Generate ECDSA keys instead of RSA

This replaces the current 3072 bit RSA certificates with 384 bit ECDSA
certificates. The advantage is these certificates are smaller and
essentially instantaneous to generate. According to RFC4492 (ECC Cipher
Suites for TLS), Table 1: Comparable Key Sizes, ECC has comparable
strength to 3072 bit RSA at 283 bits - so we exceed that.

There is no compatibility issue with existing Syncthing code - this is
verified by the integration test ("h2" instance has the new
certificate).

There are browsers out there that don't understand ECC certificates yet,
although I think they're dying out. In the meantime, I've retained the
RSA code for the HTTPS certificate, but pulled it down to 2048 bits. I
don't think a higher security level there is motivated, as this matches
current industry standard for HTTPS certificates.
This commit is contained in:
Jakob Borg
2015-11-27 09:09:39 +01:00
parent e5b33ce9f6
commit 6d11006b54
11 changed files with 122 additions and 139 deletions

@@ -1,23 +1,11 @@
-----BEGIN CERTIFICATE-----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MIIBmzCCASCgAwIBAgIIawvqtXNSqBQwCgYIKoZIzj0EAwMwFDESMBAGA1UEAxMJ
c3luY3RoaW5nMB4XDTE1MTEyNzA4MDA1N1oXDTQ5MTIzMTIzNTk1OVowFDESMBAG
A1UEAxMJc3luY3RoaW5nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE7iI2E5etAs53
6s+SUV3HKZeK55iHUY6X4PHePjyvNxOCZ6GvbErOXWqumU4+vzVREW1wvNtGXAtv
z/hsHIPJ7EdKIX0QPATms2NplCbaFlUxHBpUzhlNulhsoV5ajn7yoz8wPTAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwCgYIKoZIzj0EAwMDaQAwZgIxAPe+pj6NrQiK720v/9IMDPWIRxqt
hxgy03YGzbQskXRDJVvLU49HCHV+8JNL6WwgKgIxALA+RdYb0qDxhcdtt57Zu3A1
eQZEvsJg9FGJOjYDnxZYqEpNZSgTwgcRvGH1Srt37w==
-----END CERTIFICATE-----
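Review bot: The replacement PEM block in this hunk (the 11 lines that take the place of the previous 23) is opaque to review, so nothing visible here shows that it is the 384 bit ECDSA certificate the commit message describes, or that it is the "h2" instance certificate mentioned there. Suggest recording how the fixture was generated (curve, validity period) in the commit message or beside the file, and confirming that the matching private key is replaced in the same commit so the pair stays consistent.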