
Commit b46f02e

committed
bpo-34399: 2048 bits RSA keys and DH params
Downstream vendors have started to deprecate weak keys. Update all RSA keys and DH params to use at least 2048 bits.

The finite field DH param file uses RFC 7919 values, generated with certtool --get-dh-params --sec-param=high

Signed-off-by: Christian Heimes <[email protected]>
1 parent aa4e4a4 commit b46f02e


5 files changed

+47
-44
lines changed


Lib/test/dh1024.pem

Lines changed: 0 additions & 7 deletions
This file was deleted.

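--- /dev/null
+++ b/Lib/test/ffdh3072.pem
@@ -0,0 +1,41 @@
+DH Parameters: (3072 bit)
+prime:
+00:ff:ff:ff:ff:ff:ff:ff:ff:ad:f8:54:58:a2:bb:
+4a:9a:af:dc:56:20:27:3d:3c:f1:d8:b9:c5:83:ce:
+2d:36:95:a9:e1:36:41:14:64:33:fb:cc:93:9d:ce:
+24:9b:3e:f9:7d:2f:e3:63:63:0c:75:d8:f6:81:b2:
+02:ae:c4:61:7a:d3:df:1e:d5:d5:fd:65:61:24:33:
+f5:1f:5f:06:6e:d0:85:63:65:55:3d:ed:1a:f3:b5:
+57:13:5e:7f:57:c9:35:98:4f:0c:70:e0:e6:8b:77:
+e2:a6:89:da:f3:ef:e8:72:1d:f1:58:a1:36:ad:e7:
+35:30:ac:ca:4f:48:3a:79:7a:bc:0a:b1:82:b3:24:
+fb:61:d1:08:a9:4b:b2:c8:e3:fb:b9:6a:da:b7:60:
+d7:f4:68:1d:4f:42:a3:de:39:4d:f4:ae:56:ed:e7:
+63:72:bb:19:0b:07:a7:c8:ee:0a:6d:70:9e:02:fc:
+e1:cd:f7:e2:ec:c0:34:04:cd:28:34:2f:61:91:72:
+fe:9c:e9:85:83:ff:8e:4f:12:32:ee:f2:81:83:c3:
+fe:3b:1b:4c:6f:ad:73:3b:b5:fc:bc:2e:c2:20:05:
+c5:8e:f1:83:7d:16:83:b2:c6:f3:4a:26:c1:b2:ef:
+fa:88:6b:42:38:61:1f:cf:dc:de:35:5b:3b:65:19:
+03:5b:bc:34:f4:de:f9:9c:02:38:61:b4:6f:c9:d6:
+e6:c9:07:7a:d9:1d:26:91:f7:f7:ee:59:8c:b0:fa:
+c1:86:d9:1c:ae:fe:13:09:85:13:92:70:b4:13:0c:
+93:bc:43:79:44:f4:fd:44:52:e2:d7:4d:d3:64:f2:
+e2:1e:71:f5:4b:ff:5c:ae:82:ab:9c:9d:f6:9e:e8:
+6d:2b:c5:22:36:3a:0d:ab:c5:21:97:9b:0d:ea:da:
+1d:bf:9a:42:d5:c4:48:4e:0a:bc:d0:6b:fa:53:dd:
+ef:3c:1b:20:ee:3f:d5:9d:7c:25:e4:1d:2b:66:c6:
+2e:37:ff:ff:ff:ff:ff:ff:ff:ff
+generator: 2 (0x2)
+recommended-private-length: 276 bits
+-----BEGIN DH PARAMETERS-----
+MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
+N///////////AgECAgIBFA==
+-----END DH PARAMETERS-----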

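--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -55,7 +55,6 @@ def data_file(*name):
 BYTES_CAPATH = os.fsencode(CAPATH)
 CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
 CAFILE_CACERT = data_file("capath", "5ed36f99.0")
-WRONG_CERT = data_file("wrongcert.pem")
 
 CERTFILE_INFO = {
 'issuer': ((('countryName', 'XY'),),
@@ -118,7 +117,7 @@ def data_file(*name):
 NOKIACERT = data_file("nokia.pem")
 NULLBYTECERT = data_file("nullbytecert.pem")
 
-DHFILE = data_file("dh1024.pem")
+DHFILE = data_file("ffdh3072.pem")
 BYTES_DHFILE = os.fsencode(DHFILE)
 
 # Not defined in all versions of OpenSSL
@@ -2825,8 +2824,8 @@ def test_wrong_cert_tls12(self):
 connect to it with a wrong client certificate fails.
 """
 client_context, server_context, hostname = testing_context()
-# load client cert
-client_context.load_cert_chain(WRONG_CERT)
+# load client cert that is not signed by trusted CA
+client_context.load_cert_chain(CERTFILE)
 # require TLS client authentication
 server_context.verify_mode = ssl.CERT_REQUIRED
 # TLS 1.3 has different handshake
@@ -2858,7 +2857,8 @@ def test_wrong_cert_tls12(self):
 @unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
 def test_wrong_cert_tls13(self):
 client_context, server_context, hostname = testing_context()
-client_context.load_cert_chain(WRONG_CERT)
+# load client cert that is not signed by trusted CA
+client_context.load_cert_chain(CERTFILE)
 server_context.verify_mode = ssl.CERT_REQUIRED
 server_context.minimum_version = ssl.TLSVersion.TLSv1_3
 client_context.minimum_version = ssl.TLSVersion.TLSv1_3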
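Review bot: Both `test_wrong_cert_tls12` and `test_wrong_cert_tls13` now present `CERTFILE` as the certificate the server must reject, so the negative client-authentication check depends entirely on which CAs `testing_context()` loads into `server_context`, and that helper is not visible in these hunks. With the dedicated `WRONG_CERT` fixture gone, nothing on these lines marks `CERTFILE` as deliberately untrusted, and a later change to the trust store in `testing_context()` would presumably change what these tests exercise. The new comment could state the dependency explicitly, for example `# CERTFILE must not chain to any CA that testing_context() loads into server_context`. Both test bodies continue outside the hunks shown.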

Lib/test/wrongcert.pem

Lines changed: 0 additions & 32 deletions
This file was deleted.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Update all RSA keys and DH params to use at least 2048 bits.
