New submission from naif <n...@globaleaks.org>:

Python SSL doesn't support DH ciphers in all versions tested.

This is a serious security issue because it's not possible to use, as a server or client, the Perfect Forward Secrecy [1] security provided by DHE and ECDH ciphers. In order to enable DH ciphers, the SSL implementation in the file Modules/_ssl.c must issue a DH_generate_parameters() if a cipher is DH.

For example, for PHP's handling of DH ciphers, look at php-5.3.8/ext/openssl/openssl.c:

    #if !defined(NO_DH)
        case OPENSSL_KEYTYPE_DH:
            {
                DH *dhpar = DH_generate_parameters(req->priv_key_bits, 2, NULL, NULL);
                int codes = 0;

                if (dhpar) {
                    DH_set_method(dhpar, DH_get_default_method());
                    if (DH_check(dhpar, &codes) && codes == 0 && DH_generate_key(dhpar)) {
                        if (EVP_PKEY_assign_DH(req->priv_key, dhpar)) {
                            return_val = req->priv_key;
                        }
                    } else {
                        DH_free(dhpar);
                    }
                }
            }
            break;
    #endif
        default:

An important security fix, to support and enable DH ciphers by default, has to be done.

[1] http://en.wikipedia.org/wiki/Perfect_forward_secrecy

----------
components: Library (Lib)
messages: 149749
nosy: naif
priority: normal
severity: normal
status: open
title: Python SSL stack doesn't support DH ciphers
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13626>
_______________________________________
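The report above is about whether a Python TLS endpoint can offer ephemeral (EC)DH key exchange at all. The following is an added example, not the submitter's code and not CPython's Modules/_ssl.c: it uses the stdlib ssl module (Python 3.6+ for SSLContext.get_ciphers()) to audit which suites in a cipher string give forward secrecy and which still use static RSA key transport, and shows the server-side hook (load_dh_params(), available since Python 3.3) that a DHE-capable server context needs. The certificate, key and DH parameter file paths accepted by server_context_with_pfs() are assumptions; no such files are created here.

```python
"""Audit an OpenSSL cipher string for forward secrecy using the stdlib ssl module.

Added example (Python 3.6+ for SSLContext.get_ciphers()).  It is not the
submitter's code and not CPython's _ssl.c.  The file paths passed to
server_context_with_pfs() are assumptions, not files that exist here.
"""
import ssl

# Key-exchange labels as reported in the 'kea' field of SSLContext.get_ciphers().
# Ephemeral (EC)DH gives forward secrecy; static RSA key transport ('kx-rsa')
# does not: a later leak of the server key decrypts every recorded session.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe"}


def provides_forward_secrecy(cipher):
    """Return True if a get_ciphers() entry uses ephemeral key exchange.

    TLS 1.3 suites are listed with kea 'kx-any' because the protocol itself
    only permits (EC)DHE, so they always count as forward secret.
    """
    if cipher.get("protocol") == "TLSv1.3":
        return True
    return cipher.get("kea") in EPHEMERAL_KX


def forward_secrecy_report(cipher_string):
    """Classify every suite an OpenSSL cipher string would enable.

    Returns {'pfs': [suite names], 'static': [suite names]}.  Raises
    ssl.SSLError if the string matches no suite at the active OpenSSL
    security level, which is itself a useful signal during an audit.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    report = {"pfs": [], "static": []}
    for cipher in ctx.get_ciphers():
        bucket = "pfs" if provides_forward_secrecy(cipher) else "static"
        report[bucket].append(cipher["name"])
    return report


def server_context_with_pfs(certfile, keyfile, dhparams_file=None):
    """Build a server context that can actually negotiate (EC)DHE suites.

    ECDHE only needs a curve, which Python picks automatically on modern
    OpenSSL.  DHE needs group parameters: without load_dh_params() (a PEM
    file such as one produced by `openssl dhparam`) OpenSSL silently never
    offers DHE suites, which is the gap the submitter describes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)  # assumed paths
    cipher_string = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL"
    ctx.set_ciphers(cipher_string)
    if dhparams_file is not None:
        ctx.load_dh_params(dhparams_file)  # assumed path; enables DHE
    # Fail closed if the string somehow admits a static-RSA suite.
    if forward_secrecy_report(cipher_string)["static"]:
        raise ValueError("cipher string admits non-forward-secret suites")
    return ctx


if __name__ == "__main__":
    # Constructed cipher strings: one ephemeral-only, one static-RSA,
    # one broad legacy string that typically mixes both.
    for spec in ("ECDHE+AESGCM:DHE+AESGCM", "AES128-GCM-SHA256", "HIGH:!aNULL"):
        try:
            rep = forward_secrecy_report(spec)
        except ssl.SSLError as exc:
            print(f"{spec!r}: no suite selectable ({exc})")
            continue
        print(f"{spec!r}: {len(rep['pfs'])} forward-secret, {len(rep['static'])} static")
        for name in rep["static"]:
            print("  no forward secrecy:", name)
```

Run it as a script to see how a given cipher string splits; in a deployment check, an empty 'static' list from forward_secrecy_report() is the property to assert before the server goes live, and a DHE suite only appears in a real handshake once load_dh_params() has been called.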