Author naif
Recipients naif
Date 2011-12-18.13:06:06
SpamBayes Score 5.52265e-07
Marked as misclassified No
Message-id <1324213627.05.0.342479471062.issue13626@psf.upfronthosting.co.za>
In-reply-to
Content
Python SSL doesn't support DH ciphers in in all version tested.

This is a serious security issue because it's not possible to use as a server or client Perfect Forward Secrecy [1] security provided by DHE and ECDH ciphers .

In order to enable DH ciphers the SSL implementation the in the file Modules/_ssl.c, it must issue a DH_generate_parameters() if a cipher is DH.

For example PHP handling of DH ciphers, look php-5.3.8/ext/openssl/openssl.c : 

#if !defined(NO_DH)
                        case OPENSSL_KEYTYPE_DH:
                                {
                                        DH *dhpar = DH_generate_parameters(req->priv_key_bits, 2, NULL, NULL);
                                        int codes = 0;

                                        if (dhpar) {
                                                DH_set_method(dhpar, DH_get_default_method());
                                                if (DH_check(dhpar, &codes) && codes == 0 && DH_generate_key(dhpar)) {
                                                        if (EVP_PKEY_assign_DH(req->priv_key, dhpar)) {
                                                                return_val = req->priv_key;
                                                        }
                                                } else {
                                                        DH_free(dhpar);
                                                }
                                        }
                                }
                                break;
#endif
                        default:


An important security fix, to support and enable by default DH ciphers has to be done.

[1] http://en.wikipedia.org/wiki/Perfect_forward_secrecy
History
Date User Action Args
2011-12-18 13:07:07naifsetrecipients: + naif
2011-12-18 13:07:07naifsetmessageid: <1324213627.05.0.342479471062.issue13626@psf.upfronthosting.co.za>
2011-12-18 13:06:06naiflinkissue13626 messages
2011-12-18 13:06:06naifcreate