Andy <grrrrrr...@surfsup.at> added the comment:

While debugging I reproduced this on
- 'OpenSSL 1.1.0f  25 May 2017'
- 'OpenSSL 1.0.1f 6 Jan 2014'
- and 'BoringSSL', latest,

using Python 2.7.12, 2.7.13, 2.7.6 and 3.5.3. This was all on Debian.


Note that since I used Python <2.7.14 (or equivalent for 3.x) for all tests, 
the check "... && !defined(OPENSSL_VERSION_1_1)" is missing and therefore the 
bug *always* triggers regardless of OpenSSL version.



I'm not sure I agree that this one curve is a good default. Note that openssl 
has 81 curves currently (openssl ecparam -list_curves) and probably can use 
most of them to connect to a server - accommodating a variety of server setups. 
Restricting this list to one single curve seems suboptimal.

Think about it like this: if tomorrow we find an issue with that particular 
curve, all servers can just migrate to a different one and all clients will be 
able to connect just fine - except those that use Python; they will not be able 
to talk to those servers ever again until they are upgraded. I mean in the end 
it's your call, but having a *client* just accepting one single security 
parameter and nothing else doesn't seem right.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31809>
_______________________________________