[Python-checkins] bpo-34399: 2048 bits RSA keys and DH params (GH-8762) (GH-8763)

Christian Heimes webhook-mailer at python.org
Tue Aug 14 10:52:31 EDT 2018


https://github.com/python/cpython/commit/e3228a3f44e382b6cdd2b5e001b651347013a7d3
commit: e3228a3f44e382b6cdd2b5e001b651347013a7d3
branch: 3.7
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: Christian Heimes <christian at python.org>
date: 2018-08-14T16:52:27+02:00
summary:

bpo-34399: 2048 bits RSA keys and DH params (GH-8762) (GH-8763)

Downstream vendors have started to deprecate weak keys. Update all RSA keys
and DH params to use at least 2048 bits.

Finite field DH param file uses RFC 7919 values, generated with

    certtool --get-dh-params --sec-param=high

Signed-off-by: Christian Heimes <christian at python.org>
(cherry picked from commit 88bfd0bce05043f658e50addd21366f317995e35)

Co-authored-by: Christian Heimes <christian at python.org>

files:
A Lib/test/ffdh3072.pem
A Misc/NEWS.d/next/Tests/2018-08-14-10-47-44.bpo-34399.D_jd1G.rst
D Lib/test/dh1024.pem
D Lib/test/wrongcert.pem
M Lib/test/test_ssl.py

diff --git a/Lib/test/dh1024.pem b/Lib/test/dh1024.pem
deleted file mode 100644
index a391176b5fea..000000000000
--- a/Lib/test/dh1024.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIGHAoGBAIbzw1s9CT8SV5yv6L7esdAdZYZjPi3qWFs61CYTFFQnf2s/d09NYaJt
-rrvJhIzWavqnue71qXCf83/J3nz3FEwUU/L0mGyheVbsSHiI64wUo3u50wK5Igo0
-RNs/LD0irs7m0icZ//hijafTU+JOBiuA8zMI+oZfU7BGuc9XrUprAgEC
------END DH PARAMETERS-----
-
-Generated with: openssl dhparam -out dh1024.pem  1024
diff --git a/Lib/test/ffdh3072.pem b/Lib/test/ffdh3072.pem
new file mode 100644
index 000000000000..ad69bac8d00c
--- /dev/null
+++ b/Lib/test/ffdh3072.pem
@@ -0,0 +1,41 @@
+    DH Parameters: (3072 bit)
+        prime:
+            00:ff:ff:ff:ff:ff:ff:ff:ff:ad:f8:54:58:a2:bb:
+            4a:9a:af:dc:56:20:27:3d:3c:f1:d8:b9:c5:83:ce:
+            2d:36:95:a9:e1:36:41:14:64:33:fb:cc:93:9d:ce:
+            24:9b:3e:f9:7d:2f:e3:63:63:0c:75:d8:f6:81:b2:
+            02:ae:c4:61:7a:d3:df:1e:d5:d5:fd:65:61:24:33:
+            f5:1f:5f:06:6e:d0:85:63:65:55:3d:ed:1a:f3:b5:
+            57:13:5e:7f:57:c9:35:98:4f:0c:70:e0:e6:8b:77:
+            e2:a6:89:da:f3:ef:e8:72:1d:f1:58:a1:36:ad:e7:
+            35:30:ac:ca:4f:48:3a:79:7a:bc:0a:b1:82:b3:24:
+            fb:61:d1:08:a9:4b:b2:c8:e3:fb:b9:6a:da:b7:60:
+            d7:f4:68:1d:4f:42:a3:de:39:4d:f4:ae:56:ed:e7:
+            63:72:bb:19:0b:07:a7:c8:ee:0a:6d:70:9e:02:fc:
+            e1:cd:f7:e2:ec:c0:34:04:cd:28:34:2f:61:91:72:
+            fe:9c:e9:85:83:ff:8e:4f:12:32:ee:f2:81:83:c3:
+            fe:3b:1b:4c:6f:ad:73:3b:b5:fc:bc:2e:c2:20:05:
+            c5:8e:f1:83:7d:16:83:b2:c6:f3:4a:26:c1:b2:ef:
+            fa:88:6b:42:38:61:1f:cf:dc:de:35:5b:3b:65:19:
+            03:5b:bc:34:f4:de:f9:9c:02:38:61:b4:6f:c9:d6:
+            e6:c9:07:7a:d9:1d:26:91:f7:f7:ee:59:8c:b0:fa:
+            c1:86:d9:1c:ae:fe:13:09:85:13:92:70:b4:13:0c:
+            93:bc:43:79:44:f4:fd:44:52:e2:d7:4d:d3:64:f2:
+            e2:1e:71:f5:4b:ff:5c:ae:82:ab:9c:9d:f6:9e:e8:
+            6d:2b:c5:22:36:3a:0d:ab:c5:21:97:9b:0d:ea:da:
+            1d:bf:9a:42:d5:c4:48:4e:0a:bc:d0:6b:fa:53:dd:
+            ef:3c:1b:20:ee:3f:d5:9d:7c:25:e4:1d:2b:66:c6:
+            2e:37:ff:ff:ff:ff:ff:ff:ff:ff
+        generator: 2 (0x2)
+        recommended-private-length: 276 bits
+-----BEGIN DH PARAMETERS-----
+MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
+N///////////AgECAgIBFA==
+-----END DH PARAMETERS-----
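Review bot: the new ffdh3072.pem carries no record of its own provenance. The deleted dh1024.pem ended with a "Generated with:" line, but here the certtool command and the RFC 7919 origin appear only in the commit message. Consider adding a trailing line after the END DH PARAMETERS marker, for example "Generated with: certtool --get-dh-params --sec-param=high (RFC 7919 ffdhe3072)", so a later reader can check the prime against the RFC group rather than trusting an unexplained blob in the test directory.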
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index d80e8d3fcfc6..5c22630d190c 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -55,7 +55,6 @@ def data_file(*name):
 BYTES_CAPATH = os.fsencode(CAPATH)
 CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
 CAFILE_CACERT = data_file("capath", "5ed36f99.0")
-WRONG_CERT = data_file("wrongcert.pem")
 
 CERTFILE_INFO = {
     'issuer': ((('countryName', 'XY'),),
@@ -118,7 +117,7 @@ def data_file(*name):
 NOKIACERT = data_file("nokia.pem")
 NULLBYTECERT = data_file("nullbytecert.pem")
 
-DHFILE = data_file("dh1024.pem")
+DHFILE = data_file("ffdh3072.pem")
 BYTES_DHFILE = os.fsencode(DHFILE)
 
 # Not defined in all versions of OpenSSL
@@ -2846,8 +2845,8 @@ def test_wrong_cert_tls12(self):
         connect to it with a wrong client certificate fails.
         """
         client_context, server_context, hostname = testing_context()
-        # load client cert
-        client_context.load_cert_chain(WRONG_CERT)
+        # load client cert that is not signed by trusted CA
+        client_context.load_cert_chain(CERTFILE)
         # require TLS client authentication
         server_context.verify_mode = ssl.CERT_REQUIRED
         # TLS 1.3 has different handshake
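Review bot: the new comment on the load_cert_chain(CERTFILE) line states that CERTFILE is "not signed by trusted CA", but nothing in the visible lines ties that claim to what testing_context() loads into server_context. With the dedicated wrongcert.pem gone, the test now depends on that relationship staying true. Consider naming in the comment which CA the server context trusts, so a future change to testing_context() or to CERTFILE is recognized as affecting this negative test.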
@@ -2879,7 +2878,8 @@ def test_wrong_cert_tls12(self):
     @unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
     def test_wrong_cert_tls13(self):
         client_context, server_context, hostname = testing_context()
-        client_context.load_cert_chain(WRONG_CERT)
+        # load client cert that is not signed by trusted CA
+        client_context.load_cert_chain(CERTFILE)
         server_context.verify_mode = ssl.CERT_REQUIRED
         server_context.minimum_version = ssl.TLSVersion.TLSv1_3
         client_context.minimum_version = ssl.TLSVersion.TLSv1_3
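Review bot: the comment and load_cert_chain(CERTFILE) pair here duplicates the one added to test_wrong_cert_tls12, and the call site no longer says on its own that the certificate is meant to be rejected. An intent-revealing module-level alias for CERTFILE (the removed WRONG_CERT name served that purpose) would keep both tests self-documenting and leave a single place to update if the untrusted fixture ever changes.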
diff --git a/Lib/test/wrongcert.pem b/Lib/test/wrongcert.pem
deleted file mode 100644
index 5f92f9bce765..000000000000
--- a/Lib/test/wrongcert.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnH
-FlbsVUg2Xtk6+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6T
-f9lnNTwpSoeK24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQAB
-AoGAQFko4uyCgzfxr4Ezb4Mp5pN3Npqny5+Jey3r8EjSAX9Ogn+CNYgoBcdtFgbq
-1yif/0sK7ohGBJU9FUCAwrqNBI9ZHB6rcy7dx+gULOmRBGckln1o5S1+smVdmOsW
-7zUVLBVByKuNWqTYFlzfVd6s4iiXtAE2iHn3GCyYdlICwrECQQDhMQVxHd3EFbzg
-SFmJBTARlZ2GKA3c1g/h9/XbkEPQ9/RwI3vnjJ2RaSnjlfoLl8TOcf0uOGbOEyFe
-19RvCLXjAkEA1s+UE5ziF+YVkW3WolDCQ2kQ5WG9+ccfNebfh6b67B7Ln5iG0Sbg
-ky9cjsO3jbMJQtlzAQnH1850oRD5Gi51dQJAIbHCDLDZU9Ok1TI+I2BhVuA6F666
-lEZ7TeZaJSYq34OaUYUdrwG9OdqwZ9sy9LUav4ESzu2lhEQchCJrKMn23QJAReqs
-ZLHUeTjfXkVk7dHhWPWSlUZ6AhmIlA/AQ7Payg2/8wM/JkZEJEPvGVykms9iPUrv
-frADRr+hAGe43IewnQJBAJWKZllPgKuEBPwoEldHNS8nRu61D7HzxEzQ2xnfj+Nk
-2fgf1MAzzTRsikfGENhVsVWeqOcijWb6g5gsyCmlRpc=
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIICsDCCAhmgAwIBAgIJAOqYOYFJfEEoMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMDgwNjI2MTgxNTUyWhcNMDkwNjI2MTgxNTUyWjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnHFlbsVUg2Xtk6
-+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6Tf9lnNTwpSoeK
-24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQABo4GnMIGkMB0G
-A1UdDgQWBBTctMtI3EO9OjLI0x9Zo2ifkwIiNjB1BgNVHSMEbjBsgBTctMtI3EO9
-OjLI0x9Zo2ifkwIiNqFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
-U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAOqYOYFJ
-fEEoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQwa7jya/DfhaDn7E
-usPkpgIX8WCL2B1SqnRTXEZfBPPVq/cUmFGyEVRVATySRuMwi8PXbVcOhXXuocA+
-43W+iIsD9pXapCZhhOerCq18TC1dWK98vLUsoK8PMjB6e5H/O8bqojv0EeC+fyCw
-eSHj5jpC8iZKjCHBn+mAi4cQ514=
------END CERTIFICATE-----
diff --git a/Misc/NEWS.d/next/Tests/2018-08-14-10-47-44.bpo-34399.D_jd1G.rst b/Misc/NEWS.d/next/Tests/2018-08-14-10-47-44.bpo-34399.D_jd1G.rst
new file mode 100644
index 000000000000..8c5458f490f2
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2018-08-14-10-47-44.bpo-34399.D_jd1G.rst
@@ -0,0 +1 @@
+Update all RSA keys and DH params to use at least 2048 bits.
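Review bot: the NEWS entry says "Update all RSA keys", but in the visible patch no RSA key is regenerated: wrongcert.pem with its 1024-bit key is deleted, the tests are pointed at the existing CERTFILE, and only the DH parameter file is replaced. Consider wording the entry to match, for example noting that the 1024-bit test key and DH params were removed and that the DH params now use the RFC 7919 3072-bit group, so the claim can be checked against the file list.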
