Message 149755 - Python tracker

Message149755

Author	naif
Recipients	naif
Date	2011-12-18.13:37:58
SpamBayes Score	8.367155e-06
Marked as misclassified	No
Message-id	<1324215538.93.0.209202773548.issue13627@psf.upfronthosting.co.za>
In-reply-to

Content
Python SSL doesn't support Elliptic Curve ciphers in in all version tested. This is a serious performance issue because it's not possible to use as a server or as client the performance improvement provided by ECC based ciphers. Nowdays ECC are supported by all latests browsers. ECC provide a strong performance improvements (even x3) also when used with Perfect Forward Secrecy enabled ciphers like described on: http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html In order to enable ECC ciphers (and eventually ECC keys) the SSL implementation the in the file Modules/_ssl.c must be modified. For example apache had several modifications to support ECC on their SSL (openssl based) stack: https://issues.apache.org/bugzilla/show_bug.cgi?id=40132 https://build.opensuse.org/package/view_file?file=httpd-ssl-ecc-ecdh.patch&package=apache2&project=home%3Aelvigia%3Atls1.2&rev=2 So Python SSL module should introduce similar modifications to fully support Elliptic Curve ciphers for SSL in order to: - Provide performance improvements - Provide cryptography security improvements - Allow writing of applications compliant with NSA Suite-B standard

Content

Python SSL doesn't support Elliptic Curve ciphers in in all version tested.

This is a serious performance issue because it's not possible to use as a server or as client the performance improvement provided by ECC based ciphers.
Nowdays ECC are supported by all latests browsers.

ECC provide a strong performance improvements (even x3) also when used with Perfect Forward Secrecy enabled ciphers like described on:
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

In order to enable ECC ciphers (and eventually ECC keys) the SSL implementation the in the file Modules/_ssl.c must be modified.

For example apache had several modifications to support ECC on their SSL (openssl based) stack:
https://issues.apache.org/bugzilla/show_bug.cgi?id=40132
https://build.opensuse.org/package/view_file?file=httpd-ssl-ecc-ecdh.patch&package=apache2&project=home%3Aelvigia%3Atls1.2&rev=2

So Python SSL module should introduce similar modifications to fully support Elliptic Curve ciphers for SSL in order to:

- Provide performance improvements
- Provide cryptography security improvements
- Allow writing of applications compliant with NSA Suite-B standard

History
Date	User	Action	Args
2011-12-18 13:38:59	naif	set	recipients: + naif
2011-12-18 13:38:58	naif	set	messageid: <1324215538.93.0.209202773548.issue13627@psf.upfronthosting.co.za>
2011-12-18 13:37:58	naif	link	issue13627 messages
2011-12-18 13:37:58	naif	create