Message 149749 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	naif
Recipients	naif
Date	2011-12-18.13:06:06
SpamBayes Score	5.522654e-07
Marked as misclassified	No
Message-id	<1324213627.05.0.342479471062.issue13626@psf.upfronthosting.co.za>
In-reply-to

Content
Python SSL doesn't support DH ciphers in in all version tested. This is a serious security issue because it's not possible to use as a server or client Perfect Forward Secrecy [1] security provided by DHE and ECDH ciphers . In order to enable DH ciphers the SSL implementation the in the file Modules/_ssl.c, it must issue a DH_generate_parameters() if a cipher is DH. For example PHP handling of DH ciphers, look php-5.3.8/ext/openssl/openssl.c : #if !defined(NO_DH) case OPENSSL_KEYTYPE_DH: { DH *dhpar = DH_generate_parameters(req->priv_key_bits, 2, NULL, NULL); int codes = 0; if (dhpar) { DH_set_method(dhpar, DH_get_default_method()); if (DH_check(dhpar, &codes) && codes == 0 && DH_generate_key(dhpar)) { if (EVP_PKEY_assign_DH(req->priv_key, dhpar)) { return_val = req->priv_key; } } else { DH_free(dhpar); } } } break; #endif default: An important security fix, to support and enable by default DH ciphers has to be done. [1] http://en.wikipedia.org/wiki/Perfect_forward_secrecy

Python SSL doesn't support DH ciphers in in all version tested.

This is a serious security issue because it's not possible to use as a server or client Perfect Forward Secrecy [1] security provided by DHE and ECDH ciphers .

In order to enable DH ciphers the SSL implementation the in the file Modules/_ssl.c, it must issue a DH_generate_parameters() if a cipher is DH.

For example PHP handling of DH ciphers, look php-5.3.8/ext/openssl/openssl.c : 

#if !defined(NO_DH)
                        case OPENSSL_KEYTYPE_DH:
                                {
                                        DH *dhpar = DH_generate_parameters(req->priv_key_bits, 2, NULL, NULL);
                                        int codes = 0;

                                        if (dhpar) {
                                                DH_set_method(dhpar, DH_get_default_method());
                                                if (DH_check(dhpar, &codes) && codes == 0 && DH_generate_key(dhpar)) {
                                                        if (EVP_PKEY_assign_DH(req->priv_key, dhpar)) {
                                                                return_val = req->priv_key;
                                                        }
                                                } else {
                                                        DH_free(dhpar);
                                                }
                                        }
                                }
                                break;
#endif
                        default:


An important security fix, to support and enable by default DH ciphers has to be done.

[1] http://en.wikipedia.org/wiki/Perfect_forward_secrecy

History
Date	User	Action	Args
2011-12-18 13:07:07	naif	set	recipients: + naif
2011-12-18 13:07:07	naif	set	messageid: <1324213627.05.0.342479471062.issue13626@psf.upfronthosting.co.za>
2011-12-18 13:06:06	naif	link	issue13626 messages
2011-12-18 13:06:06	naif	create