OpenSSLCertificateOptions doesn’t support DHE
Reported by: hynek | Owned by: hynek
Our TLS currently supports only RSA for key exchange. For perfect forward secrecy we need DHE (and later ECDH, but baby steps).
pyOpenSSL supports the necessary APIs, basically all one needs is:
- a temporary DH file (can be created using openssl dhparam -rand - 1024 >tmp_dh_file)
- call ctx.load_tmp_dh('tmp_dh_file') on it.
I’ve got a PoC working. I would tackle this as soon as #6663 is resolved since it doesn’t make much sense without.
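As an added example (my own code, not the PoC from this ticket nor anything from Twisted or pyOpenSSL), here are the two steps above with the check a deployer wants before step 2: parse the PKCS#3 DH parameter PEM that openssl dhparam writes, refuse a modulus smaller than 2048 bits, then load it with load_tmp_dh and restrict the cipher list to forward-secret suites. The names build_dh_pem, dh_param_numbers, make_dhe_context and MIN_DH_BITS are mine; the 2048-bit cut-off is my assumption, not the ticket's.

```python
import base64
import re

MIN_DH_BITS = 2048  # my cut-off: the ticket's 1024-bit example is too weak today
_PEM = re.compile(rb"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _len_enc(n):  # DER length encoding (short form below 0x80, long form above)
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _len_dec(buf, pos):  # DER length decoding; returns (length, next position)
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _int_enc(n):  # DER INTEGER; the +8 keeps a 0x00 pad byte when the top bit is set
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _len_enc(len(raw)) + raw

def _int_dec(buf, pos):  # DER INTEGER; returns (value, next position)
    if buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    length, pos = _len_dec(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length

def build_dh_pem(p, g=2):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    body = _int_enc(p) + _int_enc(g)
    der = b"\x30" + _len_enc(len(body)) + body
    return b"-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der) + b"-----END DH PARAMETERS-----\n"

def dh_param_numbers(pem):
    """Return (p, g) from the PEM file that `openssl dhparam` writes (step 1 of the ticket)."""
    m = _PEM.search(pem)
    if m is None:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode(b"".join(m.group(1).split()))
    if der[:1] != b"\x30":
        raise ValueError("expected DER SEQUENCE")
    _, pos = _len_dec(der, 1)
    p, pos = _int_dec(der, pos)
    return p, _int_dec(der, pos)[0]

def make_dhe_context(dh_path, min_bits=MIN_DH_BITS):
    """Step 2 of the ticket, guarded: check the modulus size, then load_tmp_dh and prefer PFS suites."""
    with open(dh_path, "rb") as f:
        p, _ = dh_param_numbers(f.read())
    if p.bit_length() < min_bits:
        raise ValueError("DH modulus is %d bits, need >= %d" % (p.bit_length(), min_bits))
    from OpenSSL import SSL  # pyOpenSSL; imported here so the size check runs without it
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_SINGLE_DH_USE)
    ctx.load_tmp_dh(dh_path)
    ctx.set_cipher_list(b"ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL")
    return ctx
```

The context only offers DHE/ECDHE suites, so a peer that cannot do forward secrecy fails the handshake rather than silently falling back to plain RSA key exchange.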