
Meek HTTPS tweaks

- Fix (and vary) the self-signed certificate validity periods
- Vary the minimum supported TLS version
- Retire RC4/3DES cipher suites supported in the FRONTED case
Rod Hynes hace 6 años
padre
commit
6bd6c90ee6
Se han modificado 2 ficheros con 24 adiciones y 15 borrados
  1. 15 8
      psiphon/common/certificate.go
  2. 9 7
      psiphon/server/meek.go

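--- a/psiphon/common/certificate.go
+++ b/psiphon/common/certificate.go
@@ -54,14 +54,21 @@ func GenerateWebServerCertificate(commonName string) (string, string, error) {
 		return "", "", ContextError(err)
 	}
 
-	// Validity period is ~10 years, starting some number of ~months
-	// back in the last year.
-
-	ageLimit := new(big.Int).Lsh(big.NewInt(1), 12)
-	age := int(ageLimit.Int64()) + 1
-	validityPeriod := 10 * 365 * 24 * time.Hour
-	notBefore := time.Now().Add(time.Duration(-age) * 30 * 24 * time.Hour).UTC()
-	notAfter := notBefore.Add(validityPeriod).UTC()
+	// Validity period is 1 or 2 years, starting 1 to 6 months ago.
+	validityPeriodYears := 1
+	delta, err := rand.Int(rand.Reader, big.NewInt(2))
+	if err != nil {
+		return "", "", ContextError(err)
+	}
+	validityPeriodYears += int(delta.Int64())
+	retroactiveMonths := 1
+	delta, err = rand.Int(rand.Reader, big.NewInt(6))
+	if err != nil {
+		return "", "", ContextError(err)
+	}
+	retroactiveMonths += int(delta.Int64())
+	notBefore := time.Now().Truncate(time.Hour).UTC().AddDate(0, -retroactiveMonths, 0)
+	notAfter := notBefore.AddDate(validityPeriodYears, 0, 0)
 
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)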
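Review bot: The new comment at the top of the hunk gives the ranges but not why they are randomized, and since this commit pairs the change with the varied MinVersion in meek.go the rationale belongs here too, e.g. `// Validity period is 1 or 2 years, starting 1 to 6 months ago. Both values are drawn from crypto/rand per call so generated certificates do not share a fixed validity profile.` Note that time.AddDate normalizes an out-of-range day, so a notBefore computed on the 29th–31st of a month can land a few days into the following month; that is harmless for the "1 to 6 months ago" intent but a short comment would save the next reader from checking. The two draw-then-add sequences differ only in their bound and could be one small helper returning `(int, error)`, which is a style point only. GenerateWebServerCertificate continues outside the hunk.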

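--- a/psiphon/server/meek.go
+++ b/psiphon/server/meek.go
@@ -948,15 +948,20 @@ func makeMeekTLSConfig(
 		return nil, common.ContextError(err)
 	}
 
+	// Vary the minimum version to frustrate scanning/fingerprinting of unfronted servers.
+	// Limitation: like the certificate, this value changes on restart.
+	minVersionCandidates := []uint16{tris.VersionTLS10, tris.VersionTLS11, tris.VersionTLS12}
+	minVersion := minVersionCandidates[prng.Intn(len(minVersionCandidates))]
+
 	config := &tris.Config{
 		Certificates:            []tris.Certificate{tlsCertificate},
 		NextProtos:              []string{"http/1.1"},
-		MinVersion:              tris.VersionTLS10,
+		MinVersion:              minVersion,
 		UseExtendedMasterSecret: true,
 	}
 
 	if isFronted {
-		// This is a reordering of the supported CipherSuites in golang 1.6. Non-ephemeral key
+		// This is a reordering of the supported CipherSuites in golang 1.6[*]. Non-ephemeral key
 		// CipherSuites greatly reduce server load, and we try to select these since the meek
 		// protocol is providing obfuscation, not privacy/integrity (this is provided by the
 		// tunneled SSH), so we don't benefit from the perfect forward secrecy property provided
@@ -965,24 +970,21 @@ func makeMeekTLSConfig(
 		//
 		// This optimization is applied only when there's a CDN in front of the meek server; in
 		// unfronted cases we prefer a more natural TLS handshake.
+		//
+		// [*] the list has since been updated, removing CipherSuites using RC4 and 3DES.
 		config.CipherSuites = []uint16{
 			tris.TLS_RSA_WITH_AES_128_GCM_SHA256,
 			tris.TLS_RSA_WITH_AES_256_GCM_SHA384,
-			tris.TLS_RSA_WITH_RC4_128_SHA,
 			tris.TLS_RSA_WITH_AES_128_CBC_SHA,
 			tris.TLS_RSA_WITH_AES_256_CBC_SHA,
-			tris.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 			tris.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 			tris.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 			tris.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 			tris.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tris.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-			tris.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
 			tris.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 			tris.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 			tris.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 			tris.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-			tris.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 		}
 		config.PreferServerCipherSuites = true
 	}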
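Review bot: The comment introducing minVersion in the first hunk says the variation targets unfronted servers, but `minVersion` is assigned into `config.MinVersion` unconditionally, so fronted servers also get a randomly raised floor of TLS 1.1 or 1.2 where they previously always accepted TLS 1.0; either gate the draw on `!isFronted` and keep `tris.VersionTLS10` for the fronted path, or reword the comment to `// Vary the minimum version to frustrate scanning/fingerprinting; this applies to both fronted and unfronted servers.` `prng` is defined outside the hunk, so its seeding could not be checked here; the "changes on restart" limitation line presumes it is re-seeded per process, which is worth confirming against its definition. makeMeekTLSConfig starts before the first hunk and continues after the second.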