You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hello @alex@reaperhulk, this ticket is to re-open a discussion on the possibility to add binding for SSL_CTX_set1_curves_list and SSL_CTX_set1_groups_list (#4980, #9562)
At the moment a python application built on top of pyopenssl has no possibility to set a different order of preference on the selection of the curves that are forced to be x25519, secp256r1, x448, secp521r1, secp384r1 in this exact order of preference.
I fully agree with your previous evaluations that developers should be using the library defaults and adhere to the choices of the community, but i consider that such a binding is fundamental to protect users in case a specific curve would become known combination for a specific attack. At the moment, on such a situation there would be no workaround for pyopenssl users different from shutting down their system.
@alex : on #9562 you referred to the existance of the binding for set_tmp_ecdh but actually @t8m confirms that this could not be used to set x25519 and x448: openssl/openssl#24116
Thank you if you could evaluate this once again.
The text was updated successfully, but these errors were encountered:
+1 to provide the bindings (set1_curves is alias to set1_groups) so one binding with the new name would be sufficient unless you need to support older OpenSSL versions.
Hello @alex @reaperhulk, this ticket is to re-open a discussion on the possibility to add binding for SSL_CTX_set1_curves_list and SSL_CTX_set1_groups_list (#4980, #9562)
At the moment a python application built on top of pyopenssl has no possibility to set a different order of preference on the selection of the curves that are forced to be
x25519, secp256r1, x448, secp521r1, secp384r1
in this exact order of preference.I fully agree with your previous evaluations that developers should be using the library defaults and adhere to the choices of the community, but i consider that such a binding is fundamental to protect users in case a specific curve would become known combination for a specific attack. At the moment, on such a situation there would be no workaround for pyopenssl users different from shutting down their system.
@alex : on #9562 you referred to the existance of the binding for set_tmp_ecdh but actually @t8m confirms that this could not be used to set x25519 and x448: openssl/openssl#24116
Thank you if you could evaluate this once again.
The text was updated successfully, but these errors were encountered: