authorRob Crittenden <rcritten@redhat.com>2015-09-25 09:12:00 -0400
committerRob Crittenden <rcritten@redhat.com>2015-10-02 16:51:56 -0400
commit15af3be170f05b64a967f4f7755a90608033c374 (patch)
treed0448ee439e6229580459fc55d532e807856da9b /gencert.in
parent00fe09480dfd28674661830d8a045e0f560bbe51 (diff)
Add test suite for SNI
python for OpenSSL is in quite a sad state with several competing mid-level implementations which provide different feature sets. The httplib client provides access to the negotiated cipher and protocol but not SNI (and it has lousy hostname checking). The urllib3 client provides SNI and is generally better but doesn't give any details on the connection. So I'm using both. The original one is used for basic server testing and the urllib3 one is used just for SNI testing. Also: - Indent the test configuration to make it more readable - Add separate config file for SNI testing - Add a CGI configuration and script to test CGI variables - Change client cipher test to use AES256-SHA instead of RC4 - Add a commented-out valgrind option in start for future debuggers - Change the VirtualServers to *:port and use ServerName - Add per-VH document roots so SNI can be more easily tested
Diffstat (limited to 'gencert.in')
-rwxr-xr-xgencert.in71
1 files changed, 68 insertions, 3 deletions
diff --git a/gencert.in b/gencert.in
index ffccaab..1b76e1f 100755
--- a/gencert.in
+++ b/gencert.in
@@ -61,7 +61,7 @@ ALPHA_CERTDN="E=alpha@${FQDN}, CN=Frank Alpha, UID=alpha, OU=People, O=example.c
BETA_CERTDN="E=beta@${FQDN}, CN=Anna Beta, UID=beta, OU=People, O=example.com, C=US"
# size of the keys
-KEYSIZE=1024
+KEYSIZE=2048
# validity of the certs in months
VALIDITY=48
@@ -84,9 +84,65 @@ then
fi
DBDIR=$1
+shift
+
+if [ $# > 0 ]; then
+ SNI=$1
+else
+ SNI=0
+fi
echo "httptest" > $DEST/pw.txt
+function generate_server_sni_cert {
+ hostname=$1
+
+ local SERVER_DN="CN=${hostname}, O=SNI, O=example.com, C=US"
+ local NICKNAME="Server-Cert-${hostname}"
+
+ echo ""
+ echo "#####################################################################"
+ echo "Generating $NICKNAME server certificate request"
+ echo "#####################################################################"
+ (ps -elf; date; netstat -a) > $DEST/noise
+ $CERTUTIL -R -d $DBDIR \
+ -s "$SERVER_DN" \
+ -o $DEST/tmpcertreq \
+ -g $KEYSIZE \
+ -z $DEST/noise \
+ -f $DEST/pw.txt
+
+ echo ""
+ echo "#####################################################################"
+ echo "Generating $NICKNAME server certificate"
+ echo "#####################################################################"
+ let CERTSERIAL=CERTSERIAL+1
+ echo -e "2\n9\nn\n1\n9\nn\n" | \
+ $CERTUTIL -C -d $DBDIR \
+ -c cacert \
+ -i $DEST/tmpcertreq \
+ -o $DEST/tmpcert.der \
+ -m $CERTSERIAL \
+ -v $VALIDITY \
+ -f $DEST/pw.txt \
+ -1 \
+ -5 \
+ -8 $hostname
+
+ rm $DEST/tmpcertreq
+
+ echo ""
+ echo "#####################################################################"
+ echo "Importing $NICKNAME certificate into server cert DB"
+ echo "#####################################################################"
+ $CERTUTIL -A -d $DBDIR -n $NICKNAME \
+ -t u,u,u \
+ -i $DEST/tmpcert.der \
+ -f $DEST/pw.txt
+
+ rm $DEST/tmpcert.der
+}
+
echo ""
echo "#####################################################################"
echo "Generating new server certificate and key database. The password"
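Review bot: The new argument check `if [ $# > 0 ]; then` is not a numeric comparison: inside `[ ]` the `>` is a shell redirection, so the test becomes `[ $# ]` (always true for a non-empty string) and a file named `0` is created in the current directory; when no second argument is given, `SNI=$1` therefore assigns an empty string. The same construct appears in the later hunk as `if [ $SNI > 0 ]; then`, which only avoids looping by accident because an empty `$SNI` makes `[ ]` false. Use the arithmetic operator and quote the operand in both places: `if [ "$#" -gt 0 ]; then` and `if [ "$SNI" -gt 0 ]; then`. In `generate_server_sni_cert`, `hostname=$1` is the one assignment without `local`, so it leaks into the global scope while `SERVER_DN` and `NICKNAME` do not; `local hostname=$1` keeps the function self-contained, and quoting `"$hostname"` in the `-8` argument matches how `"$SERVER_DN"` is already passed.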
@@ -115,7 +171,6 @@ $CERTUTIL -S -d $DBDIR -n cacert \
-z $DEST/noise \
-2 \
-1 \
- -5
echo ""
echo "#####################################################################"
@@ -185,7 +240,8 @@ $CERTUTIL -C -d $DBDIR \
-v $VALIDITY \
-f $DEST/pw.txt \
-1 \
- -5
+ -5 \
+ -8 $FQDN
rm $DEST/tmpcertreq
@@ -200,6 +256,15 @@ $CERTUTIL -A -d $DBDIR -n Server-Cert \
rm $DEST/tmpcert.der
+if [ $SNI > 0 ]; then
+ SNI=`expr $SNI + 1`
+ count=1
+ while test $count -lt $SNI ; do
+ generate_server_sni_cert www$count.example.com
+ count=`expr $count + 1`
+ done
+fi
+
echo ""
echo "#####################################################################"
echo "Cleaning up"