New submission from naif <n...@globaleaks.org>:
Python SSL doesn't support DH ciphers in in all version tested.
This is a serious security issue because it's not possible to use as a server
or client Perfect Forward Secrecy [1] security provided by DHE and ECDH ciphers
.
In order to enable DH ciphers the SSL implementation the in the file
Modules/_ssl.c, it must issue a DH_generate_parameters() if a cipher is DH.
For example PHP handling of DH ciphers, look php-5.3.8/ext/openssl/openssl.c :
#if !defined(NO_DH)
case OPENSSL_KEYTYPE_DH:
{
DH *dhpar =
DH_generate_parameters(req->priv_key_bits, 2, NULL, NULL);
int codes = 0;
if (dhpar) {
DH_set_method(dhpar,
DH_get_default_method());
if (DH_check(dhpar, &codes) &&
codes == 0 && DH_generate_key(dhpar)) {
if
(EVP_PKEY_assign_DH(req->priv_key, dhpar)) {
return_val =
req->priv_key;
}
} else {
DH_free(dhpar);
}
}
}
break;
#endif
default:
An important security fix, to support and enable by default DH ciphers has to
be done.
[1] http://en.wikipedia.org/wiki/Perfect_forward_secrecy
----------
components: Library (Lib)
messages: 149749
nosy: naif
priority: normal
severity: normal
status: open
title: Python SSL stack doesn't support DH ciphers
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13626>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
