René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Add support in SSL module for getting/setting groups used for key agreement","articleBody":"# Add support for getting/setting groups used for key agreement\n\n### Proposal:\n\nThis feature proposal is an expansion of the feature proposed in issue #109945. It began as a discussion on the PR where I provided some suggestions on generalizing that feature to include supporting more than just EC curves, and I provided some rough example code. Since then, I've put together a more complete version of this which I'll be submitting shortly as a PR attached to this issue.\n\nThe basic idea is to add three new methods related to getting \u0026 setting groups used for key agreement:\n\n```python\n    SSLContext.get_groups() -\u003e List[str]:\n        \"\"\"Get a list of groups implemented for key agreement, taking into account\n           the SSLContext's current TLS `minimum_version` and `maximum_version` values.\"\"\"\n    \n    SSLContext.set_groups(groups: str) -\u003e None:\n        \"\"\"Set the groups allowed for key agreement for sockets created with this context.\"\"\"\n\n    SSLSocket.group() -\u003e str:\n        \"\"\"Return the group used for key agreement, after the TLS handshake completes.\"\"\"\n```\n\nThese methods are designed to directly mimic the existing methods for getting and setting ciphers suites. Prior to TLS 1.3, all of this could be done with just setting ciphers, but that's no longer the case.\n\nThis proposal provides a superset of the functionality requested in #109945, allowing not only multiple EC curves to be specified but also allowing other mechanisms like fixed field DHE and post-quantum algorithms added in OpenSSL 3.5. In fact, once the `set_groups()` method is available the existing `set_ecdh_curve()` method could be deprecated, as the methods it calls are available all the way to OpenSSL 1.1.1, which is now the minimum supported OpenSSL version for Python.\n\nThe `group()` and `get_groups()` methods require later versions of OpenSSL (3.2 and 3.5, respectively), but the code can check for this and raise a NotImplemented exception if the version of OpenSSL that Python is built against is too old to support them.\n\n### Links to previous discussion of this feature:\n\nPrevious discussion occurred in PR #119244, and it was suggested that it might be best to create a new issue and PR, since the previous request might not be monitored any more.\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-136307\n* gh-137405\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/ronf","@type":"Person","name":"ronf"},"datePublished":"2025-07-04T22:22:54.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":10},"url":"https://github.com/136306/cpython/issues/136306"}