From 6c6bf865acdd3c5ca5f47b1dbc2903023fd286b6 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Mon, 19 Dec 2016 06:03:48 -0600
Subject: automatically set SSL_CTX_set_ecdh_auto when available (#575)
---
 CHANGELOG.rst | 2 ++
 src/OpenSSL/SSL.py | 9 +++++++++
 2 files changed, 11 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 56c3c74..7085711 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -29,6 +29,8 @@ Changes: This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation. For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements. `#578 `_
+- Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``.
+ `#575 `_
 ----
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 63a0b7e..eb0de10 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -475,6 +475,15 @@ class Context(object):
 _openssl_assert(context != _ffi.NULL)
 context = _ffi.gc(context, _lib.SSL_CTX_free)
+ # If SSL_CTX_set_ecdh_auto is available then set it so the ECDH curve
+ # will be auto-selected. This function was added in 1.0.2 and made a
+ # noop in 1.1.0+ (where it is set automatically).
+ try:
+ res = _lib.SSL_CTX_set_ecdh_auto(context, 1)
+ _openssl_assert(res == 1)
+ except AttributeError:
+ pass
+
 self._context = context
 self._passphrase_helper = None
 self._passphrase_callback = None
--
cgit v1.2.1
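Review bot: The `try` in the SSL.py hunk wraps both the `_lib.SSL_CTX_set_ecdh_auto` lookup and `_openssl_assert(res == 1)`, so an `AttributeError` raised anywhere in that call path is swallowed as if the symbol were simply missing; limiting the guard to the lookup, e.g. `set_auto = getattr(_lib, "SSL_CTX_set_ecdh_auto", None)` followed by `if set_auto is not None: _openssl_assert(set_auto(context, 1) == 1)`, keeps real failures visible. When the symbol is absent the context is left without any ECDH curve configured and nothing tells the caller, so a server on such a build presumably cannot negotiate ECDHE suites unless the application calls `set_tmp_ecdh` itself; the added comment should say so. It would also be worth confirming (not visible here) whether auto-selection takes precedence over a curve later pinned with `set_tmp_ecdh` on 1.0.2, and covering that with a test. The enclosing method of `Context` starts and ends outside the hunk.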