From 1e8f0d72481e3b5686c991293990eaaf17f1b761 Mon Sep 17 00:00:00 2001
From: kakwa
Date: Sun, 11 Sep 2016 23:57:25 +0200
Subject: [PATCH] adding test configuration for ssl setup

---
 tests/cfg/pki/create_tsa_certs | 25 +++++-
 tests/cfg/uts-server-ssl.cnf | 138 +++++++++++++++++++++++++++++++++
 2 files changed, 161 insertions(+), 2 deletions(-)
 create mode 100644 tests/cfg/uts-server-ssl.cnf

diff --git a/tests/cfg/pki/create_tsa_certs b/tests/cfg/pki/create_tsa_certs
index db6926e..e7416ca 100755
--- a/tests/cfg/pki/create_tsa_certs
+++ b/tests/cfg/pki/create_tsa_certs
@@ -28,7 +28,7 @@ create_tsa_cert () {
  export INDEX
  EXT=$2
  TSDNSECT=ts_cert_dn
- export TSDNSECT
+ export TSDNSECT
 
  openssl req -new \
  -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
@@ -41,13 +41,34 @@ echo Using extension $EXT
  test $? != 0 && error
 }
 
+create_cert () {
+
+ INDEX=$1
+ export INDEX
+ TSDNSECT=ts_cert_dn
+ export TSDNSECT
+
+ openssl req -new \
+ -out tsa_req${INDEX}.pem -keyout ssl_key${INDEX}.pem
+ test $? != 0 && error
+ openssl x509 -req \
+ -in tsa_req${INDEX}.pem -out ssl_cert${INDEX}.pem \
+ -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
+ -extensions server_cert
+ test $? != 0 && error
+ cat ssl_key${INDEX}.pem ssl_cert${INDEX}.pem >ssl_keycerts${INDEX}.pem
+}
+
 echo "Creating CA for TSA tests..."
 create_ca
 
 echo "Creating tsa_cert1.pem TSA server cert..."
 create_tsa_cert 1 tsa_cert
 
-echo "Creating tsa_cert2.pem non-TSA server cert..."
+echo "Creating tsa_cert2.pem TSA server cert..."
 create_tsa_cert 2 tsa_cert
 
+echo "Creating ssl_keycerts1.pem for ssl"
+create_cert 1
+
 exit 0
diff --git a/tests/cfg/uts-server-ssl.cnf b/tests/cfg/uts-server-ssl.cnf
new file mode 100644
index 0000000..5eebecd
--- /dev/null
+++ b/tests/cfg/uts-server-ssl.cnf
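Review bot: In the new `create_cert`, the step that writes the combined key-and-certificate file, `cat ssl_key${INDEX}.pem ssl_cert${INDEX}.pem >ssl_keycerts${INDEX}.pem`, is the only one whose failure is not checked, and the file containing the private key is created with whatever umask the caller has; change it to `cat ssl_key${INDEX}.pem ssl_cert${INDEX}.pem >ssl_keycerts${INDEX}.pem || error` followed by `chmod 600 ssl_keycerts${INDEX}.pem` so a missing input or full disk cannot leave a truncated fixture behind. The request is written to `tsa_req${INDEX}.pem`, the same name `create_tsa_cert` uses for the TSA CSR of that index, so `create_cert 1` silently overwrites the CSR produced a moment earlier; `ssl_req${INDEX}.pem` keeps the two apart. `openssl x509 -req` is also called without `-days`, so the SSL test certificate expires 30 days after generation (OpenSSL's default), which will make the SSL tests start failing a month after the fixtures are built. With `TSDNSECT=ts_cert_dn` the certificate reuses the TSA signing cert's subject section, and the `server_cert` extension section is defined outside this patch, so whether the resulting certificate names the `127.0.0.1` listener cannot be verified from here.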
@@ -0,0 +1,138 @@
+[ oids ]
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+[ main ]
+
+# Comma-separated list of ips:ports to listen on.
+# If the port is SSL, a letter s must be appended.
+listening_ports = 127.0.0.1:2020s
+#listening_ports = 80,443s
+
+# Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance.
+enable_keep_alive = no
+
+# Number of worker threads
+num_threads = 10
+
+# Switch to given user credentials after startup.
+# Required to run on privileged ports and not be run as root.
+#run_as_user = uts-server
+
+# Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
+# * limit speed for all connections
+# x.x.x.x/mask limit speed for specified subnet
+# The value is a floating-point number of bytes per second, optionally followed by a k or m character
+# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate
+throttle = *=0
+#throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
+
+# Timeout for network read and network write operations, in milliseconds.
+request_timeout_ms = 30000
+
+# Path to the SSL certificate file. (PEM format containing private key and certificate)
+ssl_certificate = ./pki/ssl_keycerts1.pem
+
+# Enable client's certificate verification by the server.
+ssl_verify_peer = no
+
+# Name of a directory containing trusted CA certificates
+#ssl_ca_path = /etc/ssl/ca/
+
+# Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
+ssl_ca_file = ./pki/tsaca.pem
+
+# Sets maximum depth of certificate chain.
+# If client's certificate chain is longer than the depth set here connection is refused.
+#ssl_verify_depth = 9
+
+# Loads default trusted certificates locations set at openssl compile time.
+#ssl_default_verify_paths = yes
+
+# see https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
+ssl_cipher_list = ALL:!eNULL
+
+# Sets the minimal accepted version of SSL/TLS protocol according to the table:
+# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0
+# SSL3+TLS1.0+TLS1.1+TLS1.2 1
+# TLS1.0+TLS1.1+TLS1.2 2
+# TLS1.1+TLS1.2 3
+# TLS1.2 4
+
+ssl_protocol_version = 3
+
+# Enables the use of short lived certificates
+#ssl_short_trust = no
+
+# comma separated list of IP subnets to accept/deny
+# deny all accesses, only allow 192.168/16 subnet
+#access_control_allow_origin = -0.0.0.0/0,+192.168/16
+
+# Enable TCP_NODELAY socket option on client connections.
+tcp_nodelay = 0
+
+# loglevel
+# debug, info, notice, warn, err, emerg, crit
+log_level = info
+
+####################################################################
+[ tsa ]
+
+# The default TSA section.
+default_tsa = tsa_config1
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+
+# TSA root directory
+dir = ./pki
+
+# OpenSSL engine to use for signing
+crypto_device = builtin
+
+# The TSA signing certificat
+# (optional)
+signer_cert = $dir/tsa_cert1.pem
+
+# Certificate chain to include in reply
+# (optional)
+certs = $dir/tsaca.pem
+
+# The TSA private key
+# (optional)
+signer_key = $dir/tsa_key1.pem
+
+# Policy if request did not specify it
+# (optional)
+default_policy = tsa_policy1
+
+# Acceptable policies
+# (optional)
+other_policies = tsa_policy2, tsa_policy3
+
+# Acceptable message digests
+# (mandatory)
+digests = md5, sha1
+
+# (optional)
+accuracy = secs:1, millisecs:500, microsecs:100
+
+# Number of digits after dot.
+# (optional)
+clock_precision_digits = 0
+
+# Is ordering defined for timestamps?
+# (optional, default: no)
+ordering = yes
+
+# Must the TSA name be included in the reply?
+## (optional, default: no)
+tsa_name = yes
+
+# Must the ESS cert id chain be included?
+# (optional, default: no)
+ess_cert_id_chain = no
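Review bot: `digests = md5, sha1` in `[ tsa_config1 ]` makes the TSA accept timestamp requests only over MD5 and SHA-1 message imprints, so the server will sign collision-prone digests while refusing SHA-256 requests; even for a test fixture, `digests = sha256, sha1` (dropping `md5`, and `sha1` once no test depends on it) matches what current clients send. `ssl_cipher_list = ALL:!eNULL` still admits anonymous (`aNULL`), export and RC4 suites, which `HIGH:!aNULL:!eNULL` excludes without affecting the loopback test client, and `ssl_protocol_version = 3` could be `4` so the `127.0.0.1:2020s` listener negotiates TLS 1.2 only. The comment above `#access_control_allow_origin = -0.0.0.0/0,+192.168/16` describes an IP allow/deny list, but if these keys are civetweb's, as the rest of `[ main ]` suggests, that name sets the CORS `Access-Control-Allow-Origin` response header and the `-0.0.0.0/0,+192.168/16` syntax belongs to `access_control_list`; either the key or the comment should be corrected so the example is not copied into a real deployment. `# The TSA signing certificat` is missing its final `e`.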