This is much faster than generating them on each start and allows us to
use larger parameter sizes.
/tests/client
/tests/proxy-ca-key.pem
/tests/proxy-ca.pem
/tests/client
/tests/proxy-ca-key.pem
/tests/proxy-ca.pem
/tests/proxy-invalid.pem
/tests/proxy-key.pem
/tests/proxy-invalid.pem
/tests/proxy-key.pem
+- Important: The file proxy-dh.pem is now required. tlsproxy-setup creates it,
+ but running it will overwrite the existing proxy-*.pem files. To create only
+ proxy-dh.pem use:
+
+ certtool --generate-dh-params --sec-param high --outfile proxy-dh.pem
+
- Add -a option, authentication for tlsproxy via basic digest authentication.
- Add -a option, authentication for tlsproxy via basic digest authentication.
+- Use pre-generated Diffie-Hellman parameters in proxy-dh.pem.
- Code cleanup.
- Better error handling.
- Fix compile with recent GnuTLS (e.g. 3.2.3).
- Improve (error) logging; log to stderr.
- Add (basic) man pages.
- Improve test suite.
- Code cleanup.
- Better error handling.
- Fix compile with recent GnuTLS (e.g. 3.2.3).
- Improve (error) logging; log to stderr.
- Add (basic) man pages.
- Improve test suite.
-- tlsproxy-setup: Increase expiry-date and use larger private key.
+- tlsproxy-setup: Increase expiry-date and use larger private key, generate
+ proxy-dh.pem.
- `proxy-ca.pem`: CA which is used for all connections to the client
- `proxy-ca-key.pem`: private key for the CA
- `proxy-ca.pem`: CA which is used for all connections to the client
- `proxy-ca-key.pem`: private key for the CA
+- `proxy-dh.pem`: Diffie-Hellman parameters for the proxy
- `proxy-key.pem`: private key for the proxy
- `proxy-invalid.pem`: special certificate used for invalid pages
- `proxy-key.pem`: private key for the proxy
- `proxy-invalid.pem`: special certificate used for invalid pages
- proxy-ca.pem
- proxy-ca-key.pem
- proxy-ca.pem
- proxy-ca-key.pem
- proxy-key.pem
- proxy-invalid.pem
- proxy-key.pem
- proxy-invalid.pem
+# Generate proxy Diffie-Hellman parameters.
+certtool --generate-dh-params \
+ --sec-param high \
+ --outfile proxy-dh.pem
+
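Review bot: The added certtool call's exit status is not checked within the hunk; unless the script runs under `set -e` (not visible here), a failed generation continues silently and the proxy later aborts at startup with the `proxy-dh.pem missing` message instead of failing at setup time. `certtool --generate-dh-params --sec-param high --outfile proxy-dh.pem || exit 1` would surface the failure where it happens. The commit description notes that generating parameters is slow, so a second line after `# Generate proxy Diffie-Hellman parameters.` saying that this step can take a while would spare operators wondering whether the script has hung.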
/* Size of ringbuffer. */
#define RINGBUFFER_SIZE 10
/* Size of ringbuffer. */
#define RINGBUFFER_SIZE 10
-/* Bit size of Diffie-Hellman key exchange parameters. */
-#define DH_SIZE 1024
-
/* For gnutls_*() functions. */
#define GNUTLS_ERROR_EXIT(error, message) \
/* For gnutls_*() functions. */
#define GNUTLS_ERROR_EXIT(error, message) \
static void initialize_gnutls(void) {
int result;
static void initialize_gnutls(void) {
int result;
+ char *dh_parameters;
+ gnutls_datum_t dh_parameters_datum;
+
/* Recent versions of GnuTLS automatically initialize the cryptography layer
* in gnutls_global_init(). */
#if GNUTLS_VERSION_NUMBER <= 0x020b00
/* Recent versions of GnuTLS automatically initialize the cryptography layer
* in gnutls_global_init(). */
#if GNUTLS_VERSION_NUMBER <= 0x020b00
result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL);
GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()");
result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL);
GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()");
- /* Generate Diffie-Hellman parameters. */
+ /* Read Diffie-Hellman parameters. */
+ dh_parameters = slurp_text_file(PROXY_DH_PATH);
+ if (dh_parameters == NULL) {
+ fprintf(stderr, PROXY_DH_PATH " missing, "
+ "use `tlsproxy-setup` to create it\n");
+ exit(EXIT_FAILURE);
+ }
+ dh_parameters_datum.data = (unsigned char *)dh_parameters;
+ dh_parameters_datum.size = strlen(dh_parameters);
+
result = gnutls_dh_params_init(&global_tls_dh_params);
GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()");
result = gnutls_dh_params_init(&global_tls_dh_params);
GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()");
- result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE);
- GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()");
+ result = gnutls_dh_params_import_pkcs3(global_tls_dh_params,
+ &dh_parameters_datum,
+ GNUTLS_X509_FMT_PEM);
+ GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_import_pkcs3()");
+
+ free(dh_parameters);
}
static void deinitialize_gnutls(void) {
gnutls_dh_params_deinit(global_tls_dh_params);
}
static void deinitialize_gnutls(void) {
gnutls_dh_params_deinit(global_tls_dh_params);
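Review bot: In initialize_gnutls every NULL from slurp_text_file is reported as `proxy-dh.pem missing, use tlsproxy-setup to create it`, but the helper presumably also returns NULL on a read or permission error (its body is not in the hunk), so an operator with an unreadable file is told to re-run a setup script that, per the NEWS entry, overwrites the other proxy-*.pem files. If slurp_text_file leaves errno set, `fprintf(stderr, PROXY_DH_PATH ": %s, use tlsproxy-setup to create it\n", strerror(errno));` would let the two cases be told apart. The assignment `dh_parameters_datum.size = strlen(dh_parameters);` narrows size_t to the unsigned int of gnutls_datum_t; an explicit `(unsigned int)` cast documents the narrowing and keeps -Wconversion quiet. Since the group is now read from a file instead of generated, nothing checks its strength; gnutls_dh_params_export_raw() reports the bit count and could be used to refuse a group smaller than the old 1024-bit minimum (or a higher floor) before the parameters are used for any handshake.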
/* Length for path arrays. */
#define TLSPROXY_MAX_PATH_LENGTH 1024
/* Length for path arrays. */
#define TLSPROXY_MAX_PATH_LENGTH 1024
-/* Paths to necessary TLS files: the CA and the server key. */
+/* Paths to necessary TLS files: the CA, the server key and DH parameters. */
#define PROXY_CA_PATH "proxy-ca.pem"
#define PROXY_KEY_PATH "proxy-key.pem"
#define PROXY_CA_PATH "proxy-ca.pem"
#define PROXY_KEY_PATH "proxy-key.pem"
+#define PROXY_DH_PATH "proxy-dh.pem"
/* Path to special "invalid" certificate send to the client when an error
* occurs. */
#define PROXY_INVALID_CERT_PATH "proxy-invalid.pem"
/* Path to special "invalid" certificate send to the client when an error
* occurs. */
#define PROXY_INVALID_CERT_PATH "proxy-invalid.pem"
CLEANFILES = \
proxy-ca-key.pem \
proxy-ca.pem \
CLEANFILES = \
proxy-ca-key.pem \
proxy-ca.pem \
proxy-invalid.pem \
proxy-key.pem \
tmp
proxy-invalid.pem \
proxy-key.pem \
tmp
# present.
if test -f proxy-ca-key.pem &&
test -f proxy-ca.pem &&
# present.
if test -f proxy-ca-key.pem &&
test -f proxy-ca.pem &&
+ test -f proxy-dh.pem &&
test -f proxy-invalid.pem &&
test -f proxy-key.pem
then
test -f proxy-invalid.pem &&
test -f proxy-key.pem
then
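Review bot: The runner now fails when proxy-dh.pem is absent, matching what the proxy itself requires, but the tests/Makefile.am CLEANFILES hunk above shows only context lines and no `proxy-dh.pem \` entry; if that entry was not added in a part of the commit not shown here, the generated file survives `make clean` and a later run reuses it silently. Adding `proxy-dh.pem \` next to the other proxy-*.pem entries keeps the two lists in step. The enclosing if-block of the run script continues past the hunk.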