
Commit e3228a3

miss-islington and tiran committed
bpo-34399: 2048 bits RSA keys and DH params (GH-8762) (GH-8763)
Downstream vendors have started to deprecate weak keys. Update all RSA keys and DH params to use at least 2048 bits.

Finite field DH param file use RFC 7919 values, generated with
certtool --get-dh-params --sec-param=high

Signed-off-by: Christian Heimes <[email protected]>
(cherry picked from commit 88bfd0b)
Co-authored-by: Christian Heimes <[email protected]>
1 parent 6c14060 commit e3228a3


5 files changed

+47
-44
lines changed


Lib/test/dh1024.pem

Lines changed: 0 additions & 7 deletions
This file was deleted.

Lib/test/ffdh3072.pem

Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
DH Parameters: (3072 bit)
2+
prime:
3+
00:ff:ff:ff:ff:ff:ff:ff:ff:ad:f8:54:58:a2:bb:
4+
4a:9a:af:dc:56:20:27:3d:3c:f1:d8:b9:c5:83:ce:
5+
2d:36:95:a9:e1:36:41:14:64:33:fb:cc:93:9d:ce:
6+
24:9b:3e:f9:7d:2f:e3:63:63:0c:75:d8:f6:81:b2:
7+
02:ae:c4:61:7a:d3:df:1e:d5:d5:fd:65:61:24:33:
8+
f5:1f:5f:06:6e:d0:85:63:65:55:3d:ed:1a:f3:b5:
9+
57:13:5e:7f:57:c9:35:98:4f:0c:70:e0:e6:8b:77:
10+
e2:a6:89:da:f3:ef:e8:72:1d:f1:58:a1:36:ad:e7:
11+
35:30:ac:ca:4f:48:3a:79:7a:bc:0a:b1:82:b3:24:
12+
fb:61:d1:08:a9:4b:b2:c8:e3:fb:b9:6a:da:b7:60:
13+
d7:f4:68:1d:4f:42:a3:de:39:4d:f4:ae:56:ed:e7:
14+
63:72:bb:19:0b:07:a7:c8:ee:0a:6d:70:9e:02:fc:
15+
e1:cd:f7:e2:ec:c0:34:04:cd:28:34:2f:61:91:72:
16+
fe:9c:e9:85:83:ff:8e:4f:12:32:ee:f2:81:83:c3:
17+
fe:3b:1b:4c:6f:ad:73:3b:b5:fc:bc:2e:c2:20:05:
18+
c5:8e:f1:83:7d:16:83:b2:c6:f3:4a:26:c1:b2:ef:
19+
fa:88:6b:42:38:61:1f:cf:dc:de:35:5b:3b:65:19:
20+
03:5b:bc:34:f4:de:f9:9c:02:38:61:b4:6f:c9:d6:
21+
e6:c9:07:7a:d9:1d:26:91:f7:f7:ee:59:8c:b0:fa:
22+
c1:86:d9:1c:ae:fe:13:09:85:13:92:70:b4:13:0c:
23+
93:bc:43:79:44:f4:fd:44:52:e2:d7:4d:d3:64:f2:
24+
e2:1e:71:f5:4b:ff:5c:ae:82:ab:9c:9d:f6:9e:e8:
25+
6d:2b:c5:22:36:3a:0d:ab:c5:21:97:9b:0d:ea:da:
26+
1d:bf:9a:42:d5:c4:48:4e:0a:bc:d0:6b:fa:53:dd:
27+
ef:3c:1b:20:ee:3f:d5:9d:7c:25:e4:1d:2b:66:c6:
28+
2e:37:ff:ff:ff:ff:ff:ff:ff:ff
29+
generator: 2 (0x2)
30+
recommended-private-length: 276 bits
31+
-----BEGIN DH PARAMETERS-----
32+
MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
33+
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
34+
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
35+
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
36+
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
37+
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
38+
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
39+
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
40+
N///////////AgECAgIBFA==
41+
-----END DH PARAMETERS-----
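
Review bot: The text header of the new ffdh3072.pem (new lines 1-30) gives the size, generator and recommended private length but not where the parameters came from; the commit message says they are RFC 7919 values produced with certtool --get-dh-params --sec-param=high, and that provenance belongs in the file as well. A leading line naming the RFC 7919 group and the generating command would let a later reader confirm the prime is the standard one rather than an ad hoc value. The file already carries text ahead of the BEGIN DH PARAMETERS marker, so one more line there would not change how the PEM block is read.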

Lib/test/test_ssl.py

Lines changed: 5 additions & 5 deletions
@@ -55,7 +55,6 @@ def data_file(*name):
5555
BYTES_CAPATH = os.fsencode(CAPATH)
5656
CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
5757
CAFILE_CACERT = data_file("capath", "5ed36f99.0")
58-
WRONG_CERT = data_file("wrongcert.pem")
5958

6059
CERTFILE_INFO = {
6160
'issuer': ((('countryName', 'XY'),),
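
Review bot: Dropping the module-level WRONG_CERT at old line 58 removes a name that other test modules could import from test_ssl. This diff updates the two uses in test_wrong_cert_tls12 and test_wrong_cert_tls13, but a search for WRONG_CERT and wrongcert.pem across Lib/test before merging would confirm that nothing else still refers to the constant or to the deleted file.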
@@ -118,7 +117,7 @@ def data_file(*name):
118117
NOKIACERT = data_file("nokia.pem")
119118
NULLBYTECERT = data_file("nullbytecert.pem")
120119

121-
DHFILE = data_file("dh1024.pem")
120+
DHFILE = data_file("ffdh3072.pem")
122121
BYTES_DHFILE = os.fsencode(DHFILE)
123122

124123
# Not defined in all versions of OpenSSL
@@ -2846,8 +2845,8 @@ def test_wrong_cert_tls12(self):
28462845
connect to it with a wrong client certificate fails.
28472846
"""
28482847
client_context, server_context, hostname = testing_context()
2849-
# load client cert
2850-
client_context.load_cert_chain(WRONG_CERT)
2848+
# load client cert that is not signed by trusted CA
2849+
client_context.load_cert_chain(CERTFILE)
28512850
# require TLS client authentication
28522851
server_context.verify_mode = ssl.CERT_REQUIRED
28532852
# TLS 1.3 has different handshake
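
Review bot: The new comment at lines 2848-2849 states that CERTFILE is not signed by a trusted CA, but nothing in test_wrong_cert_tls12 establishes that; it holds only as long as testing_context() never adds CERTFILE or its issuer to the trust store of server_context. With wrongcert.pem deleted there is no fixture dedicated to this case any more, so consider saying in the comment which CA server_context trusts, so that a later change to testing_context() that breaks the premise is easy to diagnose from the test failure.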
@@ -2879,7 +2878,8 @@ def test_wrong_cert_tls12(self):
28792878
@unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
28802879
def test_wrong_cert_tls13(self):
28812880
client_context, server_context, hostname = testing_context()
2882-
client_context.load_cert_chain(WRONG_CERT)
2881+
# load client cert that is not signed by trusted CA
2882+
client_context.load_cert_chain(CERTFILE)
28832883
server_context.verify_mode = ssl.CERT_REQUIRED
28842884
server_context.minimum_version = ssl.TLSVersion.TLSv1_3
28852885
client_context.minimum_version = ssl.TLSVersion.TLSv1_3
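
Review bot: Lines 2881-2882 repeat the comment and the load_cert_chain(CERTFILE) call from test_wrong_cert_tls12 verbatim. A module-level alias with a descriptive name, used in both tests, would keep the intent that WRONG_CERT used to convey and leave a single place to change if the untrusted client certificate is ever swapped for a different file.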

Lib/test/wrongcert.pem

Lines changed: 0 additions & 32 deletions
This file was deleted.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Update all RSA keys and DH params to use at least 2048 bits.
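
Review bot: The one-line NEWS entry does not say that the keys and DH params being updated are test fixtures, although every file named in this commit is under Lib/test. Wording such as "Update all RSA keys and DH params used by the test suite to use at least 2048 bits." would keep readers of the changelog from assuming that the runtime defaults of the ssl module changed.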
