crypt/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-01-26 07:41:33 +03:00
Code Activity
215 Commits 847 Branches 151 Tags
90f4b4daebccf1ea5cfefc745fd5cd63c61658bf
Commit Graph

89 Commits

Author SHA1 Message Date
Seth Schoen
90f4b4daeb move configuratoin parameters into config file; add extra sanity checks 2012-07-19 23:19:39 -07:00
Seth Schoen
6f5d15cddf whoops, the past is the past, not the future 2012-07-18 22:28:41 -07:00
Seth Schoen
c117582ece drop privileges and use external hashcash binary again 2012-07-18 22:25:23 -07:00
Seth Schoen
1e17b222ab document priority inversion bug 2012-07-18 19:38:00 -07:00
Seth Schoen
707dedbd9b add verification probe via Tor 2012-07-18 18:43:23 -07:00
Seth Schoen
bb0c4bf316 notes on future blacklist import speedups 2012-07-18 17:08:35 -07:00
Seth Schoen
df97026c72 Python hashcash minting is slow, so only generate 20 bits for now 2012-07-18 15:07:17 -07:00
Eric Wustrow
4b5ba56a2d check expiry in hashcash 2012-07-17 22:51:53 -04:00
Eric Wustrow
cf45b233f7 sorry, this one adds the previous commit about hashcash being dangerous...previous adds a symlink so clients can use it...grrr git is a mess within a mess 2012-07-17 21:11:38 -04:00
Seth Schoen
e857154682 updated modulus blacklisting stuff 2012-07-17 00:33:45 -07:00
Seth Schoen
1b88b67544 use C language hashcash program to generate cash from client 2012-07-16 19:25:27 -07:00
Seth Schoen
ac0defac00 remove client-side dependency on CSR.py 2012-07-16 15:11:10 -07:00
Seth Schoen
e70424dd4a database-backed blacklisting of moduli and names 2012-07-16 15:02:07 -07:00
Seth Schoen
acd5a77fc3 make the process faster by reducing delay times 2012-07-15 16:37:39 -07:00
Seth Schoen
f07275a99d another comment on locking 2012-07-15 16:33:23 -07:00
Seth Schoen
ad71e39d31 simplify by removing hashes of random numbers 
There may be circumstances where hashing random numbers might be
useful, but in order to justify it we would need to know something
about the generator that provides them.  However, checking with
strace shows that the CSPRNG in Crypto.Random may not reseed its
entropy enough, so we might ultimately want to use a different one.
It only reseeds 8 bytes per call even if you read megabytes of
random numbers from it!
 2012-07-15 16:16:28 -07:00
Seth Schoen
f2a3f830e6 right now challenges get issued pretty fast; polldelay = 10 seems high 2012-07-14 23:30:01 -07:00
Seth Schoen
1019a47b31 oops, confused module name and class name 2012-07-14 23:02:55 -07:00
Seth Schoen
88c5b270ef implement locking for issuing certs with openssl ca 2012-07-14 23:01:39 -07:00
Seth Schoen
97caf0f61a implementation of Redis-mediated lock in Python 2012-07-14 22:54:19 -07:00
Seth Schoen
f2d755d3d5 check recipient string before hashcash to produce more useful error message 
This is more work for the server but if we don't do it in this
order we always get a hashcash error instead of a recipient error
if the client is confused about what server it meant to query.
Giving the wrong error in this sense is OK from a protocol point
of view but quite frustrating for a human being on the client end
trying to figure out why the server is rejecting its apparently
perfectly valid hashcash...
 2012-07-14 17:35:22 -07:00
Seth Schoen
1fd5ae1c9d er, the parameter is only known as h inside the called function 2012-07-14 17:18:22 -07:00
Seth Schoen
088c97bbf5 use database to prevent double-spending of hashcash 2012-07-14 17:16:51 -07:00
Seth Schoen
c1927aed26 switch to hashlib 2012-07-14 15:02:26 -07:00
Seth Schoen
f9eb363311 we're using git pull rather than scp/rsync to deploy now 2012-07-14 14:56:30 -07:00
Seth Schoen
be58b8759a notes on locking and concurrency 2012-07-14 14:56:19 -07:00
Seth Schoen
064148df29 use hashcash in protocol 2012-07-14 14:34:24 -07:00
Seth Schoen
d18c7f6eee some .gitignore files to suppress display of generated files in git 2012-07-14 13:49:58 -07:00
Seth Schoen
f82c259b1a actually check request recipient 2012-07-14 13:35:52 -07:00
Seth Schoen
3b624c40a7 remove debug print 2012-07-13 22:58:00 -07:00
Seth Schoen
2f21a92e82 more appropriate verbosity 2012-07-13 22:55:38 -07:00
Seth Schoen
32c2ba8e71 correctly emit subject alternative names and remove most user-supplied data from cert 2012-07-13 22:50:58 -07:00
Seth Schoen
34e3663399 passing type unicode instead of str to M2Crypto causes failures (!) 2012-07-13 19:30:58 -07:00
Seth Schoen
5b43540452 crazy M2Crypto bug: you have to get_pubkey().get_rsa() not just get_pubkey() 2012-07-13 19:29:36 -07:00
Seth Schoen
0da690afb2 make sure we use our own modified M2Crypto everywhere 2012-07-13 19:28:52 -07:00
Seth Schoen
722aaab568 update description of dependencies and deployment 2012-07-13 16:03:21 -07:00
Seth Schoen
764b2783a7 explicitly require m3crypto inside ../m3/lib/python 2012-07-13 14:49:34 -07:00
Seth Schoen
e2b798fe26 implement session timeouts inside daemon 2012-07-12 18:19:14 -07:00
Eric Wustrow
956ea28b95 use M2Crypto in CSR verify/sign/encrypt 2012-07-12 20:30:46 -04:00
Eric Wustrow
0a85d8154f Merge branch 'master' of github.com:research/chocolate 2012-07-12 19:38:44 -04:00
Eric Wustrow
9ccd7d2e1e use M2Crypto (patched to support X509.Request.get_extensions) to read the SANs from the CSR; remove pkcs10.py 2012-07-12 19:38:37 -04:00
Seth Schoen
d58e2901fa script for clearing out Redis databae 2012-07-12 16:29:54 -07:00
Eric Wustrow
94b6e593fb A bit less annoying - you can init a BIO with a string 2012-07-12 19:16:48 -04:00
Eric Wustrow
1c129ea1d7 use M2Crypto for parse function 2012-07-12 19:10:54 -04:00
Eric Wustrow
1bb0fc7286 Merge branch 'master' of github.com:research/chocolate 2012-07-12 18:07:22 -04:00
Eric Wustrow
19df04c516 use M2Crypto instead of openssl command line/subprocess for CSR parsing 2012-07-12 18:07:13 -04:00
Seth Schoen
6d64bab45e wow, but M2Crypto is annoying! - make a BIO for the public key 
It turns out that M2Crypto.RSA.load_key_string() requires a keypair,
not a public key.  There is no M2Crypto.RSA.load_pub_key_string(),
only M2Crypto.RSA.load_pub_key_bio(), which requires an OpenSSL BIO
object.
 2012-07-12 14:48:32 -07:00
Seth Schoen
d441355715 make daemon exit cleanly after interrupt signals 2012-07-12 14:30:56 -07:00
Seth Schoen
49d70c0966 it's fine to use M2Crypto, but you must import it :-) 2012-07-12 12:39:54 -07:00
Seth Schoen
f907899358 slight tolerance for requests timestamped in the future 2012-07-12 12:38:13 -07:00