From 9b4338146ed82b4b1ae3f69050e5b67cdd3f084e Mon Sep 17 00:00:00 2001 From: Alberto Sottile Date: Thu, 7 Feb 2019 15:34:43 +0100 Subject: [PATCH] startTLS: enable Diffie-Hellman based key exchange on server Following the guidelines reported in the Twisted documentation here https://twistedmatrix.com/documents/current/core/howto/ssl.html this commit enables Diffie-Hellman based key exchange on the server. Before launching the server, a parameters .pem file must be generated as detailed in https://twistedmatrix.com/documents/18.9.0/api/twisted.internet.ssl.DiffieHellmanParameters.html by running `openssl dhparam -out dh_param_1024.pem -2 1024` on the server machine. This parameters file must be placed in the same path that contains the server certificates. --- syncplay/server.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/syncplay/server.py b/syncplay/server.py index 86d9c97..cdf24c8 100755 --- a/syncplay/server.py +++ b/syncplay/server.py @@ -13,6 +13,7 @@ from twisted.internet.protocol import Factory try: from OpenSSL import crypto from twisted.internet import ssl + from twisted.python.filepath import FilePath except: pass @@ -213,8 +214,12 @@ class SyncFactory(Factory): certifpyssl = crypto.load_certificate(crypto.FILETYPE_PEM, certif) chainpyssl = [crypto.load_certificate(crypto.FILETYPE_PEM, chain)] + dhFilePath = FilePath(path+'/dh_param_1024.pem') + dhParams = ssl.DiffieHellmanParameters.fromFile(dhFilePath) + contextFactory = ssl.CertificateOptions(privateKey=privkeypyssl, certificate=certifpyssl, - extraCertChain=chainpyssl, raiseMinimumTo=ssl.TLSVersion.TLSv1_2) + extraCertChain=chainpyssl, dhParameters=dhParams, + raiseMinimumTo=ssl.TLSVersion.TLSv1_2) self.options = contextFactory except Exception as e: print(e)
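Review bot: In the second hunk the DH parameters are loaded unconditionally ahead of `ssl.CertificateOptions`, so a deployment that has its certificates in place but no `dh_param_1024.pem` now fails the whole `try` block; as far as this hunk shows `self.options = contextFactory` is then skipped and the only trace is the `print(e)` in the `except`, whereas before this change the same deployment served TLS. Make the file optional so the fallback is explicit: `dhParams = None`, then `if dhFilePath.exists():` guarding `dhParams = ssl.DiffieHellmanParameters.fromFile(dhFilePath)`, and keep passing `dhParameters=dhParams` (the keyword accepts `None`); alternatively, log a clear "no DH parameters file found" message instead of letting the generic handler swallow it. The hard-coded name also bakes the 1024-bit size into the code while 2048-bit parameters are the generally recommended minimum today; a size-neutral name such as `dh_param.pem` would let operators regenerate stronger parameters without touching the server. `path+'/dh_param_1024.pem'` would read better as `os.path.join(path, ...)` if `os` is already imported in this module. The enclosing method starts and ends outside the hunk.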