Hi
I want to implement diffie-hellman negotiation in my python api library. I do not know how to do it. I know that chupaka implemented it in delphi but i do not know this language. Can anyone help ? I know how this mechanism works but explanation on wiki is rather enigmatic.
Looking at Python’s docs on SSL, and the ssl.wrap_socket() in particular, it appears that it’s the same deal as with any other language that uses OpenSSL.
You need to add “ADH” to the list of allowed ciphers (in the “ciphers” parameter) - e.g. “DEFAULT:ADH” - to make certificates preferred, and then allow ADH as a last resort.
Additionally, you must set the “cert_reqs” parameter to “ssl.CERT_OPTIONAL”, in order to allow the omission of the certificate (the previous ADH addition was to allow the cipher algorithm that just so happens to be used when no certificate is provided).
If you want to support certificates, you must also somehow enable the user to fill in the “ca_certs” parameter. IDEALLY, you’d allow the user to explicitly specify whether they want to require a certificate (if they need better security; you don’t want to HAVE a certificate, only to then have your API application be fooled by an impostor that has ADH pseudo server), or if they want to connect using ADH.
Thx a lot. That was verry helpfull.