| #!/bin/sh |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| # This script will populate a directory 'sni' with 3 sites, httpd.conf |
| # and certificates as to facilitate testing of TLS server name |
| # indication support (RFC 4366) or SNI. |
| # |
| # |
| OPENSSL=${OPENSSL:-openssl} |
| DOMAIN=${DOMAIN:-my-sni-test.org} |
| DIR=${DIR:-$PWD/sni} |
| |
| # List of hostnames automatically created by default. |
| NAMES=${NAMES:-ape nut pear apple banana} |
| |
| # IP address these hostnames are bound to. |
| IP=${IP:-127.0.0.1} |
| |
| # A certificate password for the .p12 files of the client |
| # authentication test. Normally not set. However some browsers |
| # require a password of at least 4 characters. |
| # |
| PASSWD=${PASSWD:-} |
| |
| args=`getopt a:fd:D:p: $*` |
| if [ $? != 0 ]; then |
| echo "Syntax: $0 [-f] [-a IPaddress] [-d outdir] [-D domain ] [two or more vhost names ]" |
| echo " -f Force overwriting of outdir (default is $DIR)" |
| echo " -d dir Directory to create the SNI test server in (default is $DIR)" |
| echo " -D domain Domain name to use for this test (default is $DOMAIN)" |
| echo " -a IP IP address to use for this virtual host (default is $IP)" |
| echo " -p str Password for the client certificate test (some browsers require a set password)" |
| echo " [names] List of optional vhost names (default is $NAMES)" |
| echo |
| echo "Example:" |
| echo " $0 -D SecureBlogsAreUs.com peter fred mary jane ardy" |
| echo |
| echo "Which will create peter.SecureBlogsAreUs.com, fred.SecureBlogsAreUs.com and" |
| echo "so on. Note that the _first_ FQDN is also the default for non SNI hosts. It" |
| echo "may make sense to give this host a generic name - and allow each of the real" |
| echo "SNI site as sub directories/URI's of this generic name; thus allowing the " |
| echo "few non-SNI browsers access." |
| exit 1 |
| fi |
| set -- $args |
| for i |
| do |
| case "$i" |
| in |
| -f) |
| FORCE=1 |
| shift;; |
| -a) |
| IP=$2; shift |
| shift;; |
| -d) |
| DIR=$2; shift |
| shift;; |
| -p) |
| PASSWD=$2; shift |
| shift;; |
| -D) |
| DOMAIN=$2; shift |
| shift;; |
| --) |
| shift; break; |
| esac |
| done |
| |
| if [ $# = 1 ]; then |
| echo "Aborted - just specifying one vhost makes no sense for SNI testing. Go wild !" |
| exit 1 |
| fi |
| |
| if [ $# -gt 0 ]; then |
| NAMES=$* |
| fi |
| |
| if ! openssl version | grep -q OpenSSL; then |
| echo Aborted - your openssl is very old or misconfigured. |
| exit 1 |
| fi |
| |
| set `openssl version` |
| if test "0$2" \< "00.9"; then |
| echo Aborted - version of openssl too old, 0.9 or up required. |
| exit 1 |
| fi |
| |
| if test -d ${DIR} -a "x$FORCE" != "x1"; then |
| echo Aborted - already an ${DIR} directory. Use the -f flag to overwrite. |
| exit 1 |
| fi |
| |
| mkdir -p ${DIR} || exit 1 |
| mkdir -p ${DIR}/ssl ${DIR}/htdocs ${DIR}/logs || exit 1 |
| |
| # Create a 'CA' - keep using different serial numbers |
| # as the browsers get upset if they see an identical |
| # serial with a different pub-key. |
| # |
| # Note that we're not relying on the 'v3_ca' section as |
| # in the default openssl.conf file - so the certificate |
| # will be without the basicConstraints = CA:true and |
| # keyUsage = cRLSign, keyCertSign values. This is fine |
| # for most browsers. |
| # |
| serial=$RANDOM$$ |
| |
| openssl req -new -nodes -batch \ |
| -x509 \ |
| -days 10 -subj '/CN=Da Root/O=SNI testing/' -set_serial $serial \ |
| -keyout ${DIR}/root.key -out ${DIR}/root.pem \ |
| || exit 2 |
| |
| CDIR=${DIR}/client-xs-control |
| mkdir -p ${CDIR} |
| # Create some certificate authorities for testing client controls |
| # |
| openssl req -new -nodes -batch \ |
| -x509 \ |
| -days 10 -subj '/CN=Da Second Root/O=SNI user access I/' -set_serial 2$serial$$\ |
| -keyout ${CDIR}/xs-root-1.key -out ${CDIR}/xs-root-1.pem \ |
| || exit 2 |
| |
| openssl req -new -nodes -batch \ |
| -x509 \ |
| -days 10 -subj '/CN=Da Second Root/O=SNI user access II/' -set_serial 3$serial$$ \ |
| -keyout ${CDIR}/xs-root-2.key -out ${CDIR}/xs-root-2.pem \ |
| || exit 2 |
| |
| # Create a chain of just the two access authorites: |
| cat ${CDIR}/xs-root-2.pem ${CDIR}/xs-root-1.pem > ${CDIR}/xs-root-chain.pem |
| |
| # And likewise a directory with the same information (using the |
| # required 'hash' naming format |
| # |
| mkdir -p ${CDIR}/xs-root-dir || exit 1 |
| rm -f {$CDIR}/*.0 |
| ln ${CDIR}/xs-root-1.pem ${CDIR}/xs-root-dir/`openssl x509 -noout -hash -in ${CDIR}/xs-root-1.pem`.0 |
| ln ${CDIR}/xs-root-2.pem ${CDIR}/xs-root-dir/`openssl x509 -noout -hash -in ${CDIR}/xs-root-2.pem`.0 |
| |
| # Use the above two client certificate authorities to make a few users |
| for i in 1 2 |
| do |
| # Create a certificate request for a test user. |
| # |
| openssl req -new -nodes -batch \ |
| -days 9 -subj "/CN=User $i/O=SNI Test Crash Dummy Dept/" \ |
| -keyout ${CDIR}/client-$i.key -out ${CDIR}/client-$i.req -batch \ |
| || exit 3 |
| |
| # And get it signed by either our client cert issuing root authority. |
| # |
| openssl x509 -text -req \ |
| -CA ${CDIR}/xs-root-$i.pem -CAkey ${CDIR}/xs-root-$i.key \ |
| -set_serial 3$serial$$ -in ${CDIR}/client-$i.req -out ${CDIR}/client-$i.pem \ |
| || exit 4 |
| |
| # And create a pkcs#12 version for easy browser import. |
| # |
| openssl pkcs12 -export \ |
| -inkey ${CDIR}/client-$i.key -in ${CDIR}/client-$i.pem -name "Client $i" \ |
| -caname "Issuing client root $i" -certfile ${CDIR}/xs-root-$i.pem \ |
| -out ${CDIR}/client.p12 -passout pass:"$PASSWD" || exit 5 |
| |
| rm ${CDIR}/client-$i.req |
| done |
| |
| # Create the header for the example '/etc/hosts' file. |
| # |
| echo '# To append to your hosts file' > ${DIR}/hosts |
| |
| # Create a header for the httpd.conf snipped. |
| # |
| cat > ${DIR}/httpd-sni.conf << EOM |
| # To append to your httpd.conf file' |
| Listen ${IP}:443 |
| NameVirtualHost ${IP}:443 |
| |
| LoadModule ssl_module modules/mod_ssl.so |
| |
| SSLRandomSeed startup builtin |
| SSLRandomSeed connect builtin |
| |
| LogLevel debug |
| TransferLog ${DIR}/logs/access_log |
| ErrorLog ${DIR}/logs/error_log |
| |
| # You'll get a warning about this. |
| # |
| SSLSessionCache none |
| |
| # Note that this SSL configuration is far |
| # from complete - you propably will want |
| # to configure SSLSession Caches at the |
| # very least. |
| |
| <Directory /> |
| Options None |
| AllowOverride None |
| Require all denied |
| </Directory> |
| |
| <Directory "${DIR}/htdocs"> |
| allow from all |
| Require all granted |
| </Directory> |
| |
| # This first entry is also the default for non SNI |
| # supporting clients. |
| # |
| EOM |
| |
| # Create the header of a sample BIND zone file. |
| # |
| ( |
| echo "; Configuration sample to be added to the $DOMAIN zone file of BIND." |
| echo "\$ORIGIN $DOMAIN." |
| ) > ${DIR}/zone-file |
| |
| ZADD="IN A $IP" |
| INFO="and also the site you see when the browser does not support SNI." |
| |
| set -- ${NAMES} |
| DEFAULT=$1 |
| |
| for n in ${NAMES} |
| do |
| FQDN=$n.$DOMAIN |
| serial=`expr $serial + 1` |
| |
| # Create a certificate request for this host. |
| # |
| openssl req -new -nodes -batch \ |
| -days 9 -subj "/CN=$FQDN/O=SNI Testing/" \ |
| -keyout ${DIR}/$n.key -out ${DIR}/$n.req -batch \ |
| || exit 3 |
| |
| # And get it signed by our root authority. |
| # |
| openssl x509 -text -req \ |
| -CA ${DIR}/root.pem -CAkey ${DIR}/root.key \ |
| -set_serial $serial -in ${DIR}/$n.req -out ${DIR}/$n.pem \ |
| || exit 4 |
| |
| # Combine the key and certificate in one file. |
| # |
| cat ${DIR}/$n.pem ${DIR}/$n.key > ${DIR}/ssl/$n.crt |
| rm ${DIR}/$n.req ${DIR}/$n.key ${DIR}/$n.pem |
| |
| LST="$LST |
| https://$FQDN/index.html" |
| |
| # Create a /etc/host and bind-zone file example |
| # |
| echo "${IP} $FQDN $n" >> ${DIR}/hosts |
| echo "$n $ZADD" >> ${DIR}/zone-file |
| ZADD="IN CNAME $DEFAULT" |
| |
| # Create and populate a docroot for this host. |
| # |
| mkdir -p ${DIR}/htdocs/$n || exit 1 |
| echo We are $FQDN $INFO > ${DIR}/htdocs/$n/index.html || exit 1 |
| |
| # And change the info text - so that only the default/fallback site |
| # gets marked as such. |
| # |
| INFO="and you'd normally only see this site when there is proper SNI support." |
| |
| # And create a configuration snipped. |
| # |
| cat >> ${DIR}/httpd-sni.conf << EOM |
| <VirtualHost ${IP}:443> |
| SSLEngine On |
| ServerName $FQDN:443 |
| DocumentRoot ${DIR}/htdocs/$n |
| SSLCertificateChainFile ${DIR}/root.pem |
| SSLCertificateFile ${DIR}/ssl/$n.crt |
| |
| # Uncomment the following lines if you |
| # want to only allow access to clients with |
| # a certificate issued/signed by some |
| # selection of the issuing authorites |
| # |
| # SSLCACertificate ${CDIR}/xs-root-1.pem # just root 1 |
| # SSLCACertificate ${CDIR}/xs-root-2.pem # just root 2 |
| # SSLCACertificate ${CDIR}/xs-root-chain.pem # 1 & 2 |
| # SSLCACertificateDir ${CDIR}/xs-root-dir # 1 & 2 - but as a directory. |
| # |
| # SSLVerifyClient require |
| # SSLVerifyDepth 2 |
| # |
| TransferLog ${DIR}/logs/access_$n |
| </VirtualHost> |
| |
| EOM |
| |
| done |
| |
| cat << EOM |
| SNI Files generated |
| =================== |
| |
| The directory ${DIR}/sni has been populated with the following |
| |
| - root.key|pem Certificate authority root and key. (You could |
| import the root.pem key into your browser to |
| quell warnings about an unknown authority). |
| |
| - hosts /etc/hosts file with fake entries for the hosts |
| |
| - htdocs directory with one docroot for each domain, |
| each with a small sample file. |
| |
| - ssl directory with an ssl cert (signed by root) |
| for each of the domains). |
| |
| - logs logfiles, one for each domain and an |
| access_log for any misses. |
| |
| The directory ${CDIR} contains optional test files to allow client |
| authentication testing: |
| |
| - client*pem/p12 Files for client authentication testing. These |
| need to be imported into the browser. |
| |
| - xs-root-1/2 Certificate authority which has issued above |
| client authentication certificates. |
| |
| - xs-root-dir A directory specific for the SSLCACertificateDir |
| directive. |
| |
| - xs-root-chain A chain of the two client xs authorities for the |
| SSLCACertificate directive. |
| |
| SNI Test |
| ======== |
| |
| A directory ${DIR}/sni has been created. Run an apache |
| server against it with |
| |
| .../httpd -f ${DIR}/httpd-sni.conf |
| |
| and keep an eye on ${DIR}/logs/error_log. When everything |
| is fine you will see entries like: |
| |
| Feb 11 16:12:26 2008] [debug] Init: |
| SSL server IP/port overlap: ape.*:443 (httpd-sni.conf:24) vs. jane.*:443 (httpd-sni.conf:42) |
| |
| for each vhost configured and a concluding warning: |
| |
| [Mon Feb 11 16:12:26 2008] [warn] Init: |
| Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366) |
| |
| HOWEVER - If you see an entry like: |
| |
| [Mon Feb 11 15:41:41 2008] [warn] Init: |
| You should not use name-based virtual hosts in conjunction with SSL!! |
| |
| then you are either using an OpenSSL which is too old and/or you need to ensure that the |
| TLS Extensions are compiled into openssl with the 'enable-tlsext' flag. Once you have |
| recompiled or reinstalled OpenSSL with TLS Extensions you will have to recompile mod_ssl |
| to allow it to recognize SNI support. |
| |
| Meanwhile add 'hosts' to your c:\windows\system32\drivers\etc\hosts |
| or /etc/hosts file as to point the various URL's to your server: |
| $LST |
| |
| and verify that each returns its own name (and an entry in its |
| own ${DIR}/logs) file). |
| |
| NOTE |
| ==== |
| |
| Note that in the generated example the 'first' domain is special - and is the |
| catch all for non-SNI browsers. Depending on your circumstances it may make |
| sense to use a generic name - and have each of the SNI domains as subdirectories |
| (and hence URI's under this generic name). Thus allowing non SNI browsers also |
| access to those sites. |
| EOM |
| exit 0 |