Comments (6)

blahah avatar blahah commented on June 1, 2024 2

Waiting on this: jfromaniello/selfsigned#35

from bankai.

blahah avatar blahah commented on June 1, 2024 1

It's definitely sub-optimal to be failing because the key is too weak. Any secured linux distro will enforce the SSL DEFAULT@SECLEVEL=2, and compromising the security of the whole system for the sake of one module seems problematic.

This appears to be a NodeJS core TLS module issue?

blahah avatar blahah commented on June 1, 2024 1

Actually I just noticed selfsigned hardcodes one side of the cert to be 1024. I am making a PR to that project to respect keySize for both keys, which we should wait for before considering this fixed.

goto-bus-stop avatar goto-bus-stop commented on June 1, 2024

I think bankai's createKeys function can probably be updated to fix this somehow? I don't really know what it would look like, but if anyone's interested in trying to contribute a fix, this is probably the place to investigate!

bankai/lib/http-server.js

Lines 110 to 179 in 858a25b

function createKeys (cb) {
  mkdirp(CONFIG_DIR, function (err) {
    if (err) return cb(err)
    fs.readdir(CONFIG_DIR, function (err, files) {
      if (err) return cb(err)
      var keys = {}
      // check if both files exist
      if (files.indexOf(KEY_NAME) !== -1 && files.indexOf(CERT_NAME) !== -1) {
        return async.parallel([
          function (done) {
            fs.readFile(CERT_LOCATION, function (err, buf) {
              if (err) return done(err)
              keys.cert = buf
              done()
            })
          },
          function (done) {
            fs.readFile(KEY_LOCATION, function (err, buf) {
              if (err) return done(err)
              keys.key = buf
              done()
            })
          }
        ], function (err) {
          if (err) return cb(err)
          cb(null, keys)
        })
      }
      var opts = {
        days: 2048,
        algorithm: 'sha256',
        extensions: [
          {
            name: 'subjectAltName',
            altNames: [
              {
                type: 2, // DNSName
                value: 'localhost'
              }
            ]
          }
        ]
      }
      selfsigned.generate([{ name: 'commonName', value: 'localhost' }], opts, function (err, keys) {
        if (err) return cb(err)
        keys = {
          key: keys.private,
          cert: keys.cert
        }
        async.parallel([
          function (done) {
            fs.writeFile(KEY_LOCATION, keys.key, done)
          },
          function (done) {
            fs.writeFile(CERT_LOCATION, keys.cert, done)
          }
        ], function (err) {
          if (err) return cb(err)
          cb(null, keys)
        })
      })
    })
  })
}

blahah avatar blahah commented on June 1, 2024

Looks like a fix was pre-emptively attempted in the past, but a typo led to it not working (keySize rather than days should have been set to 2048).

It's better to have keys expire frequently BTW, especially in this sort of situation where they are easily regenerated by trusted applications. I'd recommend using a 90 day expiry, the same as Let's Encrypt. This protects to some extent against key exfiltration by malware, bots etc. by limiting the amount of time an exfiltrated key can be used maliciously.

PR incoming...

blahah avatar blahah commented on June 1, 2024

Turns out the default expiration for selfsigned, which is doing the cert generation, is 30 days, which is more secure. So in my PR I've just switched days for keySize, meaning days will default to 30 which I suspect was the intention of the original edit.
