blob: b501c43e422f60e81d614bcc0ecc3c2179c37188 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
|
#!/bin/sh
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This script will populate a directory 'sni' with 3 sites, httpd.conf
# and certificates as to facilitate testing of TLS server name
# indication support (RFC 4366) or SNI.
#
#
OPENSSL=${OPENSSL:-openssl}
DOMAIN=${DOMAIN:-my-sni-test.org}
DIR=${DIR:-$PWD/sni}
# List of hostnames automatically created by default.
NAMES=${NAMES:-ape nut pear apple banana}
# IP address these hostnames are bound to.
IP=${IP:-127.0.0.1}
# A certificate password for the .p12 files of the client
# authentication test. Normally not set. However some browsers
# require a password of at least 4 characters.
#
PASSWD=${PASSWD:-}
args=`getopt a:fd:D:p: $*`
if [ $? != 0 ]; then
echo "Syntax: $0 [-f] [-a IPaddress] [-d outdir] [-D domain ] [two or more vhost names ]"
echo " -f Force overwriting of outdir (default is $DIR)"
echo " -d dir Directory to create the SNI test server in (default is $DIR)"
echo " -D domain Domain name to use for this test (default is $DOMAIN)"
echo " -a IP IP address to use for this virtual host (default is $IP)"
echo " -p str Password for the client certificate test (some browsers require a set password)"
echo " [names] List of optional vhost names (default is $NAMES)"
echo
echo "Example:"
echo " $0 -D SecureBlogsAreUs.com peter fred mary jane ardy"
echo
echo "Which will create peter.SecureBlogsAreUs.com, fred.SecureBlogsAreUs.com and"
echo "so on. Note that the _first_ FQDN is also the default for non SNI hosts. It"
echo "may make sense to give this host a generic name - and allow each of the real"
echo "SNI site as sub directories/URI's of this generic name; thus allowing the "
echo "few non-SNI browsers access."
exit 1
fi
set -- $args
for i
do
case "$i"
in
-f)
FORCE=1
shift;;
-a)
IP=$2; shift
shift;;
-d)
DIR=$2; shift
shift;;
-p)
PASSWD=$2; shift
shift;;
-D)
DOMAIN=$2; shift
shift;;
--)
shift; break;
esac
done
if [ $# = 1 ]; then
echo "Aborted - just specifying one vhost makes no sense for SNI testing. Go wild !"
exit 1
fi
if [ $# -gt 0 ]; then
NAMES=$*
fi
if ! openssl version | grep -Eq 'LibreSSL|OpenSSL'; then
echo Aborted - your openssl is very old or misconfigured.
exit 1
fi
set `openssl version`
if test "0$2" \< "00.9"; then
echo Aborted - version of openssl too old, 0.9 or up required.
exit 1
fi
if test -d ${DIR} -a "x$FORCE" != "x1"; then
echo Aborted - already an ${DIR} directory. Use the -f flag to overwrite.
exit 1
fi
mkdir -p ${DIR} || exit 1
mkdir -p ${DIR}/ssl ${DIR}/htdocs ${DIR}/logs || exit 1
# Create a 'CA' - keep using different serial numbers
# as the browsers get upset if they see an identical
# serial with a different pub-key.
#
# Note that we're not relying on the 'v3_ca' section as
# in the default openssl.conf file - so the certificate
# will be without the basicConstraints = CA:true and
# keyUsage = cRLSign, keyCertSign values. This is fine
# for most browsers.
#
serial=$RANDOM$$
openssl req -new -nodes -batch \
-x509 \
-days 10 -subj '/CN=Da Root/O=SNI testing/' -set_serial $serial \
-keyout ${DIR}/root.key -out ${DIR}/root.pem \
|| exit 2
CDIR=${DIR}/client-xs-control
mkdir -p ${CDIR}
# Create some certificate authorities for testing client controls
#
openssl req -new -nodes -batch \
-x509 \
-days 10 -subj '/CN=Da Second Root/O=SNI user access I/' -set_serial 2$serial$$\
-keyout ${CDIR}/xs-root-1.key -out ${CDIR}/xs-root-1.pem \
|| exit 2
openssl req -new -nodes -batch \
-x509 \
-days 10 -subj '/CN=Da Second Root/O=SNI user access II/' -set_serial 3$serial$$ \
-keyout ${CDIR}/xs-root-2.key -out ${CDIR}/xs-root-2.pem \
|| exit 2
# Create a chain of just the two access authorities:
cat ${CDIR}/xs-root-2.pem ${CDIR}/xs-root-1.pem > ${CDIR}/xs-root-chain.pem
# And likewise a directory with the same information (using the
# required 'hash' naming format
#
mkdir -p ${CDIR}/xs-root-dir || exit 1
rm -f {$CDIR}/*.0
ln ${CDIR}/xs-root-1.pem ${CDIR}/xs-root-dir/`openssl x509 -noout -hash -in ${CDIR}/xs-root-1.pem`.0
ln ${CDIR}/xs-root-2.pem ${CDIR}/xs-root-dir/`openssl x509 -noout -hash -in ${CDIR}/xs-root-2.pem`.0
# Use the above two client certificate authorities to make a few users
for i in 1 2
do
# Create a certificate request for a test user.
#
openssl req -new -nodes -batch \
-days 9 -subj "/CN=User $i/O=SNI Test Crash Dummy Dept/" \
-keyout ${CDIR}/client-$i.key -out ${CDIR}/client-$i.req -batch \
|| exit 3
# And get it signed by either our client cert issuing root authority.
#
openssl x509 -text -req \
-CA ${CDIR}/xs-root-$i.pem -CAkey ${CDIR}/xs-root-$i.key \
-set_serial 3$serial$$ -in ${CDIR}/client-$i.req -out ${CDIR}/client-$i.pem \
|| exit 4
# And create a pkcs#12 version for easy browser import.
#
openssl pkcs12 -export \
-inkey ${CDIR}/client-$i.key -in ${CDIR}/client-$i.pem -name "Client $i" \
-caname "Issuing client root $i" -certfile ${CDIR}/xs-root-$i.pem \
-out ${CDIR}/client.p12 -passout pass:"$PASSWD" || exit 5
rm ${CDIR}/client-$i.req
done
# Create the header for the example '/etc/hosts' file.
#
echo '# To append to your hosts file' > ${DIR}/hosts
# Create a header for the httpd.conf snipped.
#
cat > ${DIR}/httpd-sni.conf << EOM
# To append to your httpd.conf file'
Listen ${IP}:443
NameVirtualHost ${IP}:443
LoadModule ssl_module modules/mod_ssl.so
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
LogLevel debug
TransferLog ${DIR}/logs/access_log
ErrorLog ${DIR}/logs/error_log
# You'll get a warning about this.
#
SSLSessionCache none
# Note that this SSL configuration is far
# from complete - you probably will want
# to configure SSLSession Caches at the
# very least.
<Directory />
Options None
AllowOverride None
Require all denied
</Directory>
<Directory "${DIR}/htdocs">
allow from all
Require all granted
</Directory>
# This first entry is also the default for non SNI
# supporting clients.
#
EOM
# Create the header of a sample BIND zone file.
#
(
echo "; Configuration sample to be added to the $DOMAIN zone file of BIND."
echo "\$ORIGIN $DOMAIN."
) > ${DIR}/zone-file
ZADD="IN A $IP"
INFO="and also the site you see when the browser does not support SNI."
set -- ${NAMES}
DEFAULT=$1
for n in ${NAMES}
do
FQDN=$n.$DOMAIN
serial=`expr $serial + 1`
# Create a certificate request for this host.
#
openssl req -new -nodes -batch \
-days 9 -subj "/CN=$FQDN/O=SNI Testing/" \
-keyout ${DIR}/$n.key -out ${DIR}/$n.req -batch \
|| exit 3
# And get it signed by our root authority.
#
openssl x509 -text -req \
-CA ${DIR}/root.pem -CAkey ${DIR}/root.key \
-set_serial $serial -in ${DIR}/$n.req -out ${DIR}/$n.pem \
|| exit 4
# Combine the key and certificate in one file.
#
cat ${DIR}/$n.pem ${DIR}/$n.key > ${DIR}/ssl/$n.crt
rm ${DIR}/$n.req ${DIR}/$n.key ${DIR}/$n.pem
LST="$LST
https://$FQDN/index.html"
# Create a /etc/host and bind-zone file example
#
echo "${IP} $FQDN $n" >> ${DIR}/hosts
echo "$n $ZADD" >> ${DIR}/zone-file
ZADD="IN CNAME $DEFAULT"
# Create and populate a docroot for this host.
#
mkdir -p ${DIR}/htdocs/$n || exit 1
echo We are $FQDN $INFO > ${DIR}/htdocs/$n/index.html || exit 1
# And change the info text - so that only the default/fallback site
# gets marked as such.
#
INFO="and you'd normally only see this site when there is proper SNI support."
# And create a configuration snipped.
#
cat >> ${DIR}/httpd-sni.conf << EOM
<VirtualHost ${IP}:443>
SSLEngine On
ServerName $FQDN:443
DocumentRoot ${DIR}/htdocs/$n
SSLCertificateChainFile ${DIR}/root.pem
SSLCertificateFile ${DIR}/ssl/$n.crt
# Uncomment the following lines if you
# want to only allow access to clients with
# a certificate issued/signed by some
# selection of the issuing authorities
#
# SSLCACertificate ${CDIR}/xs-root-1.pem # just root 1
# SSLCACertificate ${CDIR}/xs-root-2.pem # just root 2
# SSLCACertificate ${CDIR}/xs-root-chain.pem # 1 & 2
# SSLCACertificateDir ${CDIR}/xs-root-dir # 1 & 2 - but as a directory.
#
# SSLVerifyClient require
# SSLVerifyDepth 2
#
TransferLog ${DIR}/logs/access_$n
</VirtualHost>
EOM
done
cat << EOM
SNI Files generated
===================
The directory ${DIR}/sni has been populated with the following
- root.key|pem Certificate authority root and key. (You could
import the root.pem key into your browser to
quell warnings about an unknown authority).
- hosts /etc/hosts file with fake entries for the hosts
- htdocs directory with one docroot for each domain,
each with a small sample file.
- ssl directory with an ssl cert (signed by root)
for each of the domains).
- logs logfiles, one for each domain and an
access_log for any misses.
The directory ${CDIR} contains optional test files to allow client
authentication testing:
- client*pem/p12 Files for client authentication testing. These
need to be imported into the browser.
- xs-root-1/2 Certificate authority which has issued above
client authentication certificates.
- xs-root-dir A directory specific for the SSLCACertificateDir
directive.
- xs-root-chain A chain of the two client xs authorities for the
SSLCACertificate directive.
SNI Test
========
A directory ${DIR}/sni has been created. Run an apache
server against it with
.../httpd -f ${DIR}/httpd-sni.conf
and keep an eye on ${DIR}/logs/error_log. When everything
is fine you will see entries like:
Feb 11 16:12:26 2008] [debug] Init:
SSL server IP/port overlap: ape.*:443 (httpd-sni.conf:24) vs. jane.*:443 (httpd-sni.conf:42)
for each vhost configured and a concluding warning:
[Mon Feb 11 16:12:26 2008] [warn] Init:
Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
HOWEVER - If you see an entry like:
[Mon Feb 11 15:41:41 2008] [warn] Init:
You should not use name-based virtual hosts in conjunction with SSL!!
then you are either using an OpenSSL which is too old and/or you need to ensure that the
TLS Extensions are compiled into openssl with the 'enable-tlsext' flag. Once you have
recompiled or reinstalled OpenSSL with TLS Extensions you will have to recompile mod_ssl
to allow it to recognize SNI support.
Meanwhile add 'hosts' to your c:\windows\system32\drivers\etc\hosts
or /etc/hosts file as to point the various URL's to your server:
$LST
and verify that each returns its own name (and an entry in its
own ${DIR}/logs) file).
NOTE
====
Note that in the generated example the 'first' domain is special - and is the
catch all for non-SNI browsers. Depending on your circumstances it may make
sense to use a generic name - and have each of the SNI domains as subdirectories
(and hence URI's under this generic name). Thus allowing non SNI browsers also
access to those sites.
EOM
exit 0
|