From: Donald Stufft <donald@stufft.io>
Date: Thu, 2 Mar 2017 17:37:07 +0000 (-0500)
Subject: bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399)
X-Git-Tag: v2.7.14rc1~258
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f1a696efd6ca674579e25de29ec4053ff5a5ade1;p=python

bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399)
---

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index a92710077c..4fff16f6f4 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
         options |= SSL_OP_NO_SSLv3;
     SSL_CTX_set_options(self->ctx, options);
 
-#ifndef OPENSSL_NO_ECDH
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
     /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
        prime256v1 by default.  This is Apache mod_ssl's initialization
        policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
      */
-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
+#if defined(SSL_CTX_set_ecdh_auto)
     SSL_CTX_set_ecdh_auto(self->ctx, 1);
 #else
     {