Versions of Python greater than 3.10 require a larger Diffie-Hellman (DH) key than what Tableau Server uses #1582
Comments
|
Thank you for bringing this to our attention, we have this under our radar now. |
|
You're welcome.
Can you please let me know if Tableau agrees the DH Key is too short?
Or, if you all think the key is sufficiently secure, can you provide an explanation I can share with my security team?
Thank you again,
Joe
From: stephendeoca ***@***.***>
Sent: Thursday, March 20, 2025 6:36 PM
To: tableau/server-client-python ***@***.***>
Cc: Cornibe, Joseph ***@***.***>; Author ***@***.***>
Subject: Re: [tableau/server-client-python] Versions of Python greater than 3.10 require a larger Diffie-Hellman (DH) key than what Tableau Server uses (Issue #1582)
You don't often get email from ***@***.*** Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
Thank you for bringing this to our attention, we have this under our radar now.
-
Reply to this email directly, view it on GitHub<#1582 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMOUH5F3XZA5D3FXW4U5DKL2VM7DFAVCNFSM6AAAAABZILSXMGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONBRHAYTIMRYGM>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
[Image removed by sender. stephendeoca]stephendeoca left a comment (tableau/server-client-python#1582)<#1582 (comment)>
Thank you for bringing this to our attention, we have this under our radar now.
-
Reply to this email directly, view it on GitHub<#1582 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMOUH5F3XZA5D3FXW4U5DKL2VM7DFAVCNFSM6AAAAABZILSXMGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONBRHAYTIMRYGM>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, forwarding, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
|
|
I have a proposed PR and will do some testing with some different server versions. |
|
Thank you, Brian.
If it's helpful, I've attached a correspondence about DH key length with Salesforce Security. They will try to increase the key length at some point.
Thank you again,
Joe
From: Brian Cantoni ***@***.***>
Sent: Tuesday, April 22, 2025 12:10 AM
To: tableau/server-client-python ***@***.***>
Cc: Cornibe, Joseph ***@***.***>; Author ***@***.***>
Subject: Re: [tableau/server-client-python] Versions of Python greater than 3.10 require a larger Diffie-Hellman (DH) key than what Tableau Server uses (Issue #1582)
You don't often get email from ***@***.*** Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
I have a proposed PR and will do some testing with some different server versions.
-
Reply to this email directly, view it on GitHub<#1582 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMOUH5BOR7DWYDJKBFRY2ED22W6KPAVCNFSM6AAAAABZILSXMGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMRQGAYTCMJTGI>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
[Image removed by sender.]bcantoni left a comment (tableau/server-client-python#1582)<#1582 (comment)>
I have a proposed PR and will do some testing with some different server versions.
-
Reply to this email directly, view it on GitHub<#1582 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMOUH5BOR7DWYDJKBFRY2ED22W6KPAVCNFSM6AAAAABZILSXMGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMRQGAYTCMJTGI>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, forwarding, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
|
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Hi, folks.
Here's the bug description:
Current versions of Python (3.12 and above) don't like Tableau Server's (e.g., version 2024.2) Diffie-Hellman key. This causes problems with Tableau Server Client Python, regardless of the TSC version. It's newer Python requiring a stronger DH key than what Tableau Server provides.
Here's more details and a suggestion for Tableau to increase the DH key in Tableau Server: https://ideas.salesforce.com/s/idea/a0BHp000016Klv0MAC/tableau-should-increase-the-size-of-its-diffiehellman-dh-key-exchange.
Here's the environment information:
Python Info:
Python Version: 3.10.5 (tags/v3.10.5:f377153, Jun 6 2022, 16:14:13) [MSC v.1929 64 bit (AMD64)]
Tableau Server Client Version: 0.17.0
Tableau Info:
Tableau Server Version: 2024.2.1
Tableau Server Build: 20242.24.0719.1101
REST API Version: 3.23
Here's how to reproduce this:
Here is the error message: "in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1000). Tableau Sever is not secure enough for the SSL connection with Python."
Resolution
This foremost should be resolved in Tableau Server by increasing the size of the DH key there.
In the meantime, I'm wondering if TSC has a preferred work-around to add to future versions of TSC. For example, lowering the default SSL security level in Python if an initial SSL handshake fails. I'm interested in feedback from Tableau and TSC developers on how concerned they are about this issue and if it's something that needs to be made more secure.
Thank you,
Joe
The text was updated successfully, but these errors were encountered: