diff --git a/.gitignore b/.gitignore
index 6d0541c..0272687 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@
 /key.pem
 /_netdb
 i2pseeds.su3
-*.pem
\ No newline at end of file
+*.pem
+onion.key
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 78c4d9c..0cd9171 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+2019-04-21
+ * app.Version = "0.1.7"
+ * enabling TLS 1.3 *only*
+
 2016-12-21
  * deactivating previous random time delta, makes only sense when patching ri too
  * app.Version = "0.1.6"
@@ -27,4 +31,4 @@
  * numRi per su3 file: 75 --> 77
 
 2016-01
- * fork from https://github.com/MDrollette/i2p-tools
\ No newline at end of file
+ * fork from https://github.com/MDrollette/i2p-tools
diff --git a/history.txt b/history.txt
new file mode 100644
index 0000000..0cd9171
--- /dev/null
+++ b/history.txt
@@ -0,0 +1,34 @@
+2019-04-21
+ * app.Version = "0.1.7"
+ * enabling TLS 1.3 *only*
+
+2016-12-21
+ * deactivating previous random time delta, makes only sense when patching ri too
+ * app.Version = "0.1.6"
+
+2016-10-09
+ * seed the math random generator with time.Now().UnixNano()
+ * added 6h+6h random time delta at su3-age to increase anonymity
+ * app.Version = "0.1.5"
+
+
+2016-05-15
+ * README.md updated
+ * allowed routerInfos age increased from 96 to 192 hours
+ * app.Version = "0.1.4"
+
+2016-03-05
+ * app.Version = "0.1.3"
+ * CRL creation added
+
+2016-01-31
+ * allowed TLS ciphers updated (hardened)
+ * TLS certificate generation: RSA 4096 --> ECDSAWithSHA512 384bit secp384r1
+ * ECDHE handshake: only CurveP384 + CurveP521, default CurveP256 removed
+ * TLS certificate valid: 2y --> 5y
+ * throttled.PerDay(4) --> PerHour(4), to enable limited testing
+ * su3 RebuildInterval: 24h --> 90h, higher anonymity for the running i2p-router
+ * numRi per su3 file: 75 --> 77
+
+2016-01
+ * fork from https://github.com/MDrollette/i2p-tools
diff --git a/main.go b/main.go
index be67457..5b4c87d 100644
--- a/main.go
+++ b/main.go
@@ -9,6 +9,11 @@ import (
 )
 
 func main() {
+	// TLS 1.3 is available only on an opt-in basis in Go 1.12.
+	// To enable it, set the GODEBUG environment variable (comma-separated key=value options) such that it includes "tls13=1".
+	// To enable it from within the process, set the environment variable before any use of TLS:
+	os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
+
 	// use at most half the cpu cores
 	runtime.GOMAXPROCS(runtime.NumCPU() / 2)
 
diff --git a/reseed/server.go b/reseed/server.go
index 687042e..7c6c49d 100644
--- a/reseed/server.go
+++ b/reseed/server.go
@@ -15,10 +15,10 @@ import (
 
 	"github.com/cretz/bine/tor"
 	"github.com/cretz/bine/torutil/ed25519"
+	"github.com/throttled/throttled"
+	"github.com/throttled/throttled/store"
 	"github.com/gorilla/handlers"
 	"github.com/justinas/alice"
-	"gopkg.in/throttled/throttled.v2"
-	"gopkg.in/throttled/throttled.v2/store"
 )
 
 const (
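Review bot: The error returned by `os.Setenv` on the added line is discarded, and nothing checks that the opt-in actually took effect before reseed/server.go configures `MinVersion: tls.VersionTLS13`; if the switch is not honoured (the hunk's own comment says it only works before any use of TLS, and it is presumably a no-op on Go 1.13+ where TLS 1.3 is on by default), every client handshake fails at runtime instead of the process refusing to start. Suggest `if err := os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1"); err != nil { panic(err) }` (or log-and-exit if a logger is already imported) and a one-line comment such as `// Opt in to TLS 1.3 on Go 1.12; redundant on Go 1.13+ where it is enabled by default.` in place of the three-line paragraph. When GODEBUG is unset the concatenation produces a leading comma (`,tls13=1`); that appears to be tolerated by the runtime's parser but is cheap to avoid by only prepending the comma when the existing value is non-empty. main's body continues outside the hunk.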
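Review bot: The two new import lines are inserted out of sorted order (`github.com/throttled/...` before `github.com/gorilla/handlers`), so this block is not gofmt-clean; gofmt will move them after `github.com/justinas/alice`. Switching from the version-pinned `gopkg.in/throttled/throttled.v2` path to the unversioned `github.com/throttled/throttled` path also changes what the build fetches, and the diff shows no go.mod, Gopkg.lock or vendor update, so unless pinned elsewhere the build now tracks the upstream default branch rather than a fixed v2 release. The dependency should be pinned to a specific tag or commit, and the rate-limiter API the server uses (the changelog mentions `throttled.PerHour(4)`) verified against that version, since the import move changes which major version is compiled in.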
@@ -34,17 +34,23 @@ type Server struct {
 
 func NewServer(prefix string, trustProxy bool) *Server {
 	config := &tls.Config{
-		MinVersion: tls.VersionTLS10,
+//		MinVersion: tls.VersionTLS10,
+//		PreferServerCipherSuites: true,
+//		CipherSuites: []uint16{
+//			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+//			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+//			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+//			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+//		},
+		MinVersion: tls.VersionTLS13,
 		PreferServerCipherSuites: true,
 		CipherSuites: []uint16{
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
 		},
 		CurvePreferences: []tls.CurveID{tls.CurveP384, tls.CurveP521}, // default CurveP256 removed
 	}
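Review bot: The new `CipherSuites` list has no effect: crypto/tls does not allow TLS 1.3 cipher suites to be configured, so with `MinVersion: tls.VersionTLS13` the server still offers all three TLS 1.3 suites (including TLS_AES_128_GCM_SHA256), and `PreferServerCipherSuites` is likewise ignored for 1.3 — the configuration reads as a restriction it does not enforce. Either drop both fields or replace them with a comment such as `// TLS 1.3 suites are fixed by crypto/tls; CipherSuites and PreferServerCipherSuites are ignored at this MinVersion.` so the next reader does not rely on the list when auditing the deployment. The twelve `//`-prefixed lines carrying the old TLS 1.0 configuration should be deleted rather than kept as dead code; the history is in git and in CHANGELOG.md. NewServer's body continues outside the hunk.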