automatically set SSL_CTX_set_ecdh_auto when available (#575)

pyca · Dec 19, 2016 · 6c6bf86 · 6c6bf86
1 parent 63ef9bc
commit 6c6bf86
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -29,6 +29,8 @@ Changes:
   This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation.
   For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements.
   `#578 <https://github.com/pyca/pyopenssl/pull/578>`_
+- Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``.
+  `#575 <https://github.com/pyca/pyopenssl/pull/575>`_
 
 
 ----

diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
@@ -475,6 +475,15 @@ def __init__(self, method):
         _openssl_assert(context != _ffi.NULL)
         context = _ffi.gc(context, _lib.SSL_CTX_free)
 
+        # If SSL_CTX_set_ecdh_auto is available then set it so the ECDH curve
+        # will be auto-selected. This function was added in 1.0.2 and made a
+        # noop in 1.1.0+ (where it is set automatically).
+        try:
+            res = _lib.SSL_CTX_set_ecdh_auto(context, 1)
+            _openssl_assert(res == 1)
+        except AttributeError:
+            pass
+
         self._context = context
         self._passphrase_helper = None
         self._passphrase_callback = None