[fedor] improve Jingle XTLS security. Fixes #7544

This commit is contained in:
Yann Leboulanger 2013-11-05 11:21:56 +01:00
parent 9076ad8156
commit 0bae08571a
1 changed files with 12 additions and 7 deletions

View File

@ -92,7 +92,10 @@ def get_context(fingerprint, verify_cb=None):
"""
constructs and returns the context objects
"""
ctx = SSL.Context(SSL.TLSv1_METHOD)
ctx = SSL.Context(SSL.SSLv23_METHOD)
flags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_SINGLE_DH_USE)
ctx.set_options(flags)
ctx.set_cipher_list('HIGH:!aNULL:!eNULL')
if fingerprint == 'server': # for testing purposes only
ctx.set_verify(SSL.VERIFY_NONE|SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
@ -174,12 +177,12 @@ def createKeyPair(type, bits):
pkey.generate_key(type, bits)
return pkey
def createCertRequest(pkey, digest="md5", **name):
def createCertRequest(pkey, digest="sha1", **name):
"""
Create a certificate request.
Arguments: pkey - The key to associate with the request
digest - Digestion method to use for signing, default is md5
digest - Digestion method to use for signing, default is sha1
**name - The name of the subject of the request, possible
arguments are:
C - Country name
@ -201,7 +204,7 @@ def createCertRequest(pkey, digest="md5", **name):
req.sign(pkey, digest)
return req
def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter), digest="md5"):
def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter), digest="sha1"):
"""
Generate a certificate given a certificate request.
@ -213,7 +216,7 @@ def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter
starts being valid
notAfter - Timestamp (relative to now) when the certificate
stops being valid
digest - Digest method to use for signing, default is md5
digest - Digest method to use for signing, default is sha1
Returns: The signed certificate in an X509 object
"""
cert = crypto.X509()
@ -233,10 +236,12 @@ def make_certs(filepath, CN):
and '.cert' extensions
CN : common name
"""
key = createKeyPair(TYPE_RSA, 1024)
key = createKeyPair(TYPE_RSA, 4096)
req = createCertRequest(key, CN=CN)
cert = createCertificate(req, (req, key), 0, (0, 60*60*24*365*5)) # five years
open(filepath + '.pkey', 'w').write(crypto.dump_privatekey(
private_key_file = open(filepath + '.pkey', 'w')
os.chmod(filepath + '.pkey', 0600)
private_key_file.write(crypto.dump_privatekey(
crypto.FILETYPE_PEM, key))
open(filepath + '.cert', 'w').write(crypto.dump_certificate(
crypto.FILETYPE_PEM, cert))