Add binding for SSL_CTX_set1_curves_list and SSL_CTX_set1_groups_list

[evilaliv3]

Hello @alex @reaperhulk, this ticket is to re-open a discussion on the possibility to add binding for SSL_CTX_set1_curves_list and SSL_CTX_set1_groups_list (https://github.com/pyca/cryptography/issues/4980, https://github.com/pyca/cryptography/issues/9562)

At the moment a python application built on top of pyopenssl has no possibility to set a different order of preference on the selection of the curves that are forced to be x25519, secp256r1, x448, secp521r1, secp384r1 in this exact order of preference.

I fully agree with your previous evaluations that developers should be using the library defaults and adhere to the choices of the community, but i consider that such a binding is fundamental to protect users in case a specific curve would become known combination for a specific attack. At the moment, on such a situation there would be no workaround for pyopenssl users different from shutting down their system.

@alex : on #9562 you referred to the existance of the binding for set_tmp_ecdh but actually @t8m confirms that this could not be used to set x25519 and x448: https://github.com/openssl/openssl/discussions/24116

Thank you if you could evaluate this once again.

[t8m]

+1 to provide the bindings (set1_curves is alias to set1_groups) so one binding with the new name would be sufficient unless you need to support older OpenSSL versions.

[reaperhulk]

We would accept a PR to add these bindings contingent on a PR on the pyOpenSSL side that would use them appropriately.