0.X
---
+- Important: The file proxy-dh.pem is now required. tlsproxy-setup creates it,
+ but running it will overwrite the existing proxy-*.pem files. To create only
+ proxy-dh.pem use:
+
+ certtool --generate-dh-params --sec-param high --outfile proxy-dh.pem
+
- Add -a option, authentication for tlsproxy via basic digest authentication.
+- Use pre-generated Diffie-Hellman parameters in proxy-dh.pem.
- Code cleanup.
- Better error handling.
- Fix compile with recent GnuTLS (e.g. 3.2.3).
- Improve (error) logging; log to stderr.
- Add (basic) man pages.
- Improve test suite.
-- tlsproxy-setup: Increase expiry-date and use larger private key.
+- tlsproxy-setup: Increase expiry-date and use larger private key, generate
+ proxy-dh.pem.
0.2
- `proxy-ca.pem`: CA which is used for all connections to the client
- `proxy-ca-key.pem`: private key for the CA
+- `proxy-dh.pem`: Diffie-Hellman parameters for the proxy
- `proxy-key.pem`: private key for the proxy
- `proxy-invalid.pem`: special certificate used for invalid pages
/* Size of ringbuffer. */
#define RINGBUFFER_SIZE 10
-/* Bit size of Diffie-Hellman key exchange parameters. */
-#define DH_SIZE 1024
-
/* For gnutls_*() functions. */
#define GNUTLS_ERROR_EXIT(error, message) \
static void initialize_gnutls(void) {
int result;
+ char *dh_parameters;
+ gnutls_datum_t dh_parameters_datum;
+
/* Recent versions of GnuTLS automatically initialize the cryptography layer
* in gnutls_global_init(). */
#if GNUTLS_VERSION_NUMBER <= 0x020b00
result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL);
GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()");
- /* Generate Diffie-Hellman parameters. */
+ /* Read Diffie-Hellman parameters. */
+ dh_parameters = slurp_text_file(PROXY_DH_PATH);
+ if (dh_parameters == NULL) {
+ fprintf(stderr, PROXY_DH_PATH " missing, "
+ "use `tlsproxy-setup` to create it\n");
+ exit(EXIT_FAILURE);
+ }
+ dh_parameters_datum.data = (unsigned char *)dh_parameters;
+ dh_parameters_datum.size = strlen(dh_parameters);
+
result = gnutls_dh_params_init(&global_tls_dh_params);
GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()");
- result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE);
- GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()");
+ result = gnutls_dh_params_import_pkcs3(global_tls_dh_params,
+ &dh_parameters_datum,
+ GNUTLS_X509_FMT_PEM);
+ GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_import_pkcs3()");
+
+ free(dh_parameters);
}
static void deinitialize_gnutls(void) {
gnutls_dh_params_deinit(global_tls_dh_params);
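Review bot: The NULL check after `slurp_text_file(PROXY_DH_PATH)` reports every failure as "missing", but if that helper (defined outside this hunk, so unconfirmed) also returns NULL on read or permission errors, the message will send the operator to tlsproxy-setup for a problem that is not a missing file; printing the errno text, e.g. `fprintf(stderr, "cannot read " PROXY_DH_PATH ": %s\n", strerror(errno));` before the existing tlsproxy-setup hint, keeps the diagnosis honest, assuming the helper leaves errno intact. `dh_parameters_datum.size = strlen(dh_parameters);` narrows size_t into the datum's unsigned int silently; an explicit `(unsigned int)` cast documents that this is intended for a small PEM file and keeps -Wconversion quiet. Replacing the compiled-in DH_SIZE with whatever proxy-dh.pem holds also means the proxy no longer controls the parameter strength, so consider calling gnutls_dh_params_export_raw() once after the import to log the prime's bit length and refuse values below the project's minimum, so a weak or stale file is noticed rather than used silently. initialize_gnutls() is shown from its signature to its closing brace, though the `#endif` matching the GNUTLS_VERSION_NUMBER `#if` near the top is not visible, so the lines between it and the gnutls_priority_init() call may be cut.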
/* Length for path arrays. */
#define TLSPROXY_MAX_PATH_LENGTH 1024
-/* Paths to necessary TLS files: the CA and the server key. */
+/* Paths to necessary TLS files: the CA, the server key and DH parameters. */
#define PROXY_CA_PATH "proxy-ca.pem"
#define PROXY_KEY_PATH "proxy-key.pem"
+#define PROXY_DH_PATH "proxy-dh.pem"
/* Path to special "invalid" certificate send to the client when an error
* occurs. */
#define PROXY_INVALID_CERT_PATH "proxy-invalid.pem"