Add binding for SSL_CTX_set1_curves_list #4980
Comments
This is one of those things where I think people should not change the defaults in an application, unless they know what they're doing. Most of the time I see something like that being used, they don't know what all the effects are, or after 10 years they end up with bad values. So I'm not sure it's a good idea to expose this to applications or not.
Thank you @kroeckx. Thank you for explaining your point about the default value in OpenSSL, where by default you prefer to prioritize performance, which would be more important for the general public (openssl/openssl#9748 (comment)), and I do not agree with the reason you prefer to keep it as it is. I would support anyway that cryptography expose this option to users that require more security, to make it possible to specify the order so as to prioritize security over performance.
If OpenSSL's going to have an API for this, we can bind to it.
@alex: the API is this: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_curves_list.html. It was first introduced in pyopenssl 1.0.2. Here you can see an example of a configuration using SSL_CTX_set_ecdh_auto where each of the clients that you see listed is able to support secp384r1 but, given the order list of the server, they are using secp256r1: https://www.ssllabs.com/ssltest/analyze.html?d=try.globaleaks.org
@alex @kroeckx: one additional value in adding this binding would be to make it possible for users to disable a particular curve. Suppose in fact that tomorrow a particular curve turns out to be vulnerable. With this binding exposed, it will be possible to immediately disable it and, with a simple configuration, patch the vulnerability.
This binding can be added, but in general we'd expect it to be consumed by pyopenssl. If you'd like to add this then you should submit a PR here and also a pyopenssl PR that adds a new API consuming it.
While experimenting within the Globaleaks application I just found out that the binding for SSL_CTX_set1_curves_list is currently not exposed.
This would be useful in order to define a preference on the order of the curves that should be used.
The feature would be particularly important given that the OpenSSL default order seems to be x25519, secp256r1, x448, secp521r1, secp384r1. This specific order makes clients select secp256r1 even if they support secp521r1 or secp384r1. (openssl/openssl#9748)
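The ordering effect described in the issue, as an added example that is not part of the original thread and is not OpenSSL or pyOpenSSL code: a simplified model that assumes the server's list order decides the curve. The alias table, the sample client and the function names are constructed for illustration; the default order is the one reported in the issue.

```python
# Simplified model (assumption): the server walks its own ordered curve list
# and picks the first entry the client also supports.

# Constructed alias table mapping alternate spellings to one canonical name.
ALIASES = {
    "p-256": "secp256r1", "prime256v1": "secp256r1", "secp256r1": "secp256r1",
    "p-384": "secp384r1", "secp384r1": "secp384r1",
    "p-521": "secp521r1", "secp521r1": "secp521r1",
    "x25519": "x25519", "x448": "x448",
}

# Default order as reported in the issue.
REPORTED_DEFAULT = "x25519:secp256r1:x448:secp521r1:secp384r1"

# Constructed sample client: supports the three NIST curves, no x25519/x448.
SAMPLE_CLIENT = ["P-256", "P-384", "P-521"]


def parse_curves_list(spec):
    """Parse a colon-separated curve list into canonical names, keeping order."""
    curves = []
    for token in spec.split(":"):
        name = ALIASES.get(token.strip().lower())
        if name is None:
            raise ValueError(f"unknown curve: {token!r}")
        if name in curves:
            raise ValueError(f"duplicate curve: {token!r}")
        curves.append(name)
    return curves


def negotiate(server_spec, client_curves):
    """Return the first curve in the server's order that the client supports,
    or None when the two sides share no curve."""
    offered = set(parse_curves_list(":".join(client_curves)))
    for curve in parse_curves_list(server_spec):
        if curve in offered:
            return curve
    return None


if __name__ == "__main__":
    # Reported default order: the client lands on secp256r1.
    print(negotiate(REPORTED_DEFAULT, SAMPLE_CLIENT))
    # Reordered list that puts the larger curves first.
    print(negotiate("P-384:P-521:X25519:P-256", SAMPLE_CLIENT))
    # Same curves as the default with secp256r1 removed (disabling one curve).
    print(negotiate("x25519:x448:secp521r1:secp384r1", SAMPLE_CLIENT))
```

A client that supports only the removed curve gets `None` from `negotiate`, which is the compatibility cost of disabling a curve.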