gh-103242: Migrate SSLContext.set_ecdh_curve not to use deprecated APIs (GH-103378)

Migrate `SSLContext.set_ecdh_curve()` not to use deprecated OpenSSL APIs. (cherry picked from commit 35167043e3) Co-authored-by: Dong-hee Na <donghee.na@python.org>
2026-03-17 02:10:56 +00:00 · 2023-04-08 11:21:27 -07:00 · 2023-04-08 11:21:27 -07:00 · 4fa5fda14b
commit 4fa5fda14b
parent 77359a86b8
2 changed files with 10 additions and 3 deletions
--- a/Builtins/2023-04-08-17-13-07.gh-issue-103242.ysI1b3.rst
+++ b/Builtins/2023-04-08-17-13-07.gh-issue-103242.ysI1b3.rst
@ -0,0 +1,2 @@
+Migrate :meth:`~ssl.SSLContext.set_ecdh_curve` method not to use deprecated
+OpenSSL APIs. Patch by Dong-hee Na.
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -4355,8 +4355,6 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name)
 {
    PyObject *name_bytes;
    int nid;
-    EC_KEY *key;
-
    if (!PyUnicode_FSConverter(name, &name_bytes))
        return NULL;
    assert(PyBytes_Check(name_bytes));
@ -4367,13 +4365,20 @@ _ssl__SSLContext_set_ecdh_curve(PySSLContext *self, PyObject *name)
                     "unknown elliptic curve name %R", name);
        return NULL;
    }
-    key = EC_KEY_new_by_curve_name(nid);
+#if OPENSSL_VERSION_MAJOR < 3
+    EC_KEY *key = EC_KEY_new_by_curve_name(nid);
    if (key == NULL) {
        _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
        return NULL;
    }
    SSL_CTX_set_tmp_ecdh(self->ctx, key);
    EC_KEY_free(key);
+#else
+    if (!SSL_CTX_set1_groups(self->ctx, &nid, 1)) {
+        _setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
+        return NULL;
+    }
+#endif
    Py_RETURN_NONE;
 }