bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399)

author Donald Stufft <donald@stufft.io>

Thu, 2 Mar 2017 17:37:07 +0000 (12:37 -0500)

committer GitHub <noreply@github.com>

Thu, 2 Mar 2017 17:37:07 +0000 (12:37 -0500)
author Donald Stufft <donald@stufft.io>
Thu, 2 Mar 2017 17:37:07 +0000 (12:37 -0500)
committer GitHub <noreply@github.com>
Thu, 2 Mar 2017 17:37:07 +0000 (12:37 -0500)
diff --git a/Modules/_ssl.c b/Modules/_ssl.c

index a92710077cc2831d7ad84dc9b735367f23b5f4e0..4fff16f6f49a03d51534aef6ea61ec586699ace0 100644 (file)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
          options |= SSL_OP_NO_SSLv3;
      SSL_CTX_set_options(self->ctx, options);
  
-#ifndef OPENSSL_NO_ECDH
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
      /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
         prime256v1 by default.  This is Apache mod_ssl's initialization
         policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
       */
-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
+#if defined(SSL_CTX_set_ecdh_auto)
      SSL_CTX_set_ecdh_auto(self->ctx, 1);
  #else
      {
author	Donald Stufft <donald@stufft.io>
	Thu, 2 Mar 2017 17:37:07 +0000 (12:37 -0500)
committer	GitHub <noreply@github.com>
	Thu, 2 Mar 2017 17:37:07 +0000 (12:37 -0500)