From 30b4bce87d4ca90b1037e0a5a44b19ae6280eb59 Mon Sep 17 00:00:00 2001
From: Philippe Boneff
Date: Tue, 24 Mar 2026 15:49:44 +0000
Subject: [PATCH] rate limit old submission by default, fix extKeyUsage description

---
 cmd/tesseract/README.md | 2 +-
 cmd/tesseract/aws/main.go | 4 ++--
 cmd/tesseract/gcp/main.go | 2 +-
 cmd/tesseract/posix/main.go | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/cmd/tesseract/README.md b/cmd/tesseract/README.md
index d522e82f..8fc74c2b 100644
--- a/cmd/tesseract/README.md
+++ b/cmd/tesseract/README.md
@@ -83,7 +83,7 @@ per-second rate limit, and `` defines how old a given submission's `notBefore` date must be for that submission to be subject to the rate limit. `` must be formatted per Go's [time.ParseDuration](https://pkg.go.dev/time#ParseDuration), and `` is a positive real number.
-E.g. `28h=500` means that a rate-limit of 500 submissions/s will be applied to any
+E.g. `28h:500` means that a rate-limit of 500 submissions/s will be applied to any
 certificate, or precertificate, whose `notBefore` date is at least 28 hours old at the time of submission.
diff --git a/cmd/tesseract/aws/main.go b/cmd/tesseract/aws/main.go
index 3847e798..f0ab5717 100644
--- a/cmd/tesseract/aws/main.go
+++ b/cmd/tesseract/aws/main.go
@@ -71,13 +71,13 @@ var (
 rootsRemoteFetchInterval = flag.Duration("roots_remote_fetch_interval", time.Duration(0), "Interval between two fetches from roots_fetch_url, e.g. \"1h\". Set to \"0s\" to disable.")
 rejectExpired = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
 rejectUnexpired = flag.Bool("reject_unexpired", false, "If true then TesseraCT rejects certificates that are either currently valid or not yet valid.")
- extKeyUsages = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default all are accepted. The values specified must be ones known to the x509 package.")
+ extKeyUsages = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default only 'ServerAuth' certs are accepted. Set to 'Any' to accept all chain. Accepted values are defined in internal/ct.")
 rejectExtensions = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")
 acceptSHA1 = flag.Bool("accept_sha1_signing_algorithms", true, "If true, accept chains that use SHA-1 based signing algorithms. 
This flag will eventually be removed, and such algorithms will be rejected.")
 enablePublicationAwaiter = flag.Bool("enable_publication_awaiter", true, "If true then the certificate is integrated into log before returning the response.")
 witnessPolicyFile = flag.String("witness_policy_file", "", "(Optional) Path to the file containing the witness policy in the format described at https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md")
 witnessTimeout = flag.Duration("witness_timeout", tessera.DefaultWitnessTimeout, "Maximum time to wait for witness responses.")
- notBeforeRL = flag.String("rate_limit_old_not_before", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \":\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
+ notBeforeRL = flag.String("rate_limit_old_not_before", "28h:500", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \":\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
 // Performance flags
 httpDeadline = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")
diff --git a/cmd/tesseract/gcp/main.go b/cmd/tesseract/gcp/main.go
index 39ce896b..bafcb66f 100644
--- a/cmd/tesseract/gcp/main.go
+++ b/cmd/tesseract/gcp/main.go
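Review bot: The new default `"28h:500"` makes `rate_limit_old_not_before` active out of the box, yet the help text on the `+ notBeforeRL` line still opens with "Optionally rate limits" and never says how an operator disables the limit; if the empty string turns it off, as the old default suggests, the string should state that, e.g. `"Rate limits submissions with old notBefore dates; set to \"\" to disable. ..."`. The example `\"30d:50\"` carried into the new line also conflicts with the README changed in this same commit, which requires the duration to be formatted per Go's time.ParseDuration — that parser has no `d` unit, so the example would be rejected if that is the parser used; `\"720h:50\"` would match the documented format. On the `+ extKeyUsages` line, "accept all chain" should read "accept all chains", and pointing `--help` readers at `internal/ct` is not actionable for an operator; list the accepted names, or name the public package that documents them. The same lines are changed identically in cmd/tesseract/gcp/main.go (notBeforeRL only) and cmd/tesseract/posix/main.go, so the same comments apply there. The enclosing `var (` block starts and ends outside the hunk.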
@@ -84,7 +84,7 @@ var (
 enablePublicationAwaiter = flag.Bool("enable_publication_awaiter", true, "If true then the certificate is integrated into log before returning the response.")
 witnessPolicyFile = flag.String("witness_policy_file", "", "(Optional) Path to the file containing the witness policy in the format described at https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md")
 witnessTimeout = flag.Duration("witness_timeout", tessera.DefaultWitnessTimeout, "Maximum time to wait for witness responses.")
- notBeforeRL = flag.String("rate_limit_old_not_before", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \":\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
+ notBeforeRL = flag.String("rate_limit_old_not_before", "28h:500", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \":\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
 // Performance flags
 httpDeadline = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")
diff --git a/cmd/tesseract/posix/main.go b/cmd/tesseract/posix/main.go
index a00c77d0..d4e03fc0 100644
--- a/cmd/tesseract/posix/main.go
+++ b/cmd/tesseract/posix/main.go
@@ -74,13 +74,13 @@ var (
 rootsRemoteFetchInterval = flag.Duration("roots_remote_fetch_interval", time.Duration(0), "Interval between two fetches from roots_fetch_url, e.g. \"1h\". Set to \"0s\" to disable.")
 rejectExpired = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
 rejectUnexpired = flag.Bool("reject_unexpired", false, "If true then TesseraCT rejects certificates that are either currently valid or not yet valid.")
- extKeyUsages = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default all are accepted. The values specified must be ones known to the x509 package.")
+ extKeyUsages = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default only 'ServerAuth' certs are accepted. Set to 'Any' to accept all chain. Accepted values are defined in internal/ct.")
 rejectExtensions = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")
 acceptSHA1 = flag.Bool("accept_sha1_signing_algorithms", true, "If true, accept chains that use SHA-1 based signing algorithms. 
This flag will eventually be removed, and such algorithms will be rejected.")
 enablePublicationAwaiter = flag.Bool("enable_publication_awaiter", true, "If true then the certificate is integrated into log before returning the response.")
 witnessPolicyFile = flag.String("witness_policy_file", "", "(Optional) Path to the file containing the witness policy in the format described at https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md")
 witnessTimeout = flag.Duration("witness_timeout", tessera.DefaultWitnessTimeout, "Maximum time to wait for witness responses.")
- notBeforeRL = flag.String("rate_limit_old_not_before", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \":\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
+ notBeforeRL = flag.String("rate_limit_old_not_before", "28h:500", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \":\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
 // Performance flags
 httpDeadline = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")