Merge branch 'martin61-master'

.gitignore

@@ -3,4 +3,5 @@
 /key.pem
 /_netdb
 i2pseeds.su3
-*.pem
+*.pem
+onion.key

CHANGELOG.md

@@ -1,3 +1,7 @@
+2019-04-21
+ * app.Version = "0.1.7"
+ * enabling TLS 1.3 *only*
+
 2016-12-21
  * deactivating previous random time delta, makes only sense when patching ri too
  * app.Version = "0.1.6"
@@ -27,4 +31,4 @@
  * numRi per su3 file: 75 --> 77
 
 2016-01
- * fork from https://github.com/MDrollette/i2p-tools
+ * fork from https://github.com/MDrollette/i2p-tools

history.txt

@@ -0,0 +1,34 @@
+2019-04-21
+ * app.Version = "0.1.7"
+ * enabling TLS 1.3 *only*
+
+2016-12-21
+ * deactivating previous random time delta, makes only sense when patching ri too
+ * app.Version = "0.1.6"
+
+2016-10-09
+ * seed the math random generator with time.Now().UnixNano()
+ * added 6h+6h random time delta at su3-age to increase anonymity
+ * app.Version = "0.1.5"
+
+
+2016-05-15
+ * README.md updated
+ * allowed routerInfos age increased from 96 to 192 hours
+ * app.Version = "0.1.4"
+
+2016-03-05
+ * app.Version = "0.1.3"
+ * CRL creation added
+
+2016-01-31
+ * allowed TLS ciphers updated (hardened)
+ * TLS certificate generation: RSA 4096 --> ECDSAWithSHA512 384bit secp384r1
+ * ECDHE handshake: only CurveP384 + CurveP521, default CurveP256 removed
+ * TLS certificate valid: 2y --> 5y
+ * throttled.PerDay(4) --> PerHour(4), to enable limited testing
+ * su3 RebuildInterval: 24h --> 90h, higher anonymity for the running i2p-router
+ * numRi per su3 file: 75 --> 77
+
+2016-01
+ * fork from https://github.com/MDrollette/i2p-tools

main.go

@@ -9,6 +9,11 @@ import (
 )
 
 func main() {
+	// TLS 1.3 is available only on an opt-in basis in Go 1.12. 
+	// To enable it, set the GODEBUG environment variable (comma-separated key=value options) such that it includes "tls13=1". 
+	// To enable it from within the process, set the environment variable before any use of TLS: 
+	os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
+
 	// use at most half the cpu cores
 	runtime.GOMAXPROCS(runtime.NumCPU() / 2)
 

reseed/server.go

@@ -15,10 +15,10 @@ import (
 
 	"github.com/cretz/bine/tor"
 	"github.com/cretz/bine/torutil/ed25519"
+	"github.com/throttled/throttled"
+	"github.com/throttled/throttled/store"
 	"github.com/gorilla/handlers"
 	"github.com/justinas/alice"
-	"gopkg.in/throttled/throttled.v2"
-	"gopkg.in/throttled/throttled.v2/store"
 )
 
 const (
@@ -34,17 +34,23 @@ type Server struct {
 
 func NewServer(prefix string, trustProxy bool) *Server {
 	config := &tls.Config{
-		MinVersion:               tls.VersionTLS10,
+//		MinVersion:               tls.VersionTLS10,
+//		PreferServerCipherSuites: true,
+//		CipherSuites: []uint16{
+//			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+//			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+//			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+//			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+//		},
+		MinVersion:               tls.VersionTLS13,
 		PreferServerCipherSuites: true,
 		CipherSuites: []uint16{
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 		},
 		CurvePreferences: []tls.CurveID{tls.CurveP384, tls.CurveP521}, // default CurveP256 removed
 	}