[issue13626] Python SSL stack doesn't support DH ciphers

2011-12-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: Thank you Meador. I've committed an updated patch.
-- resolution: -> fixed; stage: patch review -> committed/rejected; status: open -> closed

2011-12-22 Thread Roundup Robot
Roundup Robot added the comment: New changeset 33dea851f918 by Antoine Pitrou in branch 'default': Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the
http://hg.python.org/cpython/rev/33dea851f918
-- nosy: +python-dev

2011-12-21 Thread Meador Inge
Meador Inge added the comment: Per the Red Hat problems in issue13627 I just tried this patch on Fedora 16. Everything built just fine. However, the patch doesn't apply cleanly to tip any longer:
[meadori@motherbrain cpython]$ patch -p1 < ../patches/dh.patch
patching file Doc/library/ssl.rs

2011-12-19 Thread Antoine Pitrou
Antoine Pitrou added the comment: Here is a patch adding the load_dh_params method on SSL contexts, and the OP_SINGLE_DH_USE option flag.
-- keywords: +patch; stage: needs patch -> patch review
Added file: http://bugs.python.org/file24053/dh.patch

2011-12-19 Thread naif
naif added the comment: In the meantime I added two other tickets on security and performance improvements of Python SSL support, to make it really complete and comparable to Apache/Dovecot/PHP in terms of configuration and capability: Python SSL stack doesn't support ordering of Ciphers htt

2011-12-19 Thread Antoine Pitrou
Antoine Pitrou added the comment:
> Wow, I saw your patch for ECC SSL ciphers on
> http://bugs.python.org/issue13627 .
>
> Do you think we can use the same method/concept as
> ssl.OP_SINGLE_ECDH_USE but ssl.OP_SINGLE_DH_USE for DH?

Of course.

2011-12-19 Thread naif
naif added the comment: Wow, I saw your patch for ECC SSL ciphers on http://bugs.python.org/issue13627 . Do you think we can use the same method/concept as ssl.OP_SINGLE_ECDH_USE but ssl.OP_SINGLE_DH_USE for DH?

2011-12-18 Thread Jesús Cea Avión
Changes by Jesús Cea Avión: nosy: +jcea

2011-12-18 Thread Antoine Pitrou
Antoine Pitrou added the comment: Well the OpenSSL docs say “DH_generate_parameters() may run for several hours before finding a suitable prime”, which sounds like a good reason not to do it every time your program is run. Anyway, SSL_CTX_set_tmp_dh() should allow us to set DH parameters on a

2011-12-18 Thread naif
naif added the comment: Please look at how PHP implements the feature. It doesn't use any PEM or any key file, but just initializes the DH parameters. Stud instead asks the user to generate the DH parameters "offline" and save them into the PEM file. I think that the PHP approach is better tha

2011-12-18 Thread Antoine Pitrou
Antoine Pitrou added the comment: The ssl module doesn't directly handle keys, it just gives a PEM file to OpenSSL's ssl functions. So I don't understand what should be done precisely here, or even if something has to be done at all.
-- nosy: +pitrou; type: -> enhancement; versions: -

2011-12-18 Thread naif
naif added the comment: Other example for DH and ECC from: https://github.com/bumptech/stud/blob/master/stud.c

    #ifndef OPENSSL_NO_DH
    static int init_dh(SSL_CTX *ctx, const char *cert) {
        DH *dh;
        BIO *bio;

        assert(cert);

        bio = BIO_new_file(cert, "r");
        if (!bio) {
            ERR_pr

2011-12-18 Thread naif
New submission from naif: Python SSL doesn't support DH ciphers in all versions tested. This is a serious security issue because it's not possible to use, as a server or client, the Perfect Forward Secrecy [1] security provided by DHE and ECDH ciphers. In order to enable DH ciphers the SSL impl