
Comments (9)

april commented on May 22, 2024

Aye aye cap'n!

from badssl.com.

april commented on May 22, 2024

@hotaru2k3 -- can you give me the steps that you used to generate dh-composite.pem and dh-small-subgroup.pem, so I can add them to the certificate and key generation script?

Thanks!

lilyanatia commented on May 22, 2024

for dh-small-subgroup, i used a perl script (https://gist.github.com/hotaru2k3/5f01f5b987a718d45bb1; note that this is a horrible way to generate "real" parameters, but it's really fast if you don't need parameters that are actually secure), like so:
perl gendh.pl 2048 31

for dh-composite, i intended to just use 7^729 with 5 as the generator (#40), but apparently i accidentally replaced the file with dh-small-subgroup.pem... that should probably be fixed.
if you want to be really clever, openssl dhparam -check sometimes thinks this is a prime:

-----BEGIN DH PARAMETERS-----
MIGrAoGlIEshInKAeSezV2ca791LS3oPEnSWJc1xtUnWuLmJXpf8+frcrybGGNqD
yex/azkCBmG6Qi5sggrBTTuDKdbHHRahlTr9YKCqTGMBn5wpwI0FsMT80EH+vqpb
DoR15ulsxJR4726a6He0076BB708ZLNevH8r1xnGQXIHquwhUYEnGbW1uuZFYrzS
7UQXeirDFKRPNE30oS4NT7j/mcQJm/x3kksrAgEF
-----END DH PARAMETERS-----

i've been thinking about trying to generate a 2048-bit composite that fools openssl's prime check even more often, but the process looks really tedious.

from badssl.com.
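
An added example, not part of the thread and not badssl.com's or the commenters' code: a client-side sanity check for the two kinds of bad parameters discussed above (composite modulus, modulus that is not a safe prime). The names `parse_dh_pem`, `audit_dh` and `SAMPLE_PEM` are assumptions made for this sketch, and the primality test is 64 rounds of random-base Miller-Rabin, not whatever `openssl dhparam -check` runs.

```python
import base64
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
# Constructed sample (not from the thread): p = 1019, g = 2
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAcCAgP7AgEC\n-----END DH PARAMETERS-----\n"

def _read(buf, pos, tag):  # -> (start, end) of the DER element's content
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n >= 0x80:  # long form: low 7 bits count the length bytes that follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return pos, pos + n

def parse_dh_pem(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)  # PKCS#3: SEQUENCE { INTEGER p, INTEGER g }
    p_start, p_end = _read(der, _read(der, 0, 0x30)[0], 0x02)
    g_start, g_end = _read(der, p_end, 0x02)
    return int.from_bytes(der[p_start:p_end], "big"), int.from_bytes(der[g_start:g_end], "big")

def is_probable_prime(n, rounds=64):
    if n < 2 or any(n % q == 0 for q in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):  # Miller-Rabin with a fresh random base each round
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base is a witness: n is composite
    return True

def audit_dh(p, g):
    findings = []
    if not is_probable_prime(p):
        findings.append("modulus is composite")
    elif not is_probable_prime((p - 1) // 2):  # safe prime needs (p-1)/2 prime
        findings.append("modulus is not a safe prime")
    if not 1 < g < p - 1:  # rejects 0, 1 and p-1 (order 1 or 2)
        findings.append("generator out of range")
    return findings
```

The PEM posted in the comment above can be passed to `parse_dh_pem` unchanged; the parser handles its long-form DER lengths.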

april commented on May 22, 2024

FYI, the "normal" dhparam ones are all in my push request. :)

lgarron commented on May 22, 2024

dh-composite.pem and dh-small-subgroup.pem are now reused unconditionally every time you generate cert stuff: https://github.com/google/badssl.com/tree/master/certs/src/dhparam

It would be nice to be able to regenerate these using e.g. @hotaru2k3's script.
(If this is slow, we can do what we currently do with dh2048.pem and place it in the certs/sets/test/pregen folder to avoid regenerating it, by default.)

april commented on May 22, 2024

I might be okay with having static DH files. They can take a long time to generate, especially on VMs.

lgarron commented on May 22, 2024

> They can take a long time to generate, especially on VMs.

Yeah, that part is solved by the pregen folder. But I'd still like a way to force regenerating them from scratch.

april commented on May 22, 2024

I believe the old certificate generator used to have that, must have been something that got excluded on the way in.

Can probably just have a make dhparams-regen that deletes the files that are currently in the pregen folder, and then creates them back in there from scratch. If you set the proper .gitignore on that folder, git should ignore any changes to those files.

lgarron commented on May 22, 2024

> Can probably just have a make dhparams-regen that deletes the files that are currently in the pregen folder, and then creates them back in there from scratch. If you set the proper .gitignore on that folder, git should ignore any changes to those files.

I don't think we should ever delete anything from the pregen folders, but we can certainly add instructions for doing so.

If you're talking about adding all 6 current dhparams into certs/sets/test/pregen, that sounds fine by me. But note that cert generation actually happens outside the VM now, so that should only save a few seconds for each new/cleaned repo.
