Skip to content
This repository has been archived by the owner on Jun 30, 2021. It is now read-only.

Commit

Permalink
Added a more extensive SSL sandbox.
Browse files Browse the repository at this point in the history
After running `make examples`, if SSL is enabled, you
can quickly test HTTPS, with optional client-based
certificate authentication using the following process within
the build directory:

```
./examples/https/bin/generate.sh

-- Test without client auth

./examples/example_https              \
  -cert examples/https/server-crt.pem \
  -key  examples/https/server-key.pem

curl -vk https://localhost:4443/

-- Test WITH client auth

./examples/example_https              \
  -cert examples/https/server-crt.pem \
  -key  examples/https/server-key.pem \
  -ca   examples/https/ca-crt.pem     \
  -verify-peer                        \
  -verify-depth 2                     \
  -enforce-peer-cert

curl -kv \
  --key  examples/https/client1-key.pem \
  --cert examples/https/client1-crt.pem \
  https://localhost:4443/

```
  • Loading branch information
NathanFrench committed Dec 6, 2017
1 parent 282a1c9 commit 1e0c241
Show file tree
Hide file tree
Showing 7 changed files with 434 additions and 1 deletion.
12 changes: 11 additions & 1 deletion examples/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ add_executable(test_query EXCLUDE_FROM_ALL test_query.c)
add_executable(test_perf EXCLUDE_FROM_ALL test_perf.c)
add_executable(example_vhost EXCLUDE_FROM_ALL example_vhost.c)
add_executable(example_pause EXCLUDE_FROM_ALL example_pause.c)
add_executable(example_https EXCLUDE_FROM_ALL https/example_https.c)

if (NOT EVHTP_DISABLE_EVTHR)
add_executable(test_proxy EXCLUDE_FROM_ALL test_proxy.c)
Expand All @@ -23,7 +24,16 @@ target_link_libraries(test_query evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})
target_link_libraries(test_perf evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})
target_link_libraries(example_vhost evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})
target_link_libraries(example_pause evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})
target_link_libraries(example_https evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})

add_dependencies(examples example_pause example_vhost test_extensive test_basic test_vhost test_client test_query test_perf)
add_dependencies(examples example_https example_pause example_vhost test_extensive test_basic test_vhost test_client test_query test_perf)

file (COPY
https/etc/ca.cnf
https/etc/client1.cnf
https/etc/client2.cnf
https/etc/server.cnf
DESTINATION
https/etc/)

configure_file(https/bin/generate.sh.in https/bin/generate.sh @ONLY)
58 changes: 58 additions & 0 deletions examples/https/bin/generate.sh.in
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
#!/usr/bin/env bash

CONFIG_DIR="@PROJECT_BINARY_DIR@/examples/https"

# Create new CA
openssl req -new -x509 -days 9999 \
-config "$CONFIG_DIR/etc/ca.cnf" \
-keyout "$CONFIG_DIR/ca-key.pem" \
-out "$CONFIG_DIR/ca-crt.pem"

# Generate private key for server
openssl genrsa -out "$CONFIG_DIR/server-key.pem" 4096

# Generate cert signing request
openssl req -new \
-config "$CONFIG_DIR/etc/server.cnf" \
-key "$CONFIG_DIR/server-key.pem" \
-out "$CONFIG_DIR/server-csr.pem"

# Sign the request
openssl x509 -req \
-extfile "$CONFIG_DIR/etc/server.cnf" \
-days 999 \
-passin "pass:password" \
-in "$CONFIG_DIR/server-csr.pem" \
-CA "$CONFIG_DIR/ca-crt.pem" \
-CAkey "$CONFIG_DIR/ca-key.pem" \
-CAcreateserial \
-out "$CONFIG_DIR/server-crt.pem"

# Generate a few client certs
openssl genrsa -out "$CONFIG_DIR/client1-key.pem" 4096
openssl genrsa -out "$CONFIG_DIR/client2-key.pem" 4096

# create two cert sign requests
openssl req -new -config "$CONFIG_DIR/etc/client1.cnf" -key $CONFIG_DIR/client1-key.pem -out $CONFIG_DIR/client1-csr.pem
openssl req -new -config $CONFIG_DIR/etc/client2.cnf -key $CONFIG_DIR/client2-key.pem -out $CONFIG_DIR/client2-csr.pem

# sign the above client certs
openssl x509 -req \
-extfile $CONFIG_DIR/etc/client1.cnf \
-days 999 \
-passin "pass:password" \
-in $CONFIG_DIR/client1-csr.pem \
-CA $CONFIG_DIR/ca-crt.pem \
-CAkey $CONFIG_DIR/ca-key.pem \
-CAcreateserial \
-out $CONFIG_DIR/client1-crt.pem

openssl x509 -req \
-extfile $CONFIG_DIR/etc/client2.cnf \
-days 999 \
-passin "pass:password" \
-in $CONFIG_DIR/client2-csr.pem \
-CA $CONFIG_DIR/ca-crt.pem \
-CAkey $CONFIG_DIR/ca-key.pem \
-CAcreateserial \
-out $CONFIG_DIR/client2-crt.pem
31 changes: 31 additions & 0 deletions examples/https/etc/ca.cnf
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
[ ca ]
default_ca = CA_default

[ CA_default ]
serial = ca-serial
crl = ca-crl.pem
database = ca-database.txt
name_opt = CA_default
cert_opt = CA_default
default_crl_days = 9999
default_md = md5

[ req ]
default_bits = 4096
days = 9999
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = password

[ req_distinguished_name ]
C = US
ST = MA
L = Boston
O = Critical Stack
OU = evhtp
CN = ca
emailAddress = nate@cl0d.com

[ req_attributes ]
challengePassword = test
26 changes: 26 additions & 0 deletions examples/https/etc/client1.cnf
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
[ req ]
default_bits = 4096
days = 9999
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
x509_extensions = v3_ca

[ req_distinguished_name ]
C = US
ST = MA
L = Boston
O = Critical Stack
OU = evhtp
CN = client1
emailAddress = nate@cl0d.com

[ req_attributes ]
challengePassword = password

[ v3_ca ]
authorityInfoAccess = @issuer_info

[ issuer_info ]
OCSP;URI.0 = http://ocsp.example.com/
caIssuers;URI.0 = http://example.com/ca.cert
26 changes: 26 additions & 0 deletions examples/https/etc/client2.cnf
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
[ req ]
default_bits = 4096
days = 9999
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
x509_extensions = v3_ca

[ req_distinguished_name ]
C = US
ST = MA
L = Boston
O = Critical Stack
OU = evhtp
CN = client2
emailAddress = nate@cl0d.com

[ req_attributes ]
challengePassword = password

[ v3_ca ]
authorityInfoAccess = @issuer_info

[ issuer_info ]
OCSP;URI.0 = http://ocsp.example.com/
caIssuers;URI.0 = http://example.com/ca.cert
26 changes: 26 additions & 0 deletions examples/https/etc/server.cnf
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
[ req ]
default_bits = 4096
days = 9999
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
x509_extensions = v3_ca

[ req_distinguished_name ]
C = US
ST = MA
L = Boston
O = Critical Stack
OU = evhtp
CN = localhost
emailAddress = nate@cl0d.com

[ req_attributes ]
challengePassword = password

[ v3_ca ]
authorityInfoAccess = @issuer_info

[ issuer_info ]
OCSP;URI.0 = http://ocsp.example.com/
caIssuers;URI.0 = http://example.com/ca.cert
Loading

0 comments on commit 1e0c241

Please sign in to comment.