New submission from naif <n...@globaleaks.org>:

Python SSL doesn't support DH ciphers in in all version tested.

This is a serious security issue because it's not possible to use as a server 
or client Perfect Forward Secrecy [1] security provided by DHE and ECDH ciphers 
.

In order to enable DH ciphers the SSL implementation the in the file 
Modules/_ssl.c, it must issue a DH_generate_parameters() if a cipher is DH.

For example PHP handling of DH ciphers, look php-5.3.8/ext/openssl/openssl.c : 

#if !defined(NO_DH)
                        case OPENSSL_KEYTYPE_DH:
                                {
                                        DH *dhpar = 
DH_generate_parameters(req->priv_key_bits, 2, NULL, NULL);
                                        int codes = 0;

                                        if (dhpar) {
                                                DH_set_method(dhpar, 
DH_get_default_method());
                                                if (DH_check(dhpar, &codes) && 
codes == 0 && DH_generate_key(dhpar)) {
                                                        if 
(EVP_PKEY_assign_DH(req->priv_key, dhpar)) {
                                                                return_val = 
req->priv_key;
                                                        }
                                                } else {
                                                        DH_free(dhpar);
                                                }
                                        }
                                }
                                break;
#endif
                        default:


An important security fix, to support and enable by default DH ciphers has to 
be done.

[1] http://en.wikipedia.org/wiki/Perfect_forward_secrecy

----------
components: Library (Lib)
messages: 149749
nosy: naif
priority: normal
severity: normal
status: open
title: Python SSL stack doesn't support DH ciphers
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13626>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to