Versions of Python greater than 3.10 require a larger Diffie-Hellman (DH) key than what Tableau Server uses

[joecornibe]

Hi, folks.

Here's the bug description:
Current versions of Python (3.12 and above) don't like Tableau Server's (e.g., version 2024.2) Diffie-Hellman key. This causes problems with Tableau Server Client Python, regardless of the TSC version. It's newer Python requiring a stronger DH key than what Tableau Server provides.

Here's more details and a suggestion for Tableau to increase the DH key in Tableau Server: https://ideas.salesforce.com/s/idea/a0BHp000016Klv0MAC/tableau-should-increase-the-size-of-its-diffiehellman-dh-key-exchange.

Here's the environment information:
Python Info:
Python Version: 3.10.5 (tags/v3.10.5:f377153, Jun 6 2022, 16:14:13) [MSC v.1929 64 bit (AMD64)]
Tableau Server Client Version: 0.17.0
Tableau Info:
Tableau Server Version: 2024.2.1
Tableau Server Build: 20242.24.0719.1101
REST API Version: 3.23

Here's how to reproduce this:

1. Use Python version greater than 3.10. I don't get the error when I use Python 3.10.5. I do get the error when I use Python version 3.12. Have Python 3.12 or greater authenticate into Tableau Server's REST API, and Python generates an error with the SSL handshake.

Here is the error message: "in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1000). Tableau Sever is not secure enough for the SSL connection with Python."

Resolution
This foremost should be resolved in Tableau Server by increasing the size of the DH key there.

In the meantime, I'm wondering if TSC has a preferred work-around to add to future versions of TSC. For example, lowering the default SSL security level in Python if an initial SSL handshake fails. I'm interested in feedback from Tableau and TSC developers on how concerned they are about this issue and if it's something that needs to be made more secure.

Thank you,
Joe

[stephendeoca]

Thank you for bringing this to our attention, we have this under our radar now.

[joecornibe]

You're welcome. Can you please let me know if Tableau agrees the DH Key is too short? Or, if you all think the key is sufficiently secure, can you provide an explanation I can share with my security team? Thank you again, Joe From: stephendeoca ***@***.***> Sent: Thursday, March 20, 2025 6:36 PM To: tableau/server-client-python ***@***.***> Cc: Cornibe, Joseph ***@***.***>; Author ***@***.***> Subject: Re: [tableau/server-client-python] Versions of Python greater than 3.10 require a larger Diffie-Hellman (DH) key than what Tableau Server uses (Issue #1582) You don't often get email from ***@***.*** Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Thank you for bringing this to our attention, we have this under our radar now. - Reply to this email directly, view it on GitHub<#1582 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMOUH5F3XZA5D3FXW4U5DKL2VM7DFAVCNFSM6AAAAABZILSXMGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONBRHAYTIMRYGM>. You are receiving this because you authored the thread.Message ID: ***@***.***> [Image removed by sender. stephendeoca]stephendeoca left a comment (tableau/server-client-python#1582)<#1582 (comment)> Thank you for bringing this to our attention, we have this under our radar now. - Reply to this email directly, view it on GitHub<#1582 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMOUH5F3XZA5D3FXW4U5DKL2VM7DFAVCNFSM6AAAAABZILSXMGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDONBRHAYTIMRYGM>. You are receiving this because you authored the thread.Message ID: ***@***.***> Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, forwarding, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.