0.2 on 2.7-3.6, one curve is supported. Perhaps it makes sense to map an empty *arg to auto-configuration?

I'd like to cover the issue in PEP 543, too.

Cory,
what do you think about another enum of IANA groups of EC groups, https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 ?
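An added example (not part of the bpo message or of CPython) that models the proposed `set_ecdh_curve(*curves)` semantics and probes the single-curve API the issue describes. `plan_curve_config` and `probe_curves` are hypothetical helper names; the version threshold of 1.0.2 for `SSL_CTX_set1_curves_list()` is taken from the message above. The probe only shows which names the running interpreter's `SSLContext.set_ecdh_curve()` accepts; it does not itself configure a curve list, since no stdlib binding for `SSL_CTX_set1_curves_list()` exists at the time of this issue.

```python
"""Added example: proposed multi-curve semantics for SSLContext.set_ecdh_curve().

Not from the bpo issue or CPython. Helper names are hypothetical.
"""
import ssl

# Assumption taken from the issue text: OpenSSL 1.0.2 introduced
# SSL_CTX_set1_curves_list(); older releases only have the single-curve
# SSL_CTX_set_tmp_ecdh() path.
MIN_CURVE_LIST_VERSION = (1, 0, 2)


def plan_curve_config(openssl_version, *curves):
    """Return ("auto", None), ("list", "a:b") or ("single", "a").

    Mirrors the proposal: an empty *curves means auto-configuration,
    1..n curves become a colon-separated list on OpenSSL >= 1.0.2, and
    OpenSSL < 1.0.2 accepts exactly one curve.
    """
    if not curves:
        return ("auto", None)
    for name in curves:
        # Reject anything that could not be a single OpenSSL curve name.
        if not isinstance(name, str) or not name or ":" in name:
            raise ValueError(f"bad curve name: {name!r}")
    if tuple(openssl_version[:3]) >= MIN_CURVE_LIST_VERSION:
        # SSL_CTX_set1_curves_list() takes "P-256:X25519"-style strings.
        return ("list", ":".join(curves))
    if len(curves) > 1:
        raise ValueError("OpenSSL < 1.0.2 supports only one ECDH curve")
    return ("single", curves[0])


def probe_curves(*curves):
    """Try each name against SSLContext.set_ecdh_curve() on this interpreter.

    Returns {name: bool}. False means the single-curve API rejected the
    name, which is what the issue reports for X25519 (no EC_KEY for it)
    and what happens for unknown names.
    """
    results = {}
    for name in curves:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ecdh_curve(name)
        except (ValueError, AttributeError):
            # ValueError: unknown/unsupported curve; AttributeError: the
            # method is missing on builds without ECDH support.
            results[name] = False
        else:
            results[name] = True
    return results


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print(plan_curve_config(ssl.OPENSSL_VERSION_INFO, "prime256v1", "X25519"))
    probe = probe_curves("prime256v1", "secp384r1", "X25519", "not-a-curve")
    for name, ok in probe.items():
        print(f"{name:>12}: {'accepted' if ok else 'rejected'}")
```

Running the script prints the linked OpenSSL version, the curve list the proposal would hand to `SSL_CTX_set1_curves_list()`, and one line per probed name; on builds where `set_ecdh_curve()` still goes through `EC_KEY_new_by_curve_name()`, `X25519` shows up as rejected, which is the limitation the message describes.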
History

Date | User | Action | Args
2018-02-20 10:09:45 | christian.heimes | set | recipients: + christian.heimes, sruester
2018-02-20 10:09:45 | christian.heimes | set | messageid: <1519121385.62.0.467229070634.issue32882@psf.upfronthosting.co.za>
2018-02-20 10:09:45 | christian.heimes | link | issue32882 messages
2018-02-20 10:09:45 | christian.heimes | create |