omjadas / hudsucker

Intercepting HTTP/S proxy
https://crates.io/crates/hudsucker
Apache License 2.0
206 stars, 35 forks

fix: randomise serial number for OpenSSL generated certificates #24

Closed glossiness closed 2 years ago

glossiness commented 2 years ago

Firefox seems to block certificates if they use an already seen serial number.

This generates a random serial number for each certificate generated by OpenSSL.

omjadas commented 2 years ago

Thanks for the fix. I am wondering though if it would be better to simply assign an incrementing serial number to each generated certificate. That would ensure that each certificate in a session would definitely have a unique serial number, whereas with a random number it is possible (though probably very unlikely) that a serial number may be reused.

glossiness commented 2 years ago

Thanks for your reply.

Aside from other problems, the per-session incremental serial number wouldn't work, for example, if the proxy is restarted while the browser is running.

The CA Browser Forum requires the following: "CAs SHALL generate non-sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG" (section 7.1 of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.1.pdf).

In this PR's proposed implementation, there is 128-bit entropy. There should be no practical concern for duplicates. Maybe this can give you an idea why: https://en.wikipedia.org/wiki/Universally_unique_identifier#Collisions
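The requirement quoted above (non-sequential, greater than zero, at least 64 bits of CSPRNG output) plus the RFC 5280 rule that a serial is a positive DER INTEGER of at most 20 octets can be demonstrated with a small stand-alone Rust program. This is an added example, not code from the hudsucker project or from this PR: it does not use the openssl crate, reads the OS CSPRNG from /dev/urandom directly (assumption: a Unix-like host), and the function names `random_serial`, `der_integer`, `serial_fits_rfc5280` and `all_unique` are the example's own. It also shows the DER detail that a 128-bit value whose top bit is set needs a leading 0x00 byte to stay positive, and runs the batch-uniqueness check that the collision discussion is about.

```rust
use std::fs::File;
use std::io::{self, Read};

/// Bits of CSPRNG output per serial. The quoted baseline requirement asks for
/// at least 64; this example uses 128, as discussed in the PR.
pub const SERIAL_BITS: usize = 128;

/// Pull `n` bytes from the operating system CSPRNG.
/// Assumption: /dev/urandom exists (Linux, macOS, BSD). A real build would
/// normally go through a library (openssl, getrandom) instead of the device file.
pub fn os_random_bytes(n: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; n];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf)
}

/// Generate a serial that is non-sequential, greater than zero and built from
/// SERIAL_BITS bits of CSPRNG output. A zero draw (probability 2^-128) is
/// rejected and redrawn rather than silently bumped to 1.
pub fn random_serial() -> io::Result<u128> {
    loop {
        let bytes = os_random_bytes(SERIAL_BITS / 8)?;
        let value = bytes.iter().fold(0u128, |acc, &b| (acc << 8) | b as u128);
        if value != 0 {
            return Ok(value);
        }
    }
}

/// DER-encode the serial as an ASN.1 INTEGER: tag 0x02, one length byte, then
/// the minimal big-endian two's-complement content. If the first content byte
/// has its high bit set, a 0x00 byte is prepended so the value stays positive.
pub fn der_integer(value: u128) -> Vec<u8> {
    let be = value.to_be_bytes();
    let first = be.iter().position(|&b| b != 0).unwrap_or(be.len() - 1);
    let mut content: Vec<u8> = be[first..].to_vec();
    if content[0] & 0x80 != 0 {
        content.insert(0, 0x00);
    }
    let mut out = vec![0x02, content.len() as u8];
    out.extend(content);
    out
}

/// RFC 5280 section 4.1.2.2 limits serialNumber content to 20 octets.
/// 128 random bits are 16 octets, 17 with the sign byte, so always within the cap.
pub fn serial_fits_rfc5280(der: &[u8]) -> bool {
    der.len() >= 2
        && der[0] == 0x02
        && der[1] as usize <= 20
        && der.len() == 2 + der[1] as usize
}

/// Check a batch of serials for repeats: the duplicate concern raised in the thread.
pub fn all_unique(serials: &[u128]) -> bool {
    let mut sorted = serials.to_vec();
    sorted.sort_unstable();
    sorted.windows(2).all(|w| w[0] != w[1])
}

fn main() -> io::Result<()> {
    let serial = random_serial()?;
    let der = der_integer(serial);
    println!("serial      = {:#034x}", serial);
    println!("DER INTEGER = {:02x?}", der);
    println!("fits RFC 5280 20-octet cap: {}", serial_fits_rfc5280(&der));

    // Simulate one proxy session issuing 1000 leaf certificates.
    let batch: Vec<u128> = (0..1000)
        .map(|_| random_serial())
        .collect::<io::Result<_>>()?;
    println!("1000 serials all unique: {}", all_unique(&batch));
    Ok(())
}
```

The sign-byte handling is the part that most often goes wrong when serials are built by hand: a 16-byte random value with its top bit set encodes to 17 octets, and dropping the padding would produce a negative INTEGER that clients reject.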

omjadas commented 2 years ago

I guess I hadn't considered the case where the proxy is restarted and the browser is still kept running. With that in mind I think this change looks good, just one typo to fix.

omjadas commented 2 years ago

Thanks again for the fix. I will most likely do a release with this later today or tomorrow.

omjadas commented 2 years ago

Released as part of https://github.com/omjadas/hudsucker/releases/tag/v0.14.1

glossiness commented 2 years ago

Thank you very much