Antoine Pitrou pit...@free.fr added the comment:
Could you provide a patch with those proposed changes?
On Saturday 18 February 2012 at 00:45 +, Vinay Sajip wrote:
Vinay Sajip vinay_sa...@yahoo.co.uk added the comment:
Attached.
--
Added file: http://bugs.python.org/file24569/ssl-ecdh.diff
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue13627
___
Antoine Pitrou pit...@free.fr added the comment:
> Attached.
Thanks. Should be fixed in 1a06f0a8120f. Can you check? :)
Vinay Sajip vinay_sa...@yahoo.co.uk added the comment:
Good news: the _ssl module builds OK, the ssl module can be imported, and
test_ssl now has no failures on Mac OS X 10.5.8 / OpenSSL 0.9.7 :-)
Vinay Sajip vinay_sa...@yahoo.co.uk added the comment:
I'm getting a failure building on Mac OS X Leopard (10.5.8) relating to ECDH:
/Users/vinay/projects/pythonv/Modules/_ssl.c: In function PyInit__ssl:
/Users/vinay/projects/pythonv/Modules/_ssl.c:2545: error:
SSL_OP_SINGLE_ECDH_USE
Antoine Pitrou pit...@free.fr added the comment:
> I'm getting a failure building on Mac OS X Leopard (10.5.8) relating to ECDH:
Thanks for reporting. It should be fixed in c1a07c8092f7. Can you try?
Vinay Sajip vinay_sa...@yahoo.co.uk added the comment:
> Can you try?
That error goes away, but there are others. Sorry, I missed them in amongst the
warnings, or I would have posted all of them. Here's the complete console
output for the _ssl extension:
building '_ssl' extension
gcc
Antoine Pitrou pit...@free.fr added the comment:
> That error goes away, but there are others. Sorry, I missed them in
> amongst the warnings, or I would have posted all of them. Here's the
> complete console output for the _ssl extension:
Uh, what is the OpenSSL version there?
Can you try to find
Vinay Sajip vinay_sa...@yahoo.co.uk added the comment:
It looks like it's OpenSSL 0.9.7. It's an old machine which I can't change
things on - it's got MacPorts OpenSSL which is 1.0.0g, and I thought it was
using that. On closer investigation, the version in /usr/include (0.9.7l) is
actually
Vinay Sajip vinay_sa...@yahoo.co.uk added the comment:
Oh - and, ECDH is not matched by any file in that OpenSSL include
directory/hierarchy.
Vinay Sajip vinay_sa...@yahoo.co.uk added the comment:
Also, if it's OK for the Elliptic Curve code to be optional in builds, the
failure to import OP_SINGLE_ECDH_USE into ssl.py from _ssl should not cause
import ssl to fail.
Antoine Pitrou pit...@free.fr added the comment:
Ok, can you try again? 06ed9b3f02af
Vinay Sajip vinay_sa...@yahoo.co.uk added the comment:
Almost there. The file now compiles, but a failure occurs in a later step due
to compression functionality being unavailable:
building '_ssl' extension
gcc -fno-strict-aliasing -fno-common -dynamic -DNDEBUG -g -fwrapv -O3 -Wall
Antoine Pitrou pit...@free.fr added the comment:
Can you post the exact compiler errors you encountered?
Antoine Pitrou pit...@free.fr added the comment:
Never mind, I've found them on the Fedora buildbot.
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset ec44f2e82707 by Antoine Pitrou in branch 'default':
Fix ssl module compilation if ECDH support was disabled in the OpenSSL build.
http://hg.python.org/cpython/rev/ec44f2e82707
Antoine Pitrou pit...@free.fr added the comment:
Since we're at it, do you know if Redhat also disables regular Diffie-Hellman?
See issue13626.
Antoine Pitrou pit...@free.fr added the comment:
ec44f2e82707 fixed compilation on Fedora and test_ssl passed fine.
--
status: open - closed
Meador Inge mead...@gmail.com added the comment:
> ec44f2e82707 fixed compilation on Fedora and test_ssl passed fine.
Awesome, thanks Antoine. I will checkout the DH patch from issue13626 on
Fedora today.
Meador Inge mead...@gmail.com added the comment:
ECC is *not* available in the OpenSSL package provided on RedHat systems.
RedHat intentionally strips it due to patent concerns
(http://en.wikipedia.org/wiki/ECC_patents). Therefore committing this work
made it much more difficult to build
Antoine Pitrou pit...@free.fr added the comment:
> Perhaps we should make these algorithms build conditional? Are these
> patent issues of concern to us?
Well, if RedHat used the standard OPENSSL_NO_ECDH flag, it's easy
enough to fix compilation of the ssl module.
Changes by Antoine Pitrou pit...@free.fr:
--
status: closed - open
Antoine Pitrou pit...@free.fr added the comment:
Here is a patch adding a set_ecdh_curve() method on SSL contexts, and a
ssl.OP_SINGLE_ECDH_USE option flag. This is enough to enable ECDH with
compatible clients (I've tested with Firefox and openssl s_client).
--
keywords: +patch
naif n...@globaleaks.org added the comment:
So, with this patch it should be possible to strictly enable ciphers such as:
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA SSLv3
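The two pieces this thread adds to the ssl module, set_ecdh_curve() on SSL contexts and the ssl.OP_SINGLE_ECDH_USE option flag, together with Vinay's point that ECDH must stay optional in builds whose OpenSSL has EC stripped out, and naif's wish to strictly enable ECDHE-* suites: the following is an added example, not code from the tracker or from CPython. It assumes a modern Python where SSLContext.get_ciphers() reports the key-exchange kind under the "kea" key; the curve name and cipher string are constructed choices.

```python
import ssl

# Curve short name for set_ecdh_curve(); a constructed choice for this example.
PREFERRED_CURVE = "prime256v1"

# OpenSSL cipher string that keeps only ECDHE key exchange (the ECDHE-* suites
# the thread wants to enable) and drops anonymous/null suites.
ECDHE_ONLY = "ECDHE+AESGCM:ECDHE+AES:!aNULL:!eNULL:!MD5"


def make_ecdhe_server_context(curve=PREFERRED_CURVE):
    """Build a server SSLContext that negotiates ECDHE only.

    Returns (ctx, applied); 'applied' records which ECDH features were
    available, since builds against an OpenSSL without EC may lack them
    and 'import ssl' must still work.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    applied = {"curve": None, "single_ecdh_use": False}

    # Feature-detect instead of assuming: a missing attribute means the
    # interpreter was built against an OpenSSL with ECDH stripped out.
    single_use = getattr(ssl, "OP_SINGLE_ECDH_USE", None)
    if single_use is not None:
        ctx.options |= single_use  # fresh ephemeral EC key per handshake
        applied["single_ecdh_use"] = True

    set_curve = getattr(ctx, "set_ecdh_curve", None)
    if set_curve is not None:
        set_curve(curve)
        applied["curve"] = curve

    ctx.set_ciphers(ECDHE_ONLY)
    return ctx, applied


def key_exchanges(ctx):
    """Key-exchange kinds the context can still negotiate, e.g. {'kx-ecdhe'}."""
    return {c["kea"] for c in ctx.get_ciphers()}


def uses_only_ecdhe(ctx):
    """True when no static-RSA or finite-field DH suite remains enabled.

    'kx-any' is how Python labels TLS 1.3 suites, whose key exchange is
    always ephemeral (EC)DH, so it is accepted too.
    """
    return key_exchanges(ctx) <= {"kx-ecdhe", "kx-any"}
```

On OpenSSL 1.1.0 and later OP_SINGLE_ECDH_USE is always in effect and the flag's value is 0, so setting it is harmless there and only matters on the older releases discussed in this thread.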
Antoine Pitrou pit...@free.fr added the comment:
> So, with this patch it should be possible to strictly enable ciphers such as:
> ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
> ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
> ECDH-RSA-AES256-SHA
naif n...@globaleaks.org added the comment:
The Tor Project is composed of cryptography experts, thus I am opening this
ticket because, with our group, we're implementing Tor2web based on Python,
which has *strict* security requirements for crypto.
The Tor Project heavily uses Python for most of
Antoine Pitrou pit...@free.fr added the comment:
> If you want we can open a discussion within Tor Project to have a
> rational method to define a set of default ciphers considering
> the ratio of security/performance/compatibility.
Why don't you simply define your own default ciphers and call
naif n...@globaleaks.org added the comment:
Created a ticket there for a default-setting:
Python SSL Stack doesn't have a Secure Default set of ciphers
http://bugs.python.org/issue13636
Roundup Robot devn...@psf.upfronthosting.co.za added the comment:
New changeset 8b729d65cfd2 by Antoine Pitrou in branch 'default':
Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman
http://hg.python.org/cpython/rev/8b729d65cfd2
--
nosy: +python-dev
Antoine Pitrou pit...@free.fr added the comment:
Patch now committed in 3.3.
--
resolution: - fixed
stage: patch review - committed/rejected
status: open - closed
New submission from naif n...@globaleaks.org:
Python SSL doesn't support Elliptic Curve ciphers in all versions tested.
This is a serious performance issue because it's not possible to use, as a
server or as a client, the performance improvement provided by ECC-based ciphers.
Nowadays ECC are
naif n...@globaleaks.org added the comment:
Another example for DH and ECC from:
https://github.com/bumptech/stud/blob/master/stud.c
#ifndef OPENSSL_NO_DH
static int init_dh(SSL_CTX *ctx, const char *cert) {
DH *dh;
BIO *bio;
assert(cert);
bio = BIO_new_file(cert, "r");
if
Antoine Pitrou pit...@free.fr added the comment:
It's not obvious to me which APIs should be used to provide such support.
Python mostly uses high-level OpenSSL APIs, and lets OpenSSL load certificates.
Do you want to try writing a patch? General instructions on how to contribute
can be found
naif n...@globaleaks.org added the comment:
Have a look also at DH related ticket: http://bugs.python.org/issue13626
There is a code example of how PHP manages the DH parameter setup with
high-level OpenSSL.
The code must check if the cipher is EC or DH and in that case set up
appropriate
Antoine Pitrou pit...@free.fr added the comment:
Ok, so you are talking specifically about ECDH? Or is there something to be
done for generic EC support?
OpenSSL has a SSL_CTX_set_tmp_dh() function (macro, actually), but it's
undocumented. Best bet is probably to follow ssl/ssltest.c (OpenSSL
naif n...@globaleaks.org added the comment:
This is how the Stud software also enables the use of ECC in OpenSSL TLS
https://github.com/bumptech/stud/pull/61
Changes by Jesús Cea Avión j...@jcea.es:
--
nosy: +jcea