Description
Add support for getting/setting groups used for key agreement
Proposal:
This feature proposal is an expansion of the feature proposed in issue #109945. It began as a discussion on the PR where I provided some suggestions on generalizing that feature to include supporting more than just EC curves, and I provided some rough example code. Since then, I've put together a more complete version of this which I'll be submitting shortly as a PR attached to this issue.
The basic idea is to add three new methods related to getting & setting groups used for key agreement:
```
SSLContext.get_groups() -> List[str]:
    """Get a list of groups implemented for key agreement, taking into account
    the SSLContext's current TLS `minimum_version` and `maximum_version` values."""

SSLContext.set_groups(groups: str) -> None:
    """Set the groups allowed for key agreement for sockets created with this context."""

SSLSocket.group() -> str:
    """Return the group used for key agreement, after the TLS handshake completes."""
```
These methods are designed to directly mimic the existing methods for getting and setting cipher suites. Prior to TLS 1.3, all of this could be done with just setting ciphers, but that's no longer the case.
This proposal provides a superset of the functionality requested in #109945, allowing not only multiple EC curves to be specified but also allowing other mechanisms like fixed field DHE and post-quantum algorithms added in OpenSSL 3.5. In fact, once the `set_groups()` method is available the existing `set_ecdh_curve()` method could be deprecated, as the methods it calls are available all the way to OpenSSL 1.1.1, which is now the minimum supported OpenSSL version for Python.
The `group()` and `get_groups()` methods require later versions of OpenSSL (3.2 and 3.5, respectively), but the code can check for this and raise a NotImplemented exception if the version of OpenSSL that Python is built against is too old to support them.
Links to previous discussion of this feature:
Previous discussion occurred in PR #119244, and it was suggested that it might be best to create a new issue and PR, since the previous request might not be monitored any more.
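
The following is an added example, not code from this issue or from CPython: it shows how calling code could pin key-agreement groups through the proposed `set_groups()` when the interpreter provides it, and degrade to the single-curve `set_ecdh_curve()` otherwise. The helper names, the fallback curve list, and the colon-separated group string (OpenSSL's group-list syntax) are assumptions.

```python
import ssl

# Assumption: EC curve short names usable with the older set_ecdh_curve() path.
_EC_CURVES = ("prime256v1", "secp384r1", "secp521r1")


def apply_groups(ctx, groups):
    """Restrict key-agreement groups on ctx.

    Returns (method_used, value_applied) so callers can log what was enforced.
    """
    if not groups:
        raise ValueError("at least one group is required")
    if hasattr(ctx, "set_groups"):
        # Proposed API: one string, preference-ordered, colon-separated (assumed).
        value = ":".join(groups)
        ctx.set_groups(value)
        return "set_groups", value
    # Older interpreter: only a single EC curve can be pinned, so non-EC
    # groups (finite-field DHE, post-quantum hybrids) are skipped.
    for name in groups:
        if name in _EC_CURVES:
            ctx.set_ecdh_curve(name)
            return "set_ecdh_curve", name
    # Fail closed rather than silently leaving the default group list in place.
    raise NotImplementedError("requested groups need SSLContext.set_groups()")


def implemented_groups(ctx):
    """Return the proposed get_groups() result, or None when unavailable."""
    getter = getattr(ctx, "get_groups", None)
    if getter is None:
        return None
    try:
        return getter()
    except NotImplementedError:
        # Per the proposal, raised when the linked OpenSSL is too old.
        return None


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print(apply_groups(ctx, ["X25519", "prime256v1"]))
    print(implemented_groups(ctx))
```

Failing closed in the fallback path matters for policy enforcement: a context that quietly keeps its default groups would pass a configuration step while still negotiating groups the caller meant to exclude.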