Grasscutters/mitmproxy
3
0
Fork 0
mirror of https://github.com/Grasscutters/mitmproxy.git synced 2024-11-23 08:11:00 +00:00
Code Issues Projects Releases Wiki Activity

update TLS defaults: signature hash and DH params

Browse Source 
* SHA1 is deprecated (use SHA256)
* increase RSA key to 2048 bits
* increase DH params to 4096 bits (LogJam attack)
This commit is contained in:
Thomas Kriechbaumer 2015-05-27 10:53:23 +02:00
parent f7b75ba8c2
commit 041ca5c499
2 changed files with 32 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
netlib/certutils.py
View File

@ -8,15 +8,25 @@ import OpenSSL
DEFAULT_EXP = 157680000 # = 24 * 60 * 60 * 365 * 5 DEFAULT_EXP = 157680000 # = 24 * 60 * 60 * 365 * 5
# Generated with "openssl dhparam". It's too slow to generate this on startup. # Generated with "openssl dhparam". It's too slow to generate this on startup.
DEFAULT_DHPARAM = """-----BEGIN DH PARAMETERS----- DEFAULT_DHPARAM = """
MIGHAoGBAOdPzMbYgoYfO3YBYauCLRlE8X1XypTiAjoeCFD0qWRx8YUsZ6Sj20W5 -----BEGIN DH PARAMETERS-----
zsfQxlZfKovo3f2MftjkDkbI/C/tDgxoe0ZPbjy5CjdOhkzxn0oTbKTs16Rw8DyK MIICCAKCAgEAyT6LzpwVFS3gryIo29J5icvgxCnCebcdSe/NHMkD8dKJf8suFCg3
1LjTR65sQJkJEdgsX8TSi/cicCftJZl9CaZEaObF2bdgSgGK+PezAgEC O2+dguLakSVif/t6dhImxInJk230HmfC8q93hdcg/j8rLGJYDKu3ik6H//BAHKIv
-----END DH PARAMETERS-----""" j5O9yjU3rXCfmVJQic2Nne39sg3CreAepEts2TvYHhVv3TEAzEqCtOuTjgDv0ntJ
Gwpj+BJBRQGG9NvprX1YGJ7WOFBP/hWU7d6tgvE6Xa7T/u9QIKpYHMIkcN/l3ZFB
chZEqVlyrcngtSXCROTPcDOQ6Q8QzhaBJS+Z6rcsd7X+haiQqvoFcmaJ08Ks6LQC
ZIL2EtYJw8V8z7C0igVEBIADZBI6OTbuuhDwRw//zU1uq52Oc48CIZlGxTYG/Evq
o9EWAXUYVzWkDSTeBH1r4z/qLPE2cnhtMxbFxuvK53jGB0emy2y1Ei6IhKshJ5qX
IB/aE7SSHyQ3MDHHkCmQJCsOd4Mo26YX61NZ+n501XjqpCBQ2+DfZCBh8Va2wDyv
A2Ryg9SUz8j0AXViRNMJgJrr446yro/FuJZwnQcO3WQnXeqSBnURqKjmqkeFP+d8
6mk2tqJaY507lRNqtGlLnj7f5RNoBFJDCLBNurVgfvq9TCVWKDIFD4vZRjCrnl6I
rD693XKIHUCWOjMh1if6omGXKHH40QuME2gNa50+YPn1iYDl88uDbbMCAQI=
-----END DH PARAMETERS-----
"""
def create_ca(o, cn, exp): def create_ca(o, cn, exp):
key = OpenSSL.crypto.PKey() key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024) key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
cert = OpenSSL.crypto.X509() cert = OpenSSL.crypto.X509()
cert.set_serial_number(int(time.time()*10000)) cert.set_serial_number(int(time.time()*10000))
cert.set_version(2) cert.set_version(2)
@ -39,7 +49,7 @@ def create_ca(o, cn, exp):
OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
subject=cert), subject=cert),
]) ])
cert.sign(key, "sha1") cert.sign(key, "sha256")
return key, cert return key, cert
@ -69,7 +79,7 @@ def dummy_cert(privkey, cacert, commonname, sans):
cert.set_version(2) cert.set_version(2)
cert.add_extensions([OpenSSL.crypto.X509Extension("subjectAltName", False, ss)]) cert.add_extensions([OpenSSL.crypto.X509Extension("subjectAltName", False, ss)])
cert.set_pubkey(cacert.get_pubkey()) cert.set_pubkey(cacert.get_pubkey())
cert.sign(privkey, "sha1") cert.sign(privkey, "sha256")
return SSLCert(cert) return SSLCert(cert)
@ -124,7 +134,7 @@ class CertStore(object):
""" """
Implements an in-memory certificate store. Implements an in-memory certificate store.
""" """
def __init__(self, default_privatekey, default_ca, default_chain_file, dhparams=None): def __init__(self, default_privatekey, default_ca, default_chain_file, dhparams):
self.default_privatekey = default_privatekey self.default_privatekey = default_privatekey
self.default_ca = default_ca self.default_ca = default_ca
self.default_chain_file = default_chain_file self.default_chain_file = default_chain_file
@ -148,7 +158,7 @@ class CertStore(object):
) )
dh = OpenSSL.SSL._ffi.gc(dh, OpenSSL.SSL._lib.DH_free) dh = OpenSSL.SSL._ffi.gc(dh, OpenSSL.SSL._lib.DH_free)
return dh return dh
@classmethod @classmethod
def from_store(cls, path, basename): def from_store(cls, path, basename):
ca_path = os.path.join(path, basename + "-ca.pem") ca_path = os.path.join(path, basename + "-ca.pem")
@ -296,7 +306,7 @@ class SSLCert(object):
self.x509 = cert self.x509 = cert
def __eq__(self, other): def __eq__(self, other):
return self.digest("sha1") == other.digest("sha1") return self.digest("sha256") == other.digest("sha256")
def __ne__(self, other): def __ne__(self, other):
return not self.__eq__(other) return not self.__eq__(other)

14
test/data/dhparam.pem
View File

@ -1,5 +1,13 @@
-----BEGIN DH PARAMETERS----- -----BEGIN DH PARAMETERS-----
MIGHAoGBAOdPzMbYgoYfO3YBYauCLRlE8X1XypTiAjoeCFD0qWRx8YUsZ6Sj20W5 MIICCAKCAgEAyT6LzpwVFS3gryIo29J5icvgxCnCebcdSe/NHMkD8dKJf8suFCg3
zsfQxlZfKovo3f2MftjkDkbI/C/tDgxoe0ZPbjy5CjdOhkzxn0oTbKTs16Rw8DyK O2+dguLakSVif/t6dhImxInJk230HmfC8q93hdcg/j8rLGJYDKu3ik6H//BAHKIv
1LjTR65sQJkJEdgsX8TSi/cicCftJZl9CaZEaObF2bdgSgGK+PezAgEC j5O9yjU3rXCfmVJQic2Nne39sg3CreAepEts2TvYHhVv3TEAzEqCtOuTjgDv0ntJ
Gwpj+BJBRQGG9NvprX1YGJ7WOFBP/hWU7d6tgvE6Xa7T/u9QIKpYHMIkcN/l3ZFB
chZEqVlyrcngtSXCROTPcDOQ6Q8QzhaBJS+Z6rcsd7X+haiQqvoFcmaJ08Ks6LQC
ZIL2EtYJw8V8z7C0igVEBIADZBI6OTbuuhDwRw//zU1uq52Oc48CIZlGxTYG/Evq
o9EWAXUYVzWkDSTeBH1r4z/qLPE2cnhtMxbFxuvK53jGB0emy2y1Ei6IhKshJ5qX
IB/aE7SSHyQ3MDHHkCmQJCsOd4Mo26YX61NZ+n501XjqpCBQ2+DfZCBh8Va2wDyv
A2Ryg9SUz8j0AXViRNMJgJrr446yro/FuJZwnQcO3WQnXeqSBnURqKjmqkeFP+d8
6mk2tqJaY507lRNqtGlLnj7f5RNoBFJDCLBNurVgfvq9TCVWKDIFD4vZRjCrnl6I
rD693XKIHUCWOjMh1if6omGXKHH40QuME2gNa50+YPn1iYDl88uDbbMCAQI=
-----END DH PARAMETERS----- -----END DH PARAMETERS-----