
Author naif
Recipients naif
Date 2011-12-18.13:06:06
Python SSL doesn't support DH ciphers in all versions tested.

This is a serious security issue because it's not possible, as a server or client, to use the Perfect Forward Secrecy [1] security provided by DHE and ECDH ciphers.

In order to enable DH ciphers, the SSL implementation in the file Modules/_ssl.c must issue a DH_generate_parameters() if a cipher is DH.

For an example of PHP's handling of DH ciphers, look at php-5.3.8/ext/openssl/openssl.c:

#if !defined(NO_DH)
    case OPENSSL_KEYTYPE_DH:
        DH *dhpar = DH_generate_parameters(req->priv_key_bits, 2, NULL, NULL);
        int codes = 0;

        if (dhpar) {
            DH_set_method(dhpar, DH_get_default_method());
            if (DH_check(dhpar, &codes) && codes == 0 && DH_generate_key(dhpar)) {
                if (EVP_PKEY_assign_DH(req->priv_key, dhpar)) {
                    return_val = req->priv_key;
                } else {

An important security fix, to support and enable DH ciphers by default, has to be done.
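As an added worked example (not part of the original report or of CPython): a defender-side sanity check of the DH parameter file a server has to supply before DHE suites can be negotiated, the file that later Python versions accept through ssl.SSLContext.load_dh_params(). The minimal DER encoder and parser, the 2048-bit minimum and the RFC 2409 Oakley group 2 prime used as constructed input are this example's own choices, not anything the report specifies.

```python
import base64
import random

# Constructed sample input: the 1024-bit MODP prime of RFC 2409 (Oakley group 2), generator 2.
OAKLEY2_P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
                "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
                "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
                "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

def _der_tlv(tag, body):  # DER tag-length-value; long length form once the body exceeds 127 bytes
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, len(body)]) + body if len(body) < 0x80 else bytes([tag, 0x80 | len(n)]) + n + body

def _der_read(buf, pos=0):  # decode the TLV at pos -> (tag, body, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the count of length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def dhparams_pem(p, g):
    """Serialise (p, g) as the DHparams PEM OpenSSL reads: SEQUENCE { INTEGER p, INTEGER g }."""
    ints = b"".join(_der_tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big")) for i in (p, g))
    b64 = base64.encodebytes(_der_tlv(0x30, ints)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

def is_probable_prime(n, rounds=40):
    """Miller-Rabin: adequate for a configuration sanity check, not a proof of primality."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:  # write n - 1 = d * 2**r with d odd
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        # witness of compositeness: x is neither +-1 nor reaches -1 under repeated squaring
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def check_dh_params(pem):
    """Return the problems found in a DHparams PEM (an empty list means fit for DHE key exchange)."""
    der = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    _, seq, _ = _der_read(der)           # outer SEQUENCE
    _, p_bytes, pos = _der_read(seq)     # INTEGER p
    _, g_bytes, _ = _der_read(seq, pos)  # INTEGER g
    p, g = int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")
    checks = [(p.bit_length() >= 2048, f"p is {p.bit_length()} bits; 2048 or more expected"),
              (is_probable_prime((p - 1) // 2) and is_probable_prime(p), "p is not a safe prime"),
              (1 < g < p - 1, "generator out of range")]
    return [msg for ok, msg in checks if not ok]
```

Running check_dh_params on the constructed Oakley group 2 file reports only its size, since the group is a safe prime but well below the 2048-bit minimum chosen here; a file that passes cleanly is the one worth pointing load_dh_params() at.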

Date                User  Action  Args
2011-12-18 13:07:07 naif  set     recipients: + naif
2011-12-18 13:07:07 naif  set     messageid: <>
2011-12-18 13:06:06 naif  link    issue13626 messages
2011-12-18 13:06:06 naif  create