In testing don't depend on strong primes for DH param generation.

Author: d-w-moore

irods/test/login_auth_test.py

@@ -513,15 +513,12 @@ def test_ssl_with_server_verify_set_to_none_281(self):
             with open(env_file) as env_file_handle:
                 env = json.load( env_file_handle )
             my_ssl_directory = os.path.expanduser("~/some")
-            create_ssl_dir(ssl_dir = my_ssl_directory)
+            # Elect for efficiency in DH param generation, eg. when setting up for testing.
+            create_ssl_dir(ssl_dir = my_ssl_directory, use_strong_primes_for_dh_generation = False)
             keys_to_update = {key:value.replace("/etc/irods/ssl",my_ssl_directory)
                               for key,value in env.items() if type(value) is str and value.startswith("/etc/irods/ssl")}
             keys_to_update["irods_ssl_verify_server"] = "none"
             env.update( keys_to_update )
-            # --- TODO: remove these lines
-            import pprint
-            print ("Updated = \n", pprint.pformat(env))
-            # ---
             with open(env_file,'w') as f:
                 json.dump(env,f)
             with helpers.make_session() as session:

irods/test/setupssl.py

@@ -25,7 +25,8 @@ def create_server_cert(process_output = sys.stdout, irods_key_path = 'irods.key'
     p.wait()
     return p.returncode
 
-def create_ssl_dir(irods_key_path = 'irods.key', ssl_dir = ''):
+
+def create_ssl_dir(irods_key_path = 'irods.key', ssl_dir = '', use_strong_primes_for_dh_generation = True):
     ssl_dir = ssl_dir or IRODS_SSL_DIR
     save_cwd = os.getcwd()
     silent_run =  { 'shell': True, 'stderr' : PIPE, 'stdout' : PIPE }
@@ -39,9 +40,13 @@ def create_ssl_dir(irods_key_path = 'irods.key', ssl_dir = ''):
         with open("/dev/null","wb") as dev_null:
             if 0 == create_server_cert(process_output = dev_null, irods_key_path = irods_key_path):
                 if not keep_old:
-                    # TODO : verify SSL still works ok in iRODS with -dsaparam
-                    # TODO : possibly drive use of -dsaparam from a global command switch eg. --params-for-test-only
-                    Popen('openssl dhparam -dsaparam -out dhparams.pem 4096',**silent_run).communicate()
+                    # https://www.openssl.org/docs/man1.0.2/man1/dhparam.html#:~:text=DH%20parameter%20generation%20with%20the,that%20may%20be%20possible%20otherwise.
+                    if use_strong_primes_for_dh_generation:
+                        dhparam_generation_command = 'openssl dhparam -2 -out dhparams.pem'
+                    else:
+                        dhparam_generation_command = 'openssl dhparam -dsaparam -out dhparams.pem 4096'
+                    print('cmd=',dhparam_generation_command )
+                    Popen(dhparam_generation_command,**silent_run).communicate()
         return os.listdir(".")
     finally:
         os.chdir(save_cwd)
@@ -60,14 +65,17 @@ def test(options, args=()):
     if affirm[:1].lower() == 'y':
         if not keep_old:
             shutil.rmtree(IRODS_SSL_DIR,ignore_errors=True)
-        print("Generating new '{}'. This may take a while.".format(IRODS_SSL_DIR), file=sys.stderr)
-        ssl_dir_files = create_ssl_dir()
-        print('ssl_dir_files=', ssl_dir_files,file=sys.stderr)
+        dh_strong_primes = not options.has_key('-q')
+        wait_warning = (' This may take a while.' if dh_strong_primes else '')
+        print("Generating new '{}'.{}".format(IRODS_SSL_DIR, wait_warning), file = sys.stderr)
+        ssl_dir_files = create_ssl_dir(use_strong_primes_for_dh_generation = dh_strong_primes)
+        print('ssl_dir_files=', ssl_dir_files, file = sys.stderr)
 
 if __name__ == '__main__':
     import getopt
-    opt, arg_list = getopt.getopt(sys.argv[1:],'x:fh:k')
+    opt, arg_list = getopt.getopt(sys.argv[1:],'x:fh:kq')
     opt_lookup = dict(opt)
+
     ext = opt_lookup.get('-x','')
     if ext:
         ext = '.' + ext.lstrip('.')