[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-16 Thread Stefan Krah
Stefan Krah added the comment:

In case anyone wonders why the FreeBSD bot works again: I've installed OpenSSL from source.

--
___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue21015 ___

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-16 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> In case anyone wonders why the FreeBSD bot works again: I've installed OpenSSL from source.

Did you install the same version?

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-16 Thread Stefan Krah
Stefan Krah added the comment:

Antoine Pitrou <rep...@bugs.python.org> wrote:
> Did you install the same version?

No, I used the latest version + FIPS. Since FreeBSD 9.0 is EOL, I did not feel like investigating too much. :)

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-16 Thread Roundup Robot
Roundup Robot added the comment:

New changeset d6501421b86b by Antoine Pitrou in branch '3.4':
Try to fix buildbot failures on old OpenSSLs (< 1.0.0) - followup to issue #21015
http://hg.python.org/cpython/rev/d6501421b86b

New changeset 1305410bff2d by Antoine Pitrou in branch 'default':
Try to

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-16 Thread Antoine Pitrou
Antoine Pitrou added the comment:

So, I think I've found the issue. On OpenSSL 1.0.0, the ECDH ciphers exist but the ECDH cipher alias doesn't. I've committed a patch which should fix the issue, although the set_ciphers() call may be entirely useless given our current default cipher list.

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-16 Thread Ned Deily
Ned Deily added the comment:

That does indeed make the test now pass on OS X 10.9:

test_default_ecdh_curve (test.test_ssl.ThreadedTests) ...
 server: new connection from ('127.0.0.1', 60758)
 server: connection cipher is now ('AECDH-AES256-SHA', 'TLSv1/SSLv3', 256)
 server: selected protocol

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-16 Thread Antoine Pitrou
Antoine Pitrou added the comment:

The buildbots seem happy as well, so I'm closing this.

--
resolution: -> fixed
stage: needs patch -> committed/rejected
status: open -> closed

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-14 Thread Mark Dickinson
Mark Dickinson added the comment:

The docs[1] for SSL_set_ecdh_auto say:

> These functions were first added to OpenSSL 1.0.2.

From looking at Modules/_ssl.c, it looks as though we're trying to use them when the version is >= 0.9.8.

[1]

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-14 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> The docs[1] for SSL_set_ecdh_auto say:
>
> > These functions were first added to OpenSSL 1.0.2.
>
> From looking at Modules/_ssl.c, it looks as though we're trying to use them when the version is >= 0.9.8.

If that was the issue at hand we would get a compile error, no?

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-14 Thread Mark Dickinson
Mark Dickinson added the comment:

Yep, true. Ignore me.

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-14 Thread Mark Dickinson
Changes by Mark Dickinson <dicki...@gmail.com>:

--
Removed message: http://bugs.python.org/msg216123

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-14 Thread Jeff Ramnani
Jeff Ramnani added the comment:

> Really? Apple's packaging looks almost criminal here.

Apple has deprecated their bundled version of OpenSSL. This issue has more details: http://bugs.python.org/issue17128

--
nosy: +jramnani

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-14 Thread Stefan Krah
Stefan Krah added the comment:

FreeBSD 9.0 has the same broken install:

$ openssl version
OpenSSL 0.9.8y 5 Feb 2013
$ ls /usr/include/openssl/ecd*
/usr/include/openssl/ecdh.h /usr/include/openssl/ecdsa.h

I'm inclined to view this as an OS

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-10 Thread Geoffrey Spear
Changes by Geoffrey Spear <geoffsp...@gmail.com>:

--
nosy: +geoffreyspear

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-10 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> The OpenSSL command advertises itself as 0.9.8y but it doesn't include any ECDH ciphers.

Really? Apple's packaging looks almost criminal here.

> FreeBSD 9 is failing as well:

It's not necessarily the same issue as on OS X. Stefan, can you post the output of

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-10 Thread Stefan Krah
Stefan Krah added the comment:

This is for FreeBSD-9 (which, to be fair, has EOL status):

[stefan@freebsd-amd64 ~]$ openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-07 Thread STINNER Victor
STINNER Victor added the comment:

test_default_ecdh_curve() is still failing on x86 Ubuntu Shared 3.x:
http://buildbot.python.org/all/builders/x86%20Ubuntu%20Shared%203.x/builds/9964/steps/test/logs/stdio

==
ERROR:

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-07 Thread Stefan Krah
Stefan Krah added the comment:

FreeBSD 9 is failing as well:
http://buildbot.python.org/all/builders/AMD64%20FreeBSD%209.0%203.x/builds/6583/steps/test/logs/stdio

--
nosy: +skrah

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-04-05 Thread Ned Deily
Ned Deily added the comment:

test_default_ecdh_curve is failing on current OS X systems (10.9 Mavericks and 10.8 Mountain Lion, at least) using the system-supplied OpenSSL libraries:

==
ERROR: test_default_ecdh_curve

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Nick Coghlan
Nick Coghlan added the comment:

Marking this as buildbot, as Donald suspects it's the culprit for the current SSL related buildbot failures after merging issue 20995.

Also Donald, welcome to the "I broke (some of) the buildbots" club, although you did come up with something more exotic than the

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment:

I always have to do things the hard way ;)

Note that my patch changes the set_ecdh_curve() method to no longer require a name. If that is too big of a change for Python 3.4 we can just hardcode the same name inside of ssl.py for 3.4

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment:

I don't think it makes much sense to have a default argument to set_ecdh_curve(). It's probably better to just copy mod_ssl's initialization (which selects prime256v1 on not-so-new OpenSSLs).

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment:

Here is a patch working with both 1.0.2 (set_ecdh_auto) and 1.0.1 (fallback on prime256v1).

--
Added file: http://bugs.python.org/file34565/ssl_ecdh_auto.patch

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment:

Perhaps we should add a test for this.

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment:

New patch with a test.

--
Added file: http://bugs.python.org/file34566/ssl_ecdh_auto2.patch

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment:

The reason I made a default argument to set_ecdh_curve is that I couldn't find any information about what happens if you set an ECDH curve _twice_ within an OpenSSL SSL Context. So I played it safe and made it a default argument that only gets called if you

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment:

I know it doesn't segfault or raise an error if you do that, but I don't know if it:

1) Replaces the already called ECDH Curve
2) Adds to the already called ECDH Curve
3) Silently Does Nothing.

If it's 2 or 3 then your patch will make

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> I know it doesn't segfault or raise an error if you do that, but I don't know if it:
>
> 1) Replaces the already called ECDH Curve
> 2) Adds to the already called ECDH Curve
> 3) Silently Does Nothing.

Judging by OpenSSL's code, it replaces the already called

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment:

Works for me, that's what it appears like to me too. +1

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment:

Here is an updated patch with proper releasing of the EC_KEY structure. (Note that the patch has a slight performance implication: creating an SSLContext becomes more costly - around 100µs more here.)

--
Added file:

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Donald Stufft
Donald Stufft added the comment:

Looks good to me, do you want to commit it Antoine?

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Alex Gaynor
Changes by Alex Gaynor <alex.gay...@gmail.com>:

--
nosy: +alex

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment:

I will :)

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Roundup Robot
Roundup Robot added the comment:

New changeset 869277faf3dc by Antoine Pitrou in branch '3.4':
Issue #21015: SSL contexts will now automatically select an elliptic curve for ECDH key exchange on OpenSSL 1.0.2 and later, and otherwise default to prime256v1.

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-22 Thread Antoine Pitrou
Antoine Pitrou added the comment:

The Ubuntu LTS buildbot seems to feel better now, closing.

--
resolution: -> fixed
stage: -> committed/rejected
status: open -> closed

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-21 Thread Antoine Pitrou
New submission from Antoine Pitrou:

From the OpenSSL changelog:

  *) Support for automatic EC temporary key parameter selection. If enabled the most preferred EC parameters are automatically used instead of hardcoded fixed parameters. Now a server just has to call:

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-21 Thread Donald Stufft
Donald Stufft added the comment:

Heh, I was just getting ready to figure out if I should write this ticket or not :) I think we should do this. Nginx also defaults to prime256v1 (which is NIST P-256), DJB seems to think that's an unsafe curve though (http://safecurves.cr.yp.to/).

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-21 Thread Donald Stufft
Donald Stufft added the comment:

Ok, looks like everyone just uses prime256v1, so we should use that!
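
The thread turns on two checks that are easy to reproduce from Python: whether the interpreter's OpenSSL actually offers ECDH key exchange (the probe Stefan and Ned ran against the broken FreeBSD 9 and OS X system libraries, and the "ECDH" cipher-alias problem Antoine found on OpenSSL 1.0.0), and the curve policy the merged changeset settled on (let OpenSSL 1.0.2+ pick the curve, otherwise fall back to prime256v1). The script below is an added example, not code from CPython, from the patches attached to this issue, or from any of the posters; the helper names (`kx_of`, `ecdh_ciphers`, `ecdh_alias_available`, `choose_ecdh_policy`, `configure_ecdh`, `probe`) are my own, and the cipher lines it parses are taken from Stefan's `openssl ciphers -v` output plus one constructed line in the same format.

```python
"""Probe the local OpenSSL for ECDH support and apply the curve-selection
policy from the issue 21015 changeset.

Added example, not code from CPython or from the patches attached to the
issue; every helper name here is my own.
"""
import re
import ssl

# "Kx=..." is the key-exchange field of `openssl ciphers -v` and of the
# description string that SSLContext.get_ciphers() exposes. The broken
# OS X / FreeBSD builds in the thread show no Kx=ECDH lines at all.
_KX_RE = re.compile(r"\bKx=(\S+)")


def kx_of(description):
    """Return the key-exchange algorithm named in one cipher description line."""
    match = _KX_RE.search(description)
    return match.group(1) if match else None


def ecdh_ciphers(ctx):
    """Names of the enabled suites that use ECDH key exchange.

    Only TLS 1.2 and older suites name a key exchange; TLS 1.3 suites report
    Kx=any because the group is negotiated separately.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if kx_of(c["description"]) == "ECDH"]


def ecdh_alias_available():
    """Does the cipher-string alias 'ECDH' resolve on this OpenSSL?

    On OpenSSL 1.0.0 the individual ECDH suites exist but the alias does
    not, which is why the original test's set_ciphers("ECDH") call failed
    there. A throwaway context is used so a real one is not disturbed.
    """
    throwaway = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        throwaway.set_ciphers("ECDH")
    except ssl.SSLError:
        return False
    return True


def choose_ecdh_policy(version_info=ssl.OPENSSL_VERSION_INFO):
    """Policy from the merged changeset: OpenSSL 1.0.2+ selects the curve
    itself (SSL_CTX_set_ecdh_auto); older libraries get an explicit
    prime256v1, the default mod_ssl and nginx also use."""
    if tuple(version_info[:3]) >= (1, 0, 2):
        return "auto"
    return "prime256v1"


def configure_ecdh(ctx, version_info=ssl.OPENSSL_VERSION_INFO):
    """Apply the policy to a server context and return what was done."""
    policy = choose_ecdh_policy(version_info)
    if policy != "auto":
        # Setting a curve a second time replaces the first one (as found
        # in the thread), so repeating this on a context is harmless.
        ctx.set_ecdh_curve(policy)
    return policy


def probe():
    """Summarise what the interpreter's OpenSSL offers, the way the buildbot
    owners checked their system libraries by hand."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "has_ecdh": ssl.HAS_ECDH,
        "alias_ok": ecdh_alias_available(),
        "policy": configure_ecdh(ctx),
        "ecdh_ciphers": ecdh_ciphers(ctx),
    }


if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key}: {value}")
```

Run on a build like the ones that failed in the thread, `probe()` would report `has_ecdh` false and an empty `ecdh_ciphers` list; on a modern library it reports the `auto` policy and the ECDHE suites OpenSSL enables by default. The `kx_of` parser works on the `openssl ciphers -v` lines Stefan posted as well as on `get_ciphers()` descriptions, so the same check can be scripted against a remote buildbot's output.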

[issue21015] support SSL_CTX_set_ecdh_auto on newer OpenSSLs

2014-03-21 Thread Donald Stufft
Donald Stufft added the comment:

I don't have a new enough OpenSSL to test against SSL_CTX_set_ecdh_auto and I don't really know C very well so I didn't want to try to handle that. That being said, here is a patch that allows you to call SSLContext().set_ecdh_curve() without any argument,