From e0e0e0f7cc64d24a9c2e21754172df64490c3d10 Mon Sep 17 00:00:00 2001 From: Daniel Barlow Date: Fri, 4 Oct 2024 23:27:41 +0100 Subject: [PATCH] expand the insecurities section --- README.md | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 32351f8..be20efc 100644 --- a/README.md +++ b/README.md 
@@ -96,25 +96,27 @@ curl --cacert certs/ca.crt -v -H 'content-type: application/x-pem-file' --data ## Reasons this is not secure * the CA key is readable by and present in the memory of the process -that reads and parses network requests. Bearing in mind the the whole -point is to automate signing we can only do so much about this, but at -least we could move the actual signing to a separate process which is -only invoked once an acceptable request has been received. + that reads and parses network requests. Bearing in mind the the + whole point is to automate signing we can only do so much about + this, but at least we could move the actual signing to a separate + process which is only invoked once an acceptable request has been + received. -* there is no intermediate key - the requests are signed directly by the root CA +* on that note, in the setup that this README describes there is no + intermediate key - the requests are signed directly by the root + CA. For a robust setup you might consider ignoring my instructions + for generating a self-signed root cert, and instead create a CA + signed by an existing (offline?) root CA * I haven't checked that the protocols or the ciphers are restricted to modern and sensible defaults -* doesn't set 4.2.1.6. Subject Alternative Name +* doesn't call SSL shutdown at the end of the response, so you may get + "unexpected EOF" errors -* doesn't set Key Usage extension (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3) - -* probably has wrong basicConstraints in CA cert - -* doesn't call SSL shutdown at the end of the response - -* likewise other TLS best practices +* it has _not_ been reviewed by anyone who knows about TLS best + practices. If you are that person, please look at the new-crt + function in [main.fnl](main.fnl) and let me know :-) ## Background 
@@ -122,4 +124,3 @@ only invoked once an acceptable request has been received. * [RFC 5967 - spec for a CSR](https://datatracker.ietf.org/doc/html/rfc5967) * [A gentle introduction to ASN1. and DER](https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/) - openssl req -newkey rsa:2048 -addext "subjectAltName = DNS:loaclhost.lan,DNS:localhost,DNS:loaclhost.telent.net" -nodes -keyout private/server.key --out certs/server.csr
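Review bot: In the "Reasons this is not secure" hunk (@@ -96,25 +96,27), the three bullets on Subject Alternative Name, the Key Usage extension and basicConstraints in the CA cert are deleted with no replacement, although the subject line says the section is being expanded. If those were fixed in the code, say so in the commit message. If not, keep them, because they are concrete, checkable limitations and the new closing bullet ("has _not_ been reviewed by anyone who knows about TLS best practices") is much less specific. Two smaller points in the same hunk: the reflowed first bullet still carries the doubled word in "Bearing in mind the the whole point", and the new intermediate-key bullet ends at "(offline?) root CA" without a full stop, unlike the sentences before it.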
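Review bot: In the "Background" hunk (@@ -122,4 +124,3), deleting the stray `openssl req -newkey rsa:2048 ...` line is unrelated to the stated change and is not mentioned in the commit message, so it should be noted there or split into its own commit. It is also the only CSR-generation command visible in this patch. If the README does not show how to produce certs/server.csr elsewhere, move the command into the usage section as a fenced block instead of dropping it, correcting the "loaclhost" spellings in the subjectAltName value and making `--out` consistent with the single-dash options around it. While this list is being touched, the context line "A gentle introduction to ASN1. and DER" has its full stop misplaced.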