Issue 29697: Wrong ECDH configuration with OpenSSL 1.1

Created on 2017-03-02 16:18 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 395 merged dstufft,2017-03-02 16:26
PR 397 merged dstufft,2017-03-02 16:45
PR 398 merged dstufft,2017-03-02 16:46
PR 399 merged dstufft,2017-03-02 16:51
Messages (7)
msg288812 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-03-02 16:18
I think I made a mistake during the port to OpenSSL 1.1.x. defined(OPENSSL_VERSION_1_1) is on the wrong ifndef block.

------------------------------------------------------------------
Old code

#ifndef OPENSSL_NO_ECDH
    /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
       prime256v1 by default.  This is Apache mod_ssl's initialization
       policy, so we should be safe. */
#if defined(SSL_CTX_set_ecdh_auto)
    SSL_CTX_set_ecdh_auto(self->ctx, 1);
#else
    {
        EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        SSL_CTX_set_tmp_ecdh(self->ctx, key);
        EC_KEY_free(key);
    }
#endif
#endif

------------------------------------------------------------------
New code with OpenSSL 1.1.x compatibility

#ifndef OPENSSL_NO_ECDH
    /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
       prime256v1 by default.  This is Apache mod_ssl's initialization
       policy, so we should be safe.  OpenSSL 1.1 has it enabled by default. */
#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
    SSL_CTX_set_ecdh_auto(self->ctx, 1);
#else
    {
        EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        SSL_CTX_set_tmp_ecdh(self->ctx, key);
        EC_KEY_free(key);
    }
#endif
#endif
msg288813 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-03-02 16:26
The bug report was too much of a "memo to me" brain dump. Let me clarify.

For OpenSSL 1.0.2 we can call SSL_CTX_set_ecdh_auto() to enable ECDH curves. For OpenSSL < 1.0.2 it was necessary to configure a curve with SSL_CTX_set_tmp_ecdh(). OpenSSL >= 1.1.0 does neither need ecdh_auto nor tmp_ecdh.

#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
...
#endif
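The three-way version policy in msg288813 (tmp_ecdh below 1.0.2, ecdh_auto on 1.0.2, nothing on 1.1+) can be checked from Python against the OpenSSL a given interpreter build links, and the practical effect of the fix can be verified by confirming that the resulting SSLContext actually offers ECDHE key exchange. The following is an added example, not code from CPython or from this issue; the function names ecdh_policy and ecdhe_kex_ciphers are my own, and the check relies on SSLContext.get_ciphers() (Python 3.6+) reporting the key exchange algorithm in its "kea" field, which older builds may omit.

```python
"""Added example (not CPython code): map an OpenSSL version to the ECDH setup
policy described in bpo-29697 and confirm ECDHE suites are enabled."""
import ssl


def ecdh_policy(version_info):
    """Return which ECDH setup step applies for an OpenSSL version tuple
    (major, minor, fix, ...), mirroring the preprocessor logic in the issue:
      < 1.0.2  -> "tmp_ecdh"  (SSL_CTX_set_tmp_ecdh() with prime256v1)
      1.0.2.x  -> "ecdh_auto" (SSL_CTX_set_ecdh_auto(ctx, 1))
      >= 1.1.0 -> "builtin"   (OpenSSL selects curves itself; no call needed)
    """
    major, minor, fix = version_info[:3]
    if (major, minor, fix) < (1, 0, 2):
        return "tmp_ecdh"
    if (major, minor) < (1, 1):
        return "ecdh_auto"
    return "builtin"


def ecdhe_kex_ciphers(ctx=None):
    """Names of enabled cipher suites whose key exchange is ECDHE.

    SSLContext.get_ciphers() returns one dict per enabled suite; on builds
    against OpenSSL 1.1+ the 'kea' entry is the key-exchange long name from
    OpenSSL (e.g. 'kx-ecdhe').  Older builds may omit the key, which this
    treats as 'not ECDHE' rather than crashing.
    """
    if ctx is None:
        ctx = ssl.create_default_context()
    return [
        cipher["name"]
        for cipher in ctx.get_ciphers()
        if cipher.get("kea", "").lower() in ("kx-ecdhe", "kx-ecdhe-psk")
    ]


def report():
    """Summarise the running interpreter's OpenSSL and its ECDHE status."""
    version = ssl.OPENSSL_VERSION_INFO
    suites = ecdhe_kex_ciphers()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "policy": ecdh_policy(version),
        "ecdhe_suite_count": len(suites),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

A build that took the wrong branch of the ifdef still links the same OpenSSL, so the policy lookup only tells you which setup path the ssl module should have taken; the cipher listing is the check that matters operationally, since a context with no ECDHE suites cannot negotiate forward-secret ECDHE handshakes at all.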
msg288914 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-03-03 19:14
Since the PRs have been merged, can this issue be closed now?
msg290343 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2017-03-24 23:14
New changeset f1a696efd6ca674579e25de29ec4053ff5a5ade1 by Donald Stufft in branch '2.7': bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-399) https://github.com/python/cpython/commit/f1a696efd6ca674579e25de29ec4053ff5a5ade1
msg290344 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2017-03-24 23:14
New changeset 784ba7c8ad53638c94270011d55d2536ff0cd2dd by Donald Stufft in branch '3.6': bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (#397) https://github.com/python/cpython/commit/784ba7c8ad53638c94270011d55d2536ff0cd2dd
msg290345 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2017-03-24 23:14
New changeset 564ace834f23587937b325e3545abe3f17fdbd2a by Donald Stufft in branch '3.5': bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-398) https://github.com/python/cpython/commit/564ace834f23587937b325e3545abe3f17fdbd2a
msg290346 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2017-03-24 23:14
New changeset 8ae264ce6dfcd6923d7bbde0e975389bea7d9881 by Donald Stufft in branch 'master': bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ (GH-395) https://github.com/python/cpython/commit/8ae264ce6dfcd6923d7bbde0e975389bea7d9881
History
Date User Action Args
2022-04-11 14:58:43 admin set github: 73883
2017-03-24 23:14:30 dstufft set messages: +
2017-03-24 23:14:20 dstufft set messages: +
2017-03-24 23:14:13 dstufft set messages: +
2017-03-24 23:14:03 dstufft set messages: +
2017-03-03 19:21:10 dstufft set status: open -> closed; resolution: fixed; stage: resolved
2017-03-03 19:14:03 ned.deily set nosy: + ned.deily, dstufft; messages: +
2017-03-02 16:51:29 dstufft set pull_requests: + <pull%5Frequest331>
2017-03-02 16:46:55 dstufft set pull_requests: + <pull%5Frequest330>
2017-03-02 16:45:58 dstufft set pull_requests: + <pull%5Frequest328>
2017-03-02 16:26:37 christian.heimes set messages: +
2017-03-02 16:26:00 dstufft set pull_requests: + <pull%5Frequest327>
2017-03-02 16:18:22 christian.heimes create