Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

start part-way through the ssl cert lifetime

also, snap the start time and end time to a day boundary, since most
certs in the wild seem to do this.
Roger Dingledine 12 years ago
parent
edd6f02273
commit
0196647970
2 changed files with 23 additions and 7 deletions
Split View Show Diff Stats
  1. 11 5
      src/common/tortls.c
  2. 12 2
      src/or/router.c

+ 11 - 5
src/common/tortls.c
View File 

@@ -234,7 +234,7 @@ static X509* tor_tls_create_certificate(crypto_pk_t *rsa,
 
                                         crypto_pk_t *rsa_sign,
 
                                         const char *cname,
 
                                         const char *cname_sign,
 
-                                        unsigned int lifetime);
 
+                                        unsigned int cert_lifetime);
 
 
 static int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
 
                                     crypto_pk_t *identity,
 
@@ -608,9 +608,10 @@ tor_x509_name_new(const char *cname)
 
 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
 
  * signed by the private key <b>rsa_sign</b>.  The commonName of the
 
  * certificate will be <b>cname</b>; the commonName of the issuer will be
 
- * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
 
- * starting from now.  Return a certificate on success, NULL on
 
- * failure.
 
+ * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
 
+ * seconds, starting from some time in the past.
 
+ *
 
+ * Return a certificate on success, NULL on failure.
 
  */
 
 static X509 *
 
 tor_tls_create_certificate(crypto_pk_t *rsa,
 
@@ -632,7 +633,12 @@ tor_tls_create_certificate(crypto_pk_t *rsa,
 
 
   tor_tls_init();
 
 
-  start_time = time(NULL);
 
+  /* Make sure we're part-way through the certificate lifetime, rather
 
+   * than having it start right now. Don't choose quite uniformly, since
 
+   * then we might pick a time where we're about to expire. Lastly, be
 
+   * sure to start on a day boundary. */
 
+  start_time = time(NULL) - crypto_rand_int(cert_lifetime) + 2*24*3600;
 
+  start_time -= start_time % (24*3600);
 
 
   tor_assert(rsa);
 
   tor_assert(cname);

+ 12 - 2
src/or/router.c
View File 

@@ -660,8 +660,18 @@ router_initialize_tls_context(void)
 
       flags |= TOR_TLS_CTX_USE_ECDHE_P224;
 
   }
 
   if (!lifetime) { /* we should guess a good ssl cert lifetime */
 
-    /* choose between 1 and 365 days */
 
-    lifetime = 1*24*3600 + crypto_rand_int(364*24*3600);
 
+
 
+    /* choose between 5 and 365 days, and round to the day */
 
+    lifetime = 5*24*3600 + crypto_rand_int(361*24*3600);
 
+    lifetime -= lifetime % (24*3600);
 
+
 
+    if (crypto_rand_int(2)) {
 
+      /* Half the time we expire at midnight, and half the time we expire
 
+       * one second before midnight. (Some CAs wobble their expiry times a
 
+       * bit in practice, perhaps to reduce collision attacks; see ticket
 
+       * 8443 for details about observed certs in the wild.) */
 
+      lifetime--;
 
+    }
 
   }
 
 
   /* It's ok to pass lifetime in as an unsigned int, since