Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gen_ssl_cert: new tool to generate SSL certs for Monero #5495

Merged
merged 1 commit into from Oct 24, 2019

Conversation

moneromooo-monero
Copy link
Collaborator

@moneromooo-monero moneromooo-monero commented Apr 25, 2019

No description provided.

@vtnerd
Copy link
Contributor

vtnerd commented May 2, 2019

I don't understand - openssl provides such tools ?

@moneromooo-monero
Copy link
Collaborator Author

moneromooo-monero commented May 2, 2019

It creates keys for use with monero.
It's basically equivalent to:
// openssl genrsa -out /tmp/KEY 4096
// openssl req -new -key /tmp/KEY -out /tmp/REQ
// openssl x509 -req -days 180 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT

@moneromooo-monero
Copy link
Collaborator Author

moneromooo-monero commented Aug 26, 2019

Do you have an objection to this ? As you suspected, it's a "make it easy for the user to start using it" thing.

@@ -133,6 +133,8 @@ namespace net_utils
constexpr size_t get_ssl_magic_size() { return 9; }
bool is_ssl(const unsigned char *data, size_t len);
bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s);

bool create_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert);
Copy link
Collaborator

@hyc hyc Aug 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This API signature is inadequate. There should be differences between server certs and client certs, but this API doesn't specify which is being created.

In particular, the subjectName of a server cert SHOULD be its fully qualified domain name. And the subjectAltName extension of the cert MUST have its fully qualified domain name, and SHOULD have its IP address. Conformant clients SHOULD validate that the name or IP address of the cert matches the server that the client connected to.

I noted before in the patch adding SSL to epee that the cert generation function is missing steps to properly set the subject*Name fields of the generated certs.

Copy link
Collaborator Author

@moneromooo-monero moneromooo-monero Aug 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not want to leak a fq server name in the cert (though vtnerd added support for this after my patch). Ideally people would whitelist fingerprints of the certs they intend to accept, rather than rely on name matching, which relies on centralized signature "authorities".

Copy link
Collaborator

@hyc hyc Oct 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I guess that makes sense.

hyc
hyc approved these changes Oct 24, 2019
luigi1111 added a commit that referenced this issue Oct 24, 2019
28a627c gen_ssl_cert: new tool to generate SSL certs for Monero (moneromooo-monero)
@luigi1111 luigi1111 merged commit 28a627c into monero-project:master Oct 24, 2019
1 check was pending
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants