s.connect((HOST, server.port))
self.assertIn("no shared cipher", str(server.conn_errors[0]))
+ @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
+ def test_default_ecdh_curve(self):
+ # Issue #21015: elliptic curve-based Diffie Hellman key exchange
+ # should be enabled by default on SSL contexts.
+ context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ context.load_cert_chain(CERTFILE)
+ context.set_ciphers("ECDH")
+ with ThreadedEchoServer(context=context) as server:
+ with context.wrap_socket(socket.socket()) as s:
+ s.connect((HOST, server.port))
+ self.assertIn("ECDH", s.cipher()[0])
+
@unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
"'tls-unique' channel binding not available")
def test_tls_unique_channel_binding(self):
Library
-------
+- Issue #21015: SSL contexts will now automatically select an elliptic
+ curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise
+ default to "prime256v1".
+
- Issue #20995: Enhance default ciphers used by the ssl module to enable
better security an prioritize perfect forward secrecy.
options |= SSL_OP_NO_SSLv2;
SSL_CTX_set_options(self->ctx, options);
+#ifndef OPENSSL_NO_ECDH
+ /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+ prime256v1 by default. This is Apache mod_ssl's initialization
+ policy, so we should be safe. */
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(self->ctx, 1);
+#else
+ {
+ EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_tmp_ecdh(self->ctx, key);
+ EC_KEY_free(key);
+ }
+#endif
+#endif
+
#define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
sizeof(SID_CTX));
projects / python / commitdiff