id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
141	use better SSL certificates	Brian Warner	Brian Warner	"I was disappointed to see that a default foolscap certificate is using MD5
and RSA with 1024-bit pubkey keys, both of which are definitely behind the
curve as far as modern crypto practices go. (several collisions have already
been found for MD5, although what Foolscap really cares about are preimage
attacks, and as far as I've heard nobody's found one of those yet):

{{{
% python
>>> import foolscap
>>> foolscap.Tub(certFile=""foo.pem"")
<Tub id=lj37uywdnuoeghujdjnu7l5sxcxmzaoz>
>>> ^D
% openssl x509 -in foo.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 132 (0x84)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=newpb_thingy
        Validity
            Not Before: Oct  7 23:02:55 2009 GMT
            Not After : Oct  7 23:02:55 2010 GMT
        Subject: CN=newpb_thingy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
 ...
}}}

I was expecting a modern OpenSSL to choose better defaults (this was tested
both on my OS-X 10.6 box and on a recent debian/sid system).

I don't know offhand how to tell python-openssl to use something better.
"	defect	closed	major	0.8.0	unknown	0.4.1	fixed	security	davidsarah