Skip to content

Commit b34ddbd

Browse files
wchen-r7wchen-r7
committed
Land rapid7#4247 - Auto-generated SSL certs now match "snakeoil" defaults
2 parents 3ac1f7d + ba9c763 commit b34ddbd

File tree

1 file changed

+16
-29
lines changed

1 file changed

+16
-29
lines changed

lib/rex/socket/ssl_tcp_server.rb

Lines changed: 16 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -138,44 +138,31 @@ def ssl_parse_pem(ssl_cert)
138138

139139
#
140140
# Generate a realistic-looking but obstensibly fake SSL
141-
# certificate.
141+
# certificate. This matches a typical "snakeoil" cert.
142142
#
143143
# @return [String, String, Array]
144144
def self.ssl_generate_certificate
145-
key = OpenSSL::PKey::RSA.new(1024){ }
145+
yr = 24*3600*365
146+
vf = Time.at(Time.now.to_i - rand(yr * 3) - yr)
147+
vt = Time.at(vf.to_i + (10 * yr))
148+
cn = Rex::Text.rand_text_alpha_lower(rand(8)+2)
149+
key = OpenSSL::PKey::RSA.new(2048){ }
146150
cert = OpenSSL::X509::Certificate.new
147-
cert.version = 2
148-
cert.serial = rand(0xFFFFFFFF)
149-
subject = OpenSSL::X509::Name.new([
150-
["C","US"],
151-
['ST', Rex::Text.rand_state()],
152-
["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
153-
["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
154-
["CN", Rex::Text.rand_hostname],
155-
])
156-
issuer = OpenSSL::X509::Name.new([
157-
["C","US"],
158-
['ST', Rex::Text.rand_state()],
159-
["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
160-
["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
161-
["CN", Rex::Text.rand_hostname],
162-
])
163-
164-
cert.subject = subject
165-
cert.issuer = issuer
166-
cert.not_before = Time.now - (3600 * 365)
167-
cert.not_after = Time.now + (3600 * 365)
151+
cert.version = 2
152+
cert.serial = (rand(0xFFFFFFFF) << 32) + rand(0xFFFFFFFF)
153+
cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
154+
cert.issuer = OpenSSL::X509::Name.new([["CN", cn]])
155+
cert.not_before = vf
156+
cert.not_after = vt
168157
cert.public_key = key.public_key
158+
169159
ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
170160
cert.extensions = [
171-
ef.create_extension("basicConstraints","CA:FALSE"),
172-
ef.create_extension("subjectKeyIdentifier","hash"),
173-
ef.create_extension("extendedKeyUsage","serverAuth"),
174-
ef.create_extension("keyUsage","keyEncipherment,dataEncipherment,digitalSignature")
161+
ef.create_extension("basicConstraints","CA:FALSE")
175162
]
176163
ef.issuer_certificate = cert
177-
cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
178-
cert.sign(key, OpenSSL::Digest::SHA1.new)
164+
165+
cert.sign(key, OpenSSL::Digest::SHA256.new)
179166

180167
[key, cert, nil]
181168
end

0 commit comments

Comments
 (0)