bpo-34399: 2048 bits RSA keys and DH params (#8762)
Downstream vendors have started to deprecate weak keys. Update all RSA keys and DH params to use at least 2048 bits. Finite field DH param file use RFC 7919 values, generated with certtool --get-dh-params --sec-param=high Signed-off-by: Christian Heimes <christian@python.org>
This commit is contained in:
parent
aa4e4a40db
commit
88bfd0bce0
|
@ -1,7 +0,0 @@
|
||||||
-----BEGIN DH PARAMETERS-----
|
|
||||||
MIGHAoGBAIbzw1s9CT8SV5yv6L7esdAdZYZjPi3qWFs61CYTFFQnf2s/d09NYaJt
|
|
||||||
rrvJhIzWavqnue71qXCf83/J3nz3FEwUU/L0mGyheVbsSHiI64wUo3u50wK5Igo0
|
|
||||||
RNs/LD0irs7m0icZ//hijafTU+JOBiuA8zMI+oZfU7BGuc9XrUprAgEC
|
|
||||||
-----END DH PARAMETERS-----
|
|
||||||
|
|
||||||
Generated with: openssl dhparam -out dh1024.pem 1024
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
DH Parameters: (3072 bit)
|
||||||
|
prime:
|
||||||
|
00:ff:ff:ff:ff:ff:ff:ff:ff:ad:f8:54:58:a2:bb:
|
||||||
|
4a:9a:af:dc:56:20:27:3d:3c:f1:d8:b9:c5:83:ce:
|
||||||
|
2d:36:95:a9:e1:36:41:14:64:33:fb:cc:93:9d:ce:
|
||||||
|
24:9b:3e:f9:7d:2f:e3:63:63:0c:75:d8:f6:81:b2:
|
||||||
|
02:ae:c4:61:7a:d3:df:1e:d5:d5:fd:65:61:24:33:
|
||||||
|
f5:1f:5f:06:6e:d0:85:63:65:55:3d:ed:1a:f3:b5:
|
||||||
|
57:13:5e:7f:57:c9:35:98:4f:0c:70:e0:e6:8b:77:
|
||||||
|
e2:a6:89:da:f3:ef:e8:72:1d:f1:58:a1:36:ad:e7:
|
||||||
|
35:30:ac:ca:4f:48:3a:79:7a:bc:0a:b1:82:b3:24:
|
||||||
|
fb:61:d1:08:a9:4b:b2:c8:e3:fb:b9:6a:da:b7:60:
|
||||||
|
d7:f4:68:1d:4f:42:a3:de:39:4d:f4:ae:56:ed:e7:
|
||||||
|
63:72:bb:19:0b:07:a7:c8:ee:0a:6d:70:9e:02:fc:
|
||||||
|
e1:cd:f7:e2:ec:c0:34:04:cd:28:34:2f:61:91:72:
|
||||||
|
fe:9c:e9:85:83:ff:8e:4f:12:32:ee:f2:81:83:c3:
|
||||||
|
fe:3b:1b:4c:6f:ad:73:3b:b5:fc:bc:2e:c2:20:05:
|
||||||
|
c5:8e:f1:83:7d:16:83:b2:c6:f3:4a:26:c1:b2:ef:
|
||||||
|
fa:88:6b:42:38:61:1f:cf:dc:de:35:5b:3b:65:19:
|
||||||
|
03:5b:bc:34:f4:de:f9:9c:02:38:61:b4:6f:c9:d6:
|
||||||
|
e6:c9:07:7a:d9:1d:26:91:f7:f7:ee:59:8c:b0:fa:
|
||||||
|
c1:86:d9:1c:ae:fe:13:09:85:13:92:70:b4:13:0c:
|
||||||
|
93:bc:43:79:44:f4:fd:44:52:e2:d7:4d:d3:64:f2:
|
||||||
|
e2:1e:71:f5:4b:ff:5c:ae:82:ab:9c:9d:f6:9e:e8:
|
||||||
|
6d:2b:c5:22:36:3a:0d:ab:c5:21:97:9b:0d:ea:da:
|
||||||
|
1d:bf:9a:42:d5:c4:48:4e:0a:bc:d0:6b:fa:53:dd:
|
||||||
|
ef:3c:1b:20:ee:3f:d5:9d:7c:25:e4:1d:2b:66:c6:
|
||||||
|
2e:37:ff:ff:ff:ff:ff:ff:ff:ff
|
||||||
|
generator: 2 (0x2)
|
||||||
|
recommended-private-length: 276 bits
|
||||||
|
-----BEGIN DH PARAMETERS-----
|
||||||
|
MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||||
|
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||||
|
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||||
|
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||||
|
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||||
|
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
|
||||||
|
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
|
||||||
|
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
|
||||||
|
N///////////AgECAgIBFA==
|
||||||
|
-----END DH PARAMETERS-----
|
|
@ -55,7 +55,6 @@ CAPATH = data_file("capath")
|
||||||
BYTES_CAPATH = os.fsencode(CAPATH)
|
BYTES_CAPATH = os.fsencode(CAPATH)
|
||||||
CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
|
CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
|
||||||
CAFILE_CACERT = data_file("capath", "5ed36f99.0")
|
CAFILE_CACERT = data_file("capath", "5ed36f99.0")
|
||||||
WRONG_CERT = data_file("wrongcert.pem")
|
|
||||||
|
|
||||||
CERTFILE_INFO = {
|
CERTFILE_INFO = {
|
||||||
'issuer': ((('countryName', 'XY'),),
|
'issuer': ((('countryName', 'XY'),),
|
||||||
|
@ -118,7 +117,7 @@ BADKEY = data_file("badkey.pem")
|
||||||
NOKIACERT = data_file("nokia.pem")
|
NOKIACERT = data_file("nokia.pem")
|
||||||
NULLBYTECERT = data_file("nullbytecert.pem")
|
NULLBYTECERT = data_file("nullbytecert.pem")
|
||||||
|
|
||||||
DHFILE = data_file("dh1024.pem")
|
DHFILE = data_file("ffdh3072.pem")
|
||||||
BYTES_DHFILE = os.fsencode(DHFILE)
|
BYTES_DHFILE = os.fsencode(DHFILE)
|
||||||
|
|
||||||
# Not defined in all versions of OpenSSL
|
# Not defined in all versions of OpenSSL
|
||||||
|
@ -2825,8 +2824,8 @@ class ThreadedTests(unittest.TestCase):
|
||||||
connect to it with a wrong client certificate fails.
|
connect to it with a wrong client certificate fails.
|
||||||
"""
|
"""
|
||||||
client_context, server_context, hostname = testing_context()
|
client_context, server_context, hostname = testing_context()
|
||||||
# load client cert
|
# load client cert that is not signed by trusted CA
|
||||||
client_context.load_cert_chain(WRONG_CERT)
|
client_context.load_cert_chain(CERTFILE)
|
||||||
# require TLS client authentication
|
# require TLS client authentication
|
||||||
server_context.verify_mode = ssl.CERT_REQUIRED
|
server_context.verify_mode = ssl.CERT_REQUIRED
|
||||||
# TLS 1.3 has different handshake
|
# TLS 1.3 has different handshake
|
||||||
|
@ -2858,7 +2857,8 @@ class ThreadedTests(unittest.TestCase):
|
||||||
@unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
|
@unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
|
||||||
def test_wrong_cert_tls13(self):
|
def test_wrong_cert_tls13(self):
|
||||||
client_context, server_context, hostname = testing_context()
|
client_context, server_context, hostname = testing_context()
|
||||||
client_context.load_cert_chain(WRONG_CERT)
|
# load client cert that is not signed by trusted CA
|
||||||
|
client_context.load_cert_chain(CERTFILE)
|
||||||
server_context.verify_mode = ssl.CERT_REQUIRED
|
server_context.verify_mode = ssl.CERT_REQUIRED
|
||||||
server_context.minimum_version = ssl.TLSVersion.TLSv1_3
|
server_context.minimum_version = ssl.TLSVersion.TLSv1_3
|
||||||
client_context.minimum_version = ssl.TLSVersion.TLSv1_3
|
client_context.minimum_version = ssl.TLSVersion.TLSv1_3
|
||||||
|
|
|
@ -1,32 +0,0 @@
|
||||||
-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
MIICXAIBAAKBgQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnH
|
|
||||||
FlbsVUg2Xtk6+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6T
|
|
||||||
f9lnNTwpSoeK24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQAB
|
|
||||||
AoGAQFko4uyCgzfxr4Ezb4Mp5pN3Npqny5+Jey3r8EjSAX9Ogn+CNYgoBcdtFgbq
|
|
||||||
1yif/0sK7ohGBJU9FUCAwrqNBI9ZHB6rcy7dx+gULOmRBGckln1o5S1+smVdmOsW
|
|
||||||
7zUVLBVByKuNWqTYFlzfVd6s4iiXtAE2iHn3GCyYdlICwrECQQDhMQVxHd3EFbzg
|
|
||||||
SFmJBTARlZ2GKA3c1g/h9/XbkEPQ9/RwI3vnjJ2RaSnjlfoLl8TOcf0uOGbOEyFe
|
|
||||||
19RvCLXjAkEA1s+UE5ziF+YVkW3WolDCQ2kQ5WG9+ccfNebfh6b67B7Ln5iG0Sbg
|
|
||||||
ky9cjsO3jbMJQtlzAQnH1850oRD5Gi51dQJAIbHCDLDZU9Ok1TI+I2BhVuA6F666
|
|
||||||
lEZ7TeZaJSYq34OaUYUdrwG9OdqwZ9sy9LUav4ESzu2lhEQchCJrKMn23QJAReqs
|
|
||||||
ZLHUeTjfXkVk7dHhWPWSlUZ6AhmIlA/AQ7Payg2/8wM/JkZEJEPvGVykms9iPUrv
|
|
||||||
frADRr+hAGe43IewnQJBAJWKZllPgKuEBPwoEldHNS8nRu61D7HzxEzQ2xnfj+Nk
|
|
||||||
2fgf1MAzzTRsikfGENhVsVWeqOcijWb6g5gsyCmlRpc=
|
|
||||||
-----END RSA PRIVATE KEY-----
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICsDCCAhmgAwIBAgIJAOqYOYFJfEEoMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
|
|
||||||
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
|
|
||||||
aWRnaXRzIFB0eSBMdGQwHhcNMDgwNjI2MTgxNTUyWhcNMDkwNjI2MTgxNTUyWjBF
|
|
||||||
MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
|
|
||||||
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
|
|
||||||
gQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnHFlbsVUg2Xtk6
|
|
||||||
+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6Tf9lnNTwpSoeK
|
|
||||||
24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQABo4GnMIGkMB0G
|
|
||||||
A1UdDgQWBBTctMtI3EO9OjLI0x9Zo2ifkwIiNjB1BgNVHSMEbjBsgBTctMtI3EO9
|
|
||||||
OjLI0x9Zo2ifkwIiNqFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
|
|
||||||
U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAOqYOYFJ
|
|
||||||
fEEoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQwa7jya/DfhaDn7E
|
|
||||||
usPkpgIX8WCL2B1SqnRTXEZfBPPVq/cUmFGyEVRVATySRuMwi8PXbVcOhXXuocA+
|
|
||||||
43W+iIsD9pXapCZhhOerCq18TC1dWK98vLUsoK8PMjB6e5H/O8bqojv0EeC+fyCw
|
|
||||||
eSHj5jpC8iZKjCHBn+mAi4cQ514=
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -0,0 +1 @@
|
||||||
|
Update all RSA keys and DH params to use at least 2048 bits.
|
Loading…
Reference in New Issue