Christian Heimes <[email protected]> added the comment:
Which version of OpenSSL are you using? Please note that macOS' system python
uses either an ancient version of OpenSSL 0.9.8 or an ancient version of
LibreSSL (IIRC 2.3.x).
The code in question is:

    #if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
        /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
           prime256v1 by default. This is Apache mod_ssl's initialization
           policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
         */
    #if defined(SSL_CTX_set_ecdh_auto)
        SSL_CTX_set_ecdh_auto(self->ctx, 1);
    #else
        {
            EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
            SSL_CTX_set_tmp_ecdh(self->ctx, key);
            EC_KEY_free(key);
        }
    #endif
    #endif
The block is executed for all SSLContexts (server and client) because . The
behavior depends on the version of OpenSSL:
OpenSSL >= 1.1: not executed
OpenSSL >= 1.0.2, < 1.1: SSL_CTX_set_ecdh_auto(ctx, 1)
LibreSSL: SSL_CTX_set_ecdh_auto(ctx, 1)
OpenSSL < 1.0.2: hard-code prime256v1
Since we have no means to distinguish between a server context and a client
context at the moment, we unconditionally call SSL_CTX_set_ecdh_auto(). It may
not be perfect under some conditions. But it gives most users a sane and secure
default to start with.
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_ecdh_auto.html
----------
nosy: +alex, dstufft, janssen
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue31809>
_______________________________________
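A small check, added here and not part of the tracker comment or of CPython itself, that reports which of the four branches listed above a given interpreter's OpenSSL/LibreSSL build falls into. The `ecdh_policy` function and its labels are mine; it takes the version string and tuple as arguments so it can be exercised with constructed values, and it special-cases LibreSSL, whose OPENSSL_VERSION_NUMBER (0x20000000) would otherwise read as "OpenSSL 2.0" and be misclassified:

```python
import ssl

# Branch labels mirror the four cases listed in the comment above.
OPENSSL_1_1 = "openssl>=1.1: block not compiled, auto selection built in"
OPENSSL_1_0_2 = "openssl 1.0.2: SSL_CTX_set_ecdh_auto(ctx, 1)"
LIBRESSL = "libressl: SSL_CTX_set_ecdh_auto(ctx, 1)"
OPENSSL_OLD = "openssl<1.0.2: hard-coded prime256v1"


def ecdh_policy(version_string, version_info):
    """Classify which branch of the _ssl.c block a build hits.

    version_string -- ssl.OPENSSL_VERSION, e.g. "OpenSSL 1.0.2k  26 Jan 2017"
    version_info   -- ssl.OPENSSL_VERSION_INFO, e.g. (1, 0, 2, 11, 15)
    Returns (branch label, True if the library picks the curve automatically).
    """
    # LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000, so its tuple is
    # (2, 0, 0, 0, 0); test the name first or it looks like OpenSSL 2.0.
    if version_string.startswith("LibreSSL"):
        return LIBRESSL, True
    major, minor, fix = version_info[:3]
    if (major, minor) >= (1, 1):
        return OPENSSL_1_1, True
    if (major, minor, fix) >= (1, 0, 2):
        return OPENSSL_1_0_2, True
    # 0.9.8 / 1.0.0 / 1.0.1: only prime256v1 unless the application itself
    # calls SSLContext.set_ecdh_curve() on its server-side context.
    return OPENSSL_OLD, False


def current_policy():
    """Apply the classification to the interpreter this script runs under."""
    return ecdh_policy(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO)


if __name__ == "__main__":
    branch, auto = current_policy()
    print(ssl.OPENSSL_VERSION)
    print("branch:", branch)
    print("automatic curve selection:", auto)
```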