Added a more extensive SSL sandbox.

After running `make examples`, if SSL is enabled, you can quickly test HTTPS, with optional client-based certificate authentication using the following process within the build directory: ``` ./examples/https/bin/generate.sh -- Test without client auth ./examples/example_https \ -cert examples/https/server-crt.pem \ -key examples/https/server-key.pem curl -vk https://localhost:4443/ -- Test WITH client auth ./examples/example_https \ -cert examples/https/server-crt.pem \ -key examples/https/server-key.pem \ -ca examples/https/ca-crt.pem \ -verify-peer \ -verify-depth 2 \ -enforce-peer-cert curl -kv \ --key examples/https/client1-key.pem \ --cert examples/https/client1-crt.pem \ https://localhost:4443/ ```
Yellow-Camper · Dec 6, 2017 · 1e0c241 · 1e0c241
1 parent 282a1c9
commit 1e0c241
Show file tree

Hide file tree

Showing 7 changed files with 434 additions and 1 deletion.
diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt
@@ -8,6 +8,7 @@ add_executable(test_query EXCLUDE_FROM_ALL test_query.c)
 add_executable(test_perf EXCLUDE_FROM_ALL test_perf.c)
 add_executable(example_vhost EXCLUDE_FROM_ALL example_vhost.c)
 add_executable(example_pause EXCLUDE_FROM_ALL example_pause.c)
+add_executable(example_https EXCLUDE_FROM_ALL https/example_https.c)
 
 if (NOT EVHTP_DISABLE_EVTHR)
 	add_executable(test_proxy EXCLUDE_FROM_ALL test_proxy.c)
@@ -23,7 +24,16 @@ target_link_libraries(test_query   evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})
 target_link_libraries(test_perf    evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})
 target_link_libraries(example_vhost evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})
 target_link_libraries(example_pause evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})
+target_link_libraries(example_https evhtp ${LIBEVHTP_EXTERNAL_LIBS} ${SYS_LIBS})
 
-add_dependencies(examples example_pause example_vhost test_extensive test_basic test_vhost test_client test_query test_perf)
+add_dependencies(examples example_https example_pause example_vhost test_extensive test_basic test_vhost test_client test_query test_perf)
 
+file (COPY
+    https/etc/ca.cnf
+    https/etc/client1.cnf
+    https/etc/client2.cnf
+    https/etc/server.cnf
+    DESTINATION
+    https/etc/)
 
+configure_file(https/bin/generate.sh.in https/bin/generate.sh @ONLY)
diff --git a/examples/https/bin/generate.sh.in b/examples/https/bin/generate.sh.in
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+CONFIG_DIR="@PROJECT_BINARY_DIR@/examples/https"
+
+# Create new CA
+openssl req -new -x509 -days 9999    \
+    -config "$CONFIG_DIR/etc/ca.cnf" \
+    -keyout "$CONFIG_DIR/ca-key.pem" \
+    -out    "$CONFIG_DIR/ca-crt.pem"
+
+# Generate private key for server
+openssl genrsa -out "$CONFIG_DIR/server-key.pem" 4096
+
+# Generate cert signing request
+openssl req -new \
+    -config "$CONFIG_DIR/etc/server.cnf" \
+    -key    "$CONFIG_DIR/server-key.pem" \
+    -out    "$CONFIG_DIR/server-csr.pem"
+
+# Sign the request
+openssl x509 -req                         \
+    -extfile "$CONFIG_DIR/etc/server.cnf" \
+    -days 999                             \
+    -passin "pass:password"               \
+    -in "$CONFIG_DIR/server-csr.pem"      \
+    -CA "$CONFIG_DIR/ca-crt.pem"          \
+    -CAkey "$CONFIG_DIR/ca-key.pem"       \
+    -CAcreateserial                       \
+    -out "$CONFIG_DIR/server-crt.pem"
+
+# Generate a few client certs
+openssl genrsa -out "$CONFIG_DIR/client1-key.pem" 4096
+openssl genrsa -out "$CONFIG_DIR/client2-key.pem" 4096
+
+# create two cert sign requests
+openssl req -new -config "$CONFIG_DIR/etc/client1.cnf" -key $CONFIG_DIR/client1-key.pem -out $CONFIG_DIR/client1-csr.pem
+openssl req -new -config $CONFIG_DIR/etc/client2.cnf -key $CONFIG_DIR/client2-key.pem -out $CONFIG_DIR/client2-csr.pem
+
+# sign the above client certs
+openssl x509 -req            \
+    -extfile $CONFIG_DIR/etc/client1.cnf \
+    -days 999                \
+    -passin "pass:password"  \
+    -in $CONFIG_DIR/client1-csr.pem      \
+    -CA $CONFIG_DIR/ca-crt.pem           \
+    -CAkey $CONFIG_DIR/ca-key.pem        \
+    -CAcreateserial          \
+    -out $CONFIG_DIR/client1-crt.pem
+
+openssl x509 -req            \
+    -extfile $CONFIG_DIR/etc/client2.cnf \
+    -days 999                \
+    -passin "pass:password"  \
+    -in $CONFIG_DIR/client2-csr.pem      \
+    -CA $CONFIG_DIR/ca-crt.pem           \
+    -CAkey $CONFIG_DIR/ca-key.pem        \
+    -CAcreateserial          \
+    -out $CONFIG_DIR/client2-crt.pem
diff --git a/examples/https/etc/ca.cnf b/examples/https/etc/ca.cnf
@@ -0,0 +1,31 @@
+[ ca ]
+default_ca      = CA_default
+
+[ CA_default ]
+serial = ca-serial
+crl = ca-crl.pem
+database = ca-database.txt
+name_opt = CA_default
+cert_opt = CA_default
+default_crl_days = 9999
+default_md = md5
+
+[ req ]
+default_bits           = 4096
+days                   = 9999
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+output_password        = password
+
+[ req_distinguished_name ]
+C                      = US
+ST                     = MA
+L                      = Boston
+O                      = Critical Stack
+OU                     = evhtp
+CN                     = ca
+emailAddress           = nate@cl0d.com
+
+[ req_attributes ]
+challengePassword      = test
diff --git a/examples/https/etc/client1.cnf b/examples/https/etc/client1.cnf
@@ -0,0 +1,26 @@
+[ req ]
+default_bits           = 4096
+days                   = 9999
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+x509_extensions        = v3_ca
+
+[ req_distinguished_name ]
+C                      = US
+ST                     = MA
+L                      = Boston
+O                      = Critical Stack
+OU                     = evhtp
+CN                     = client1
+emailAddress           = nate@cl0d.com
+
+[ req_attributes ]
+challengePassword      = password
+
+[ v3_ca ]
+authorityInfoAccess = @issuer_info
+
+[ issuer_info ]
+OCSP;URI.0 = http://ocsp.example.com/
+caIssuers;URI.0 = http://example.com/ca.cert
diff --git a/examples/https/etc/client2.cnf b/examples/https/etc/client2.cnf
@@ -0,0 +1,26 @@
+[ req ]
+default_bits           = 4096
+days                   = 9999
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+x509_extensions        = v3_ca
+
+[ req_distinguished_name ]
+C                      = US
+ST                     = MA
+L                      = Boston
+O                      = Critical Stack
+OU                     = evhtp
+CN                     = client2
+emailAddress           = nate@cl0d.com
+
+[ req_attributes ]
+challengePassword      = password
+
+[ v3_ca ]
+authorityInfoAccess = @issuer_info
+
+[ issuer_info ]
+OCSP;URI.0 = http://ocsp.example.com/
+caIssuers;URI.0 = http://example.com/ca.cert
diff --git a/examples/https/etc/server.cnf b/examples/https/etc/server.cnf
@@ -0,0 +1,26 @@
+[ req ]
+default_bits           = 4096
+days                   = 9999
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+x509_extensions        = v3_ca
+
+[ req_distinguished_name ]
+C                      = US
+ST                     = MA
+L                      = Boston
+O                      = Critical Stack
+OU                     = evhtp
+CN                     = localhost
+emailAddress           = nate@cl0d.com
+
+[ req_attributes ]
+challengePassword      = password
+
+[ v3_ca ]
+authorityInfoAccess = @issuer_info
+
+[ issuer_info ]
+OCSP;URI.0 = http://ocsp.example.com/
+caIssuers;URI.0 = http://example.com/ca.cert