Opened 3 years ago

Last modified 12 months ago

#7033 task new


Reported by: lvh Owned by:
Priority: normal Milestone:
Component: core Keywords: tls ecdhe
Cc: tom@… Branch:

Description (last modified by lvh)

In ticket #6586, hynek and I introduced temporary ECDHE support for Twisted, greatly improving Twisted's default behavior for TLS servers. However, it does so with some custom code. It'd be preferable if we just inherited that behavior from PyOpenSSL instead, since it would be less code in Twisted to maintain.

For this to be possible, several things have to happen, all but the last of them upstream:

  • One of the ECDHE support branches needs to land in PyOpenSSL. Right now it looks most likely it will be
  • cryptography needs to make a release >= 0.2.2
  • PyOpenSSL needs to make a release that depends on a cryptography release >= 0.2.2
  • Twisted needs to depend on that new PyOpenSSL release

Once all of that happens, we can just use the behavior from PyOpenSSL, and remove the workaround.

Change History (2)

comment:1 Changed 3 years ago by lvh

  • Description modified (diff)

comment:2 Changed 12 months ago by tomrittervg

  • Cc tom@… added

pyopenssl 0.15 now supports ECDHE ciphersuites via the Context.set_tmp_ecdh function: However the current usage in twisted does not use it.

Note: See TracTickets for help on using tickets.