fix(certs): increase strength

tests/certs/clientA.bat

@@ -1,8 +1,8 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
 
-openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
+openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
 
 copy clientAcert.pem + rootA.pem clientA.pem
 

tests/certs/clientA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientAkey.pem -out clientAreq.pem \
   -nodes -config ./clientA.cnf -days 365 -batch
 
-openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
+openssl x509 -req -in clientAreq.pem -sha256 -extfile ./clientA.cnf \
   -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
   -out clientAcert.pem -days 365
 

tests/certs/clientB.bat

@@ -1,8 +1,8 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
 
-openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
+openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
 
 copy clientBcert.pem + rootB.pem clientB.pem
 

tests/certs/clientB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
+openssl req -newkey rsa:2048 -sha256 -keyout clientBkey.pem -out clientBreq.pem \
   -nodes -config ./clientB.cnf -days 365 -batch
 
-openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
+openssl x509 -req -in clientBreq.pem -sha256 -extfile ./clientB.cnf \
   -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
   -out clientBcert.pem -days 365
 

tests/certs/rootA.bat

@@ -1,7 +1,7 @@
 REM #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 
-openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootA.pem

tests/certs/rootA.sh

@@ -1,7 +1,6 @@
 #!/bin/sh
+openssl req -newkey rsa:2048 -sha256 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
-
-openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+openssl x509 -req -in rootAreq.pem -sha256 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootA.pem

tests/certs/rootB.bat

@@ -1,7 +1,7 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 
-openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootB.pem

tests/certs/rootB.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+openssl req -newkey rsa:2048 -sha256 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
 
-openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+openssl x509 -req -in rootBreq.pem -sha256 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
 
 openssl x509 -subject -issuer -noout -in rootB.pem

tests/certs/serverA.bat

@@ -1,8 +1,8 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
+openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
+openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
 
 copy serverAcert.pem + rootA.pem serverA.pem
 

tests/certs/serverA.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
+openssl req -newkey rsa:2048 -keyout serverAkey.pem -out serverAreq.pem \
    -config ./serverA.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
+openssl x509 -req -in serverAreq.pem -sha256 -extfile ./serverA.cnf \
    -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
    -out serverAcert.pem -days 365
 

tests/certs/serverB.bat

@@ -1,8 +1,8 @@
 rem #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
+openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
+openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
 
 copy serverBcert.pem + rootB.pem serverB.pem
 

tests/certs/serverB.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
+openssl req -newkey rsa:2048 -keyout serverBkey.pem -out serverBreq.pem \
    -config ./serverB.cnf -nodes -days 365 -batch
 
-openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
+openssl x509 -req -in serverBreq.pem -sha256 -extfile ./serverB.cnf \
    -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
    -out serverBcert.pem -days 365
 

tests/largetransfer.lua

@@ -97,22 +97,22 @@ runtest()   -- run test using regular connection (s/cparams == nil)
 -- set ssl parameters and do it again
 sparams = {
    mode = "server",
-   protocol = "tlsv1",
+   protocol = "any",
    key = "tests/certs/serverAkey.pem",
    certificate = "tests/certs/serverA.pem",
    cafile = "tests/certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
-}
+   options = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
+  }
 cparams = {
    mode = "client",
-   protocol = "tlsv1",
+   protocol = "any",
    key = "tests/certs/clientAkey.pem",
    certificate = "tests/certs/clientA.pem",
    cafile = "tests/certs/rootA.pem",
    verify = {"peer", "fail_if_no_peer_cert"},
-   options = {"all", "no_sslv2"},
-}
+   options = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
+  }
 done = 0
 start = socket.gettime()
 runtest()

tests/tls-sni.lua

@@ -16,12 +16,12 @@ end
 local server_params = {
   wrap = {
     mode = "server",
-    protocol = "tlsv1",
+    protocol = "any",
     key = "tests/certs/serverAkey.pem",
     certificate = "tests/certs/serverA.pem",
     cafile = "tests/certs/rootA.pem",
     verify = {"peer", "fail_if_no_peer_cert"},
-    options = {"all", "no_sslv2"},
+    options = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
   },
   sni = {
     strict = true, -- only allow connection 'myhost.com'
@@ -33,12 +33,12 @@ server_params.sni.names["myhost.com"] = ssl.newcontext(server_params.wrap)
 local client_params = {
   wrap = {
     mode = "client",
-    protocol = "tlsv1",
+    protocol = "any",
     key = "tests/certs/clientAkey.pem",
     certificate = "tests/certs/clientA.pem",
     cafile = "tests/certs/rootA.pem",
     verify = {"peer", "fail_if_no_peer_cert"},
-    options = {"all", "no_sslv2"},
+    options = {"all", "no_sslv2", "no_sslv3", "no_tlsv1"},
   },
   sni = {
     names = "" -- will be added in test below
@@ -63,7 +63,7 @@ local function echoHandler(skt)
       return -- close this client connection, after stopping the server
 
     end
-    skt:send(data)
+    skt:send(data.."\n")
   end
 end
 
@@ -92,12 +92,16 @@ copas.addthread(function()
   local skt = copas.wrap(socket.tcp(), client_params)
   local success, ok = pcall(skt.connect, skt, "localhost", port)
   if not (success and ok) then
-    print "expected connection to be completed"
+    print("expected connection to be completed", success, ok)
     os.exit(1)
   end
 
+  assert(skt:send("hello world\n"))
+  assert(skt:receive() == "hello world")
   print "succesfully completed test"
-  os.exit(0)
+
+  -- send exit signal to server
+  skt:send("exit\n")
 end)
 
 -- no ugly errors please, comment out when debugging