Opened 17 years ago
Last modified 11 years ago
#141 closed defect
use better SSL certificates — at Initial Version
| Reported by: | Brian Warner | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 0.8.0 |
| Component: | unknown | Version: | 0.4.1 |
| Keywords: | security | Cc: | davidsarah |
Description
I was disappointed to see that a default foolscap certificate is using MD5 and RSA with 1024-bit pubkey keys, both of which are definitely behind the curve as far as modern crypto practices go. (several collisions have already been found for MD5, although what Foolscap really cares about are preimage attacks, and as far as I've heard nobody's found one of those yet):
```
% python
>>> import foolscap
>>> foolscap.Tub(certFile="foo.pem")
<Tub id=lj37uywdnuoeghujdjnu7l5sxcxmzaoz>
>>> ^D
% openssl x509 -in foo.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 132 (0x84)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=newpb_thingy
        Validity
            Not Before: Oct 7 23:02:55 2009 GMT
            Not After : Oct 7 23:02:55 2010 GMT
        Subject: CN=newpb_thingy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
...
```
I was expecting a modern OpenSSL to choose better defaults (this was tested both on my OS-X 10.6 box and on a recent debian/sid system).
I don't know offhand how to tell python-openssl to use something better.
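A check for the two properties this ticket complains about, run over `openssl x509 -text` output. This is an added example, not part of the original ticket or of Foolscap; the function name, the list of weak digests and the 2048-bit minimum are assumptions made here.

```python
import re

# Thresholds are assumptions for this example, not values from the ticket.
WEAK_HASHES = {"md2", "md4", "md5", "sha1"}
MIN_RSA_BITS = 2048

HASH_RE = re.compile(r"(md2|md4|md5|sha1|sha224|sha256|sha384|sha512)", re.I)
SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
KEYALG_RE = re.compile(r"Public Key Algorithm:\s*(\S+)")
BITS_RE = re.compile(r"Public[- ]Key:\s*\((\d+) bit\)")  # old and new OpenSSL wording


def audit_x509_text(text):
    """Return a list of findings for the output of `openssl x509 -text`."""
    findings = []
    sig = SIG_RE.search(text)
    digest = HASH_RE.search(sig.group(1)) if sig else None
    if digest is None:
        findings.append("signature digest not recognised; review by hand")
    elif digest.group(1).lower() in WEAK_HASHES:
        findings.append("weak signature digest: " + sig.group(1))
    keyalg = KEYALG_RE.search(text)
    bits = BITS_RE.search(text)
    if keyalg and keyalg.group(1) == "rsaEncryption":
        if bits is None:
            findings.append("RSA key size not found; review by hand")
        elif int(bits.group(1)) < MIN_RSA_BITS:
            findings.append("RSA key too short: %s bits" % bits.group(1))
    return findings


# The three relevant lines of the output quoted in the ticket.
TICKET_CERT = """\
Signature Algorithm: md5WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
"""

# Constructed sample in the newer OpenSSL output wording.
GOOD_CERT = """\
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
"""

if __name__ == "__main__":
    for name, text in (("ticket", TICKET_CERT), ("constructed", GOOD_CERT)):
        print(name, audit_x509_text(text) or "ok")
```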
