update TLS defaults: signature hash and DH params
* SHA1 is deprecated (use SHA256)
* increase RSA key to 2048 bits
* increase DH params to 4096 bits (LogJam attack)
parent
f7b75ba8c2
commit
041ca5c499
|
@ -8,15 +8,25 @@ import OpenSSL
|
||||||
|
|
||||||
DEFAULT_EXP = 157680000 # = 24 * 60 * 60 * 365 * 5
|
DEFAULT_EXP = 157680000 # = 24 * 60 * 60 * 365 * 5
|
||||||
# Generated with "openssl dhparam". It's too slow to generate this on startup.
|
# Generated with "openssl dhparam". It's too slow to generate this on startup.
|
||||||
DEFAULT_DHPARAM = """-----BEGIN DH PARAMETERS-----
|
DEFAULT_DHPARAM = """
|
||||||
MIGHAoGBAOdPzMbYgoYfO3YBYauCLRlE8X1XypTiAjoeCFD0qWRx8YUsZ6Sj20W5
|
-----BEGIN DH PARAMETERS-----
|
||||||
zsfQxlZfKovo3f2MftjkDkbI/C/tDgxoe0ZPbjy5CjdOhkzxn0oTbKTs16Rw8DyK
|
MIICCAKCAgEAyT6LzpwVFS3gryIo29J5icvgxCnCebcdSe/NHMkD8dKJf8suFCg3
|
||||||
1LjTR65sQJkJEdgsX8TSi/cicCftJZl9CaZEaObF2bdgSgGK+PezAgEC
|
O2+dguLakSVif/t6dhImxInJk230HmfC8q93hdcg/j8rLGJYDKu3ik6H//BAHKIv
|
||||||
-----END DH PARAMETERS-----"""
|
j5O9yjU3rXCfmVJQic2Nne39sg3CreAepEts2TvYHhVv3TEAzEqCtOuTjgDv0ntJ
|
||||||
|
Gwpj+BJBRQGG9NvprX1YGJ7WOFBP/hWU7d6tgvE6Xa7T/u9QIKpYHMIkcN/l3ZFB
|
||||||
|
chZEqVlyrcngtSXCROTPcDOQ6Q8QzhaBJS+Z6rcsd7X+haiQqvoFcmaJ08Ks6LQC
|
||||||
|
ZIL2EtYJw8V8z7C0igVEBIADZBI6OTbuuhDwRw//zU1uq52Oc48CIZlGxTYG/Evq
|
||||||
|
o9EWAXUYVzWkDSTeBH1r4z/qLPE2cnhtMxbFxuvK53jGB0emy2y1Ei6IhKshJ5qX
|
||||||
|
IB/aE7SSHyQ3MDHHkCmQJCsOd4Mo26YX61NZ+n501XjqpCBQ2+DfZCBh8Va2wDyv
|
||||||
|
A2Ryg9SUz8j0AXViRNMJgJrr446yro/FuJZwnQcO3WQnXeqSBnURqKjmqkeFP+d8
|
||||||
|
6mk2tqJaY507lRNqtGlLnj7f5RNoBFJDCLBNurVgfvq9TCVWKDIFD4vZRjCrnl6I
|
||||||
|
rD693XKIHUCWOjMh1if6omGXKHH40QuME2gNa50+YPn1iYDl88uDbbMCAQI=
|
||||||
|
-----END DH PARAMETERS-----
|
||||||
|
"""
|
||||||
|
|
||||||
def create_ca(o, cn, exp):
|
def create_ca(o, cn, exp):
|
||||||
key = OpenSSL.crypto.PKey()
|
key = OpenSSL.crypto.PKey()
|
||||||
key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)
|
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
|
||||||
cert = OpenSSL.crypto.X509()
|
cert = OpenSSL.crypto.X509()
|
||||||
cert.set_serial_number(int(time.time()*10000))
|
cert.set_serial_number(int(time.time()*10000))
|
||||||
cert.set_version(2)
|
cert.set_version(2)
|
||||||
|
@ -39,7 +49,7 @@ def create_ca(o, cn, exp):
|
||||||
OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
|
OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
|
||||||
subject=cert),
|
subject=cert),
|
||||||
])
|
])
|
||||||
cert.sign(key, "sha1")
|
cert.sign(key, "sha256")
|
||||||
return key, cert
|
return key, cert
|
||||||
|
|
||||||
|
|
||||||
|
@ -69,7 +79,7 @@ def dummy_cert(privkey, cacert, commonname, sans):
|
||||||
cert.set_version(2)
|
cert.set_version(2)
|
||||||
cert.add_extensions([OpenSSL.crypto.X509Extension("subjectAltName", False, ss)])
|
cert.add_extensions([OpenSSL.crypto.X509Extension("subjectAltName", False, ss)])
|
||||||
cert.set_pubkey(cacert.get_pubkey())
|
cert.set_pubkey(cacert.get_pubkey())
|
||||||
cert.sign(privkey, "sha1")
|
cert.sign(privkey, "sha256")
|
||||||
return SSLCert(cert)
|
return SSLCert(cert)
|
||||||
|
|
||||||
|
|
||||||
|
@ -124,7 +134,7 @@ class CertStore(object):
|
||||||
"""
|
"""
|
||||||
Implements an in-memory certificate store.
|
Implements an in-memory certificate store.
|
||||||
"""
|
"""
|
||||||
def __init__(self, default_privatekey, default_ca, default_chain_file, dhparams=None):
|
def __init__(self, default_privatekey, default_ca, default_chain_file, dhparams):
|
||||||
self.default_privatekey = default_privatekey
|
self.default_privatekey = default_privatekey
|
||||||
self.default_ca = default_ca
|
self.default_ca = default_ca
|
||||||
self.default_chain_file = default_chain_file
|
self.default_chain_file = default_chain_file
|
||||||
|
@ -296,7 +306,7 @@ class SSLCert(object):
|
||||||
self.x509 = cert
|
self.x509 = cert
|
||||||
|
|
||||||
def __eq__(self, other):
|
def __eq__(self, other):
|
||||||
return self.digest("sha1") == other.digest("sha1")
|
return self.digest("sha256") == other.digest("sha256")
|
||||||
|
|
||||||
def __ne__(self, other):
|
def __ne__(self, other):
|
||||||
return not self.__eq__(other)
|
return not self.__eq__(other)
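Review bot: In `CertStore.__init__`, `dhparams` loses its `None` default, so any caller that still builds the store with three arguments now fails with a TypeError, while a caller can still pass `None` explicitly and nothing in the visible lines rejects it. The call sites and the rest of `__init__` are outside these hunks, so I cannot confirm they were all updated. If the intent is that a store never exists without DH parameters, an explicit guard such as `if dhparams is None: raise ValueError("dhparams is required")` would enforce it. The class docstring should also gain a line saying the argument is mandatory and what form it takes.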
|
||||||
|
|
|
@ -1,5 +1,13 @@
|
||||||
-----BEGIN DH PARAMETERS-----
|
-----BEGIN DH PARAMETERS-----
|
||||||
MIGHAoGBAOdPzMbYgoYfO3YBYauCLRlE8X1XypTiAjoeCFD0qWRx8YUsZ6Sj20W5
|
MIICCAKCAgEAyT6LzpwVFS3gryIo29J5icvgxCnCebcdSe/NHMkD8dKJf8suFCg3
|
||||||
zsfQxlZfKovo3f2MftjkDkbI/C/tDgxoe0ZPbjy5CjdOhkzxn0oTbKTs16Rw8DyK
|
O2+dguLakSVif/t6dhImxInJk230HmfC8q93hdcg/j8rLGJYDKu3ik6H//BAHKIv
|
||||||
1LjTR65sQJkJEdgsX8TSi/cicCftJZl9CaZEaObF2bdgSgGK+PezAgEC
|
j5O9yjU3rXCfmVJQic2Nne39sg3CreAepEts2TvYHhVv3TEAzEqCtOuTjgDv0ntJ
|
||||||
|
Gwpj+BJBRQGG9NvprX1YGJ7WOFBP/hWU7d6tgvE6Xa7T/u9QIKpYHMIkcN/l3ZFB
|
||||||
|
chZEqVlyrcngtSXCROTPcDOQ6Q8QzhaBJS+Z6rcsd7X+haiQqvoFcmaJ08Ks6LQC
|
||||||
|
ZIL2EtYJw8V8z7C0igVEBIADZBI6OTbuuhDwRw//zU1uq52Oc48CIZlGxTYG/Evq
|
||||||
|
o9EWAXUYVzWkDSTeBH1r4z/qLPE2cnhtMxbFxuvK53jGB0emy2y1Ei6IhKshJ5qX
|
||||||
|
IB/aE7SSHyQ3MDHHkCmQJCsOd4Mo26YX61NZ+n501XjqpCBQ2+DfZCBh8Va2wDyv
|
||||||
|
A2Ryg9SUz8j0AXViRNMJgJrr446yro/FuJZwnQcO3WQnXeqSBnURqKjmqkeFP+d8
|
||||||
|
6mk2tqJaY507lRNqtGlLnj7f5RNoBFJDCLBNurVgfvq9TCVWKDIFD4vZRjCrnl6I
|
||||||
|
rD693XKIHUCWOjMh1if6omGXKHH40QuME2gNa50+YPn1iYDl88uDbbMCAQI=
|
||||||
-----END DH PARAMETERS-----
|
-----END DH PARAMETERS-----
|
||||||
|
|