-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MITM: recreating private/public keys all the time #368
base: master
Are you sure you want to change the base?
Conversation
… code my own expiration, this one is "good enough"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm really thrilled to merge it, but can we not depend on external package go-cache?
That's the only blocker.
signer.go
Outdated
@@ -16,8 +16,10 @@ import ( | |||
"net" | |||
"sort" | |||
"time" | |||
"github.com/zond/gotomic" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we do that without introducing another depdendency?
@@ -77,6 +97,7 @@ func signHost(ca tls.Certificate, hosts []string) (cert *tls.Certificate, err er | |||
} | |||
|
|||
var certpriv crypto.Signer | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we put the whitespace changes in a different commit?
@stiray @elazarl @engineering-this : see hazcod@152f865 and hazcod@578522f for a possibly better implementation. |
Ok, I am not using github and I dont even intend to as I have my own git server and I am quite happy with shell so I wont be clicking anything here any more... Regarding the "race condition" which was probably merged due to clicking to "resolve whatever" which was a mistake if "the semaphore fix" came into code. The race condition was put there deliberately to avoid synchronizing multiple threads using synchronization object at a cost that here and then the certificate is generated without any reason which is performance wise better decision. But nvm me, this was a drive by code, it have my own git server/repo/fork (ignore the one that is on github, wont be updated any more) so please do whatever feels appropriate for you. |
... has huge impact on speed of processing, with this change the RSA and ECDSA keys are created within "init()" and used when needed. This is quick fix, please set it to some configuration variable if you consider that it is useful to generate them on each request. I dont think this would impact the security on client side.