lnd: switch to using ECC certs for the rpcserver
In this commit, we modify our initial cert generation to *only* generate and advertise cipher suites that purely use ECC. We do this as switching to ECC results in much faster startup time for a fresh installation, and is also more modern crypto. # Please enter the commit message for your changes. Lines starting
parent
83b779dcdf
commit
f7eeea71e2
30
lnd.go
30
lnd.go
@ -6,8 +6,9 @@ package main
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/elliptic"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/rsa"
|
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
@ -72,23 +73,13 @@ var (
|
|||||||
* - Are available in the Go 1.7.6 standard library (more are
|
* - Are available in the Go 1.7.6 standard library (more are
|
||||||
* available in 1.8.3 and will be added after lnd no longer
|
* available in 1.8.3 and will be added after lnd no longer
|
||||||
* supports 1.7, including suites that support CBC mode)
|
* supports 1.7, including suites that support CBC mode)
|
||||||
*
|
|
||||||
* The cipher suites are ordered from strongest to weakest
|
|
||||||
* primitives, but the client's preference order has more
|
|
||||||
* effect during negotiation.
|
|
||||||
**/
|
**/
|
||||||
tlsCipherSuites = []uint16{
|
tlsCipherSuites = []uint16{
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
|
||||||
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||||
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -650,7 +641,7 @@ func genCertPair(certFile, keyFile string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Generate a private key for the certificate.
|
// Generate a private key for the certificate.
|
||||||
priv, err := rsa.GenerateKey(rand.Reader, 4096)
|
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -672,10 +663,6 @@ func genCertPair(certFile, keyFile string) error {
|
|||||||
|
|
||||||
DNSNames: dnsNames,
|
DNSNames: dnsNames,
|
||||||
IPAddresses: ipAddresses,
|
IPAddresses: ipAddresses,
|
||||||
|
|
||||||
// This signature algorithm is most likely to be compatible
|
|
||||||
// with clients using less-common TLS libraries like BoringSSL.
|
|
||||||
SignatureAlgorithm: x509.SHA256WithRSA,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
derBytes, err := x509.CreateCertificate(rand.Reader, &template,
|
derBytes, err := x509.CreateCertificate(rand.Reader, &template,
|
||||||
@ -691,9 +678,12 @@ func genCertPair(certFile, keyFile string) error {
|
|||||||
return fmt.Errorf("failed to encode certificate: %v", err)
|
return fmt.Errorf("failed to encode certificate: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
keybytes := x509.MarshalPKCS1PrivateKey(priv)
|
keybytes, err := x509.MarshalECPrivateKey(priv)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("unable to encode privkey: %v", err)
|
||||||
|
}
|
||||||
keyBuf := &bytes.Buffer{}
|
keyBuf := &bytes.Buffer{}
|
||||||
err = pem.Encode(keyBuf, &pem.Block{Type: "RSA PRIVATE KEY",
|
err = pem.Encode(keyBuf, &pem.Block{Type: "EC PRIVATE KEY",
|
||||||
Bytes: keybytes})
|
Bytes: keybytes})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to encode private key: %v", err)
|
return fmt.Errorf("failed to encode private key: %v", err)
|
||||||
|
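Review bot: The trimmed `tlsCipherSuites` list in the `-72,23 +73,13` hunk still appears to advertise two CBC suites, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` (now first in the list) and the newly added `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`; the split view has lost its +/- markers, so this reading is inferred from the column order and the hunk's line counts. Go's CBC-with-SHA256 suites carry no Lucky13 countermeasures, and current crypto/tls reports that one under `InsecureCipherSuites()`, so for a freshly generated ECDSA certificate I would keep only the AEAD entries: `tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`, `tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,`, `tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`. Separately, dropping every RSA suite means a node that already has an RSA certificate on disk would share no suite with its own certificate and handshakes would fail. Whether the caller detects and regenerates such a certificate is not visible here, since `genCertPair` starts and ends outside the hunks shown, so an explicit key-type check or a documented migration step would be worth adding.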