mirror of
https://github.com/XRPLF/rippled.git
synced 2025-12-06 17:27:55 +00:00
0ecfc7cb1a
When starting, the code generates a new ephemeral private key and a corresponding certificate to go along with it. This process can take time and, while this is unlikely to matter for normal server operations, it can have a significant impact for unit testing and development. Profiling data suggests that ~20% of the time needed for a unit test run can be attributed to this. This commit does several things: 1. It restructures the code so that a new self-signed certificate and its corresponding private key are only initialized once at startup; this has minimal impact on the operation of a regular server. 2. It provides new default DH parameters. This doesn't impact the security of the connection, but those who compile from scratch can generate new parameters if they so choose. 3. It properly sets the version number in the certificate, fixing issue #4007; thanks to @donovanhide for the report. 4. It uses SHA-256 instead of SHA-1 as the hash algorithm for the certificate and adds some X.509 extensions as well as a random 128-bit serial number. 5. It rounds the certificate's "start of validity" period so that the server's precise startup time cannot be easily deduced and limits the validity period to two years, down from ten years. 6. It removes some CBC-based ciphers from the default cipher list to avoid some potential security issues, such as CVE-2016-2107 and CVE-2013-0169.
Basics
Utility functions and classes.
ripple/basic should contain no dependencies on other modules.
Choosing a rippled container.
-
std::vector- For ordered containers with most insertions or erases at the end.
-
std::deque- For ordered containers with most insertions or erases at the start or end.
-
std::list- For ordered containers with inserts and erases to the middle.
- For containers with iterators stable over insert and erase.
- Generally slower and bigger than
std::vectororstd::dequeexcept for those cases.
-
std::set- For sorted containers.
-
ripple::hash_set- Where inserts and contains need to be O(1).
- For "small" sets,
std::setmight be faster and smaller.
-
ripple::hardened_hash_set- For data sets where the key could be manipulated by an attacker in an attempt to mount an algorithmic complexity attack: see http://en.wikipedia.org/wiki/Algorithmic_complexity_attack
The following container is deprecated
std::unordered_set- Use
ripple::hash_setinstead, which uses a better hashing algorithm. - Or use
ripple::hardened_hash_setto prevent algorithmic complexity attacks.