Opened 2 years ago

Last modified 7 months ago

#7033 task new

Use PyOpenSSL's ECDHE API

Reported by: lvh Owned by:
Priority: normal Milestone:
Component: core Keywords: tls ecdhe
Cc: tom@… Branch:
Author: Launchpad Bug:

Description (last modified by lvh)

In ticket #6586, hynek and I introduced temporary ECDHE support for Twisted, greatly improving Twisted's default behavior for TLS servers. However, it does so with some custom code. It'd be preferable if we just inherited that behavior from PyOpenSSL instead, since it would be less code in Twisted to maintain.

For this to be possible, several things have to happen, all but the last of them upstream:

  • One of the ECDHE support branches needs to land in PyOpenSSL. Right now it looks most likely it will be https://github.com/pyca/pyopenssl/pull/57
  • cryptography needs to make a release >= 0.2.2
  • PyOpenSSL needs to make a release that depends on a cryptography release >= 0.2.2
  • Twisted needs to depend on that new PyOpenSSL release

Once all of that happens, we can just use the behavior from PyOpenSSL, and remove the workaround.

Change History (2)

comment:1 Changed 2 years ago by lvh

  • Description modified (diff)

comment:2 Changed 7 months ago by tomrittervg

  • Cc tom@… added

pyopenssl 0.15 now supports ECDHE ciphersuites via the Context.set_tmp_ecdh function: https://github.com/pyca/pyopenssl/blob/0.15.1/OpenSSL/SSL.py#L808 However the current usage in twisted does not use it.

Note: See TracTickets for help on using tickets.