Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / 0e576f1f50df1201c56bff7573ab8576e8ab2041^! / . / Doc / library
commit0e576f1f50df1201c56bff7573ab8576e8ab2041[log] [tgz]
authorAntoine Pitrou <solipsis@pitrou.net>Thu Dec 22 10:03:38 2011 +0100
committerAntoine Pitrou <solipsis@pitrou.net>Thu Dec 22 10:03:38 2011 +0100
treee6934d5a26fc1b6604b79046877b788cd75b22f4
parent5ad1af076c3e2b888c8b9401efe1201738e9962c [diff]
Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the
SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option.

diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 9b3306c..0525e89 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst

@@ -428,9 +428,17 @@
 
    .. versionadded:: 3.3
 
+.. data:: OP_SINGLE_DH_USE
+
+   Prevents re-use of the same DH key for distinct SSL sessions.  This
+   improves forward secrecy but requires more computational resources.
+   This option only applies to server sockets.
+
+   .. versionadded:: 3.3
+
 .. data:: OP_SINGLE_ECDH_USE
 
-   Prevents re-use of the same ECDH key for several SSL sessions.  This
+   Prevents re-use of the same ECDH key for distinct SSL sessions.  This
    improves forward secrecy but requires more computational resources.
    This option only applies to server sockets.
 
@@ -707,12 +715,24 @@
       when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
       give the currently selected cipher.
 
+.. method:: SSLContext.load_dh_params(dhfile)
+
+   Load the key generation parameters for Diffie-Helman (DH) key exchange.
+   Using DH key exchange improves forward secrecy at the expense of
+   computational resources (both on the server and on the client).
+   The *dhfile* parameter should be the path to a file containing DH
+   parameters in PEM format.
+
+   This setting doesn't apply to client sockets.  You can also use the
+   :data:`OP_SINGLE_DH_USE` option to further improve security.
+
+   .. versionadded:: 3.3
+
 .. method:: SSLContext.set_ecdh_curve(curve_name)
 
-   Set the curve name for Elliptic Curve-based Diffie-Hellman (abbreviated
-   ECDH) key exchange.  Using Diffie-Hellman key exchange improves forward
-   secrecy at the expense of computational resources (both on the server and
-   on the client).  The *curve_name* parameter should be a string describing
+   Set the curve name for Elliptic Curve-based Diffie-Hellman (ECDH) key
+   exchange.  ECDH is significantly faster than regular DH while arguably
+   as secure.  The *curve_name* parameter should be a string describing
    a well-known elliptic curve, for example ``prime256v1`` for a widely
    supported curve.