Message149749
Python SSL doesn't support DH ciphers in all versions tested.
This is a serious security issue because it's not possible to use, as a server or client, the Perfect Forward Secrecy [1] provided by DHE and ECDH ciphers.
In order to enable DH ciphers, the SSL implementation in the file Modules/_ssl.c must issue a DH_generate_parameters() if a cipher is DH.
For an example of PHP's handling of DH ciphers, look at php-5.3.8/ext/openssl/openssl.c:
#if !defined(NO_DH)
    case OPENSSL_KEYTYPE_DH:
    {
        /* Generate fresh DH parameters of the requested size with generator 2. */
        DH *dhpar = DH_generate_parameters(req->priv_key_bits, 2, NULL, NULL);
        int codes = 0;
        if (dhpar) {
            DH_set_method(dhpar, DH_get_default_method());
            /* Only keep parameters that pass DH_check (no error codes) and
             * from which a key pair can actually be generated. */
            if (DH_check(dhpar, &codes) && codes == 0 && DH_generate_key(dhpar)) {
                if (EVP_PKEY_assign_DH(req->priv_key, dhpar)) {
                    return_val = req->priv_key;
                }
            } else {
                DH_free(dhpar);
            }
        }
    }
    break;
#endif
    default:
An important security fix, to support DH ciphers and enable them by default, has to be done.
[1] http://en.wikipedia.org/wiki/Perfect_forward_secrecy
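An added example, not part of the original report and not code from CPython or PHP, showing what the same concern looks like on the Python side with the ssl module as it exists today: SSLContext.get_ciphers() (Python 3.6+) reports the key-exchange algorithm of every enabled suite, so an application can verify that only forward-secret (ephemeral DH or ECDH) suites remain, and SSLContext.load_dh_params() (Python 3.3+) supplies the DH parameters a server needs before it can negotiate DHE suites at all. The cipher string, the function names and the classification sets are this example's own choices; the DH parameters file path is a placeholder.

```python
import ssl

# Key-exchange identifiers reported by SSLContext.get_ciphers() that provide
# forward secrecy: ephemeral (EC)DH for TLS <= 1.2, and "kx-any" for TLS 1.3
# suites, whose key exchange is always ephemeral (EC)DHE.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}

# Cipher string limited to ephemeral key exchange (this example's choice).
# A server can only negotiate the DHE suites once DH parameters are loaded.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"


def classify_ciphers(ctx):
    """Split the context's enabled suites into (forward_secret, not_forward_secret).

    Suites whose key exchange cannot be identified are treated as not
    forward secret, which is the safe default for an audit.
    """
    forward_secret, not_forward_secret = [], []
    for cipher in ctx.get_ciphers():
        if cipher.get("kea") in FORWARD_SECRET_KX:
            forward_secret.append(cipher["name"])
        else:
            not_forward_secret.append(cipher["name"])
    return forward_secret, not_forward_secret


def make_pfs_server_context(dh_params_path=None):
    """Server context restricted to forward-secret suites.

    dh_params_path: optional path to PEM-encoded DH parameters (for example
    produced by `openssl dhparam`); placeholder, no file is shipped here.
    Without it the DHE suites are selected but cannot be negotiated; the
    ECDHE and TLS 1.3 suites work without it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(PFS_CIPHERS)
    if dh_params_path is not None:
        ctx.load_dh_params(dh_params_path)
    return ctx


def has_non_forward_secret_suites(ctx):
    """True if any enabled suite would negotiate without forward secrecy."""
    _, not_forward_secret = classify_ciphers(ctx)
    return bool(not_forward_secret)


if __name__ == "__main__":
    # Compare the interpreter's default client context with the hardened one.
    for label, ctx in (("default", ssl.create_default_context()),
                       ("pfs-only", make_pfs_server_context())):
        pfs, non_pfs = classify_ciphers(ctx)
        print(f"{label}: {len(pfs)} forward-secret suites, "
              f"{len(non_pfs)} without forward secrecy")
        for name in non_pfs:
            print("  non-PFS:", name)
```

The audit works on the negotiable cipher list only; an actual handshake on a server context additionally needs a certificate (load_cert_chain) and, for the DHE suites, the DH parameters file named above.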

Date | User | Action | Args
2011-12-18 13:07:07 | naif | set | recipients: + naif
2011-12-18 13:07:07 | naif | set | messageid: <1324213627.05.0.342479471062.issue13626@psf.upfronthosting.co.za>
2011-12-18 13:06:06 | naif | link | issue13626 messages
2011-12-18 13:06:06 | naif | create |