
Fix SSL self-signed certificate, update cipher suite

Open torusrxxx opened this issue 1 year ago • 2 comments

Old self-signed certificate generation doesn't always work with Oracle JVM, so I replaced it with one which uses bouncycastle. Also, the node does not try to create a self-signed certificate on start up, because the entropy collection has not yet started when initializing SSL. The self-signed certificate is created when the user turns on SSL. Finally, SSL cipher suites with weak CBC methods are removed, and SSL cipher suites with AES 256 are added. In the future, we should allow importing a valid SSL certificate and private key.

torusrxxx avatar Oct 04 '24 04:10 torusrxxx
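The cipher-suite change described above, sketched as an added example (this is not code from the pull request or from fred): it starts from the suites the JVM enables by default, drops every CBC-mode suite, and orders AES-256 suites first. The class name `CipherSuiteFilter`, the method `harden` and the sample suite list are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical helper, not part of fred.
public class CipherSuiteFilter {

    /** Drop CBC-mode suites, then move AES-256 suites ahead of the rest. */
    static List<String> harden(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String suite : enabled) {
            if (suite.contains("_CBC_")) {
                continue; // CBC-mode suite: removed
            }
            kept.add(suite);
        }
        // List.sort is stable, so the JVM's own preference order is kept
        // inside each group; 'false' (has AES_256) sorts before 'true'.
        kept.sort(Comparator.comparing((String s) -> !s.contains("AES_256")));
        return kept;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample input using standard JSSE suite names.
        String[] sample = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
        };
        // Prints the two GCM suites, AES-256 first.
        System.out.println(harden(sample));

        // Same filter on the running JVM. The default (enabled) list is the
        // starting point, not the supported list, so suites the JVM keeps
        // disabled are never switched on by this step.
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        List<String> suites = harden(params.getCipherSuites());
        if (suites.isEmpty()) {
            throw new IllegalStateException("no non-CBC cipher suite enabled");
        }
        params.setCipherSuites(suites.toArray(new String[0]));
        params.setUseCipherSuitesOrder(true); // server-side: honour our order
        System.out.println(Arrays.toString(params.getCipherSuites()));
    }
}
```

The resulting `SSLParameters` can be applied to a server socket with `SSLServerSocket.setSSLParameters`.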

Old self-signed certificate generation doesn't always work with Oracle JVM

When does it not work? Can we have a unit test for that particular case?

bertm avatar Oct 05 '24 19:10 bertm

Old self-signed certificate generation doesn't always work with Oracle JVM

When does it not work? Can we have a unit test for that particular case?

It's because Oracle doesn't want to let it work in all J2SE run-times. See https://stackoverflow.com/questions/29060064/sun-security-x509-certandkeygen-and-sun-security-pkcs-pkcs10-missing-in-jdk8

torusrxxx avatar Oct 06 '24 08:10 torusrxxx

Looks good to me — merged! Thank you!

ArneBab avatar Nov 30 '24 18:11 ArneBab