Commit 01966479 authored by Roger Dingledine's avatar Roger Dingledine
Browse files

start part-way through the ssl cert lifetime

also, snap the start time and end time to a day boundary, since most
certs in the wild seem to do this.
parent edd6f022
Loading
Loading
Loading
Loading
+11 −5
Original line number Diff line number Diff line
@@ -234,7 +234,7 @@ static X509* tor_tls_create_certificate(crypto_pk_t *rsa,
                                        crypto_pk_t *rsa_sign,
                                        const char *cname,
                                        const char *cname_sign,
                                        unsigned int lifetime);
                                        unsigned int cert_lifetime);

static int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
                                    crypto_pk_t *identity,
@@ -608,9 +608,10 @@ tor_x509_name_new(const char *cname)
/** Generate and sign an X509 certificate with the public key <b>rsa</b>,
 * signed by the private key <b>rsa_sign</b>.  The commonName of the
 * certificate will be <b>cname</b>; the commonName of the issuer will be
 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
 * starting from now.  Return a certificate on success, NULL on
 * failure.
 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
 * seconds, starting from some time in the past.
 *
 * Return a certificate on success, NULL on failure.
 */
static X509 *
tor_tls_create_certificate(crypto_pk_t *rsa,
@@ -632,7 +633,12 @@ tor_tls_create_certificate(crypto_pk_t *rsa,

  tor_tls_init();

  start_time = time(NULL);
  /* Make sure we're part-way through the certificate lifetime, rather
   * than having it start right now. Don't choose quite uniformly, since
   * then we might pick a time where we're about to expire. Lastly, be
   * sure to start on a day boundary. */
  start_time = time(NULL) - crypto_rand_int(cert_lifetime) + 2*24*3600;
  start_time -= start_time % (24*3600);

  tor_assert(rsa);
  tor_assert(cname);
+12 −2
Original line number Diff line number Diff line
@@ -660,8 +660,18 @@ router_initialize_tls_context(void)
      flags |= TOR_TLS_CTX_USE_ECDHE_P224;
  }
  if (!lifetime) { /* we should guess a good ssl cert lifetime */
    /* choose between 1 and 365 days */
    lifetime = 1*24*3600 + crypto_rand_int(364*24*3600);

    /* choose between 5 and 365 days, and round to the day */
    lifetime = 5*24*3600 + crypto_rand_int(361*24*3600);
    lifetime -= lifetime % (24*3600);

    if (crypto_rand_int(2)) {
      /* Half the time we expire at midnight, and half the time we expire
       * one second before midnight. (Some CAs wobble their expiry times a
       * bit in practice, perhaps to reduce collision attacks; see ticket
       * 8443 for details about observed certs in the wild.) */
      lifetime--;
    }
  }

  /* It's ok to pass lifetime in as an unsigned int, since