Add DOH certificate generation commands into the example config. #2367

Merged
merged 1 commit into from Apr 14, 2023

KOLANICH
Contributor

@KOLANICH KOLANICH commented Apr 7, 2023

No description provided.

@jedisct1 jedisct1 merged commit f4007f7 into DNSCrypt:master Apr 14, 2023
@jedisct1
Member

Thank you!

@syphyr
Contributor

syphyr commented Apr 14, 2023

Is there a reason why the commands to generate localhost.pem changed from what the wiki currently says?

openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 -keyout localhost.pem -out localhost.pem

@KOLANICH
Contributor Author

RSA is a heavy asymmetric crypto method; since this crypto is not really used for security (we use a resolver under our control), I have changed it to a lightweight ECC suitable even for embedded devices (it is used in OpenWRT by default, if TLS is enabled in the Web GUI). Though this curve is not in the list of safe curves, again, we use encryption in that case only to work around the flaws in Firefox that, it seems, will never be fixed.

@KOLANICH KOLANICH deleted the add_doh_key_generation_comands_into_example branch April 15, 2023 11:26
@jedisct1
Member

RSA verification is faster than ECC.

And according to the recent activity on the relevant ticket, looks like Firefox will eventually fix the ECH issue.

@KOLANICH
Contributor Author

Thank you for the info.

d3cim added a commit to d3cim/dnscrypt-proxy-android that referenced this pull request Apr 15, 2023
@DNSCrypt DNSCrypt locked and limited conversation to collaborators May 14, 2023