-rwxr-xr-xopenssl-connect64
-rwxr-xr-xopenssl-listen104
2 files changed, 168 insertions, 0 deletions
diff --git a/openssl-connect b/openssl-connect
new file mode 100755
index 0000000..55e896e
--- /dev/null
+++ b/openssl-connect
@@ -0,0 +1,64 @@
+#!/bin/bash
+# Connects to a SSL host for a list of ciphers
+# Author: Peter Wu <lekensteyn@gmail.com>
+
+host=${1:-localhost}
+portbase=${2:-4430}
+
+s_client_client_random() {
+ awk '
+ # match Master-Key from SSL Session dump
+ /Master-Key:/{key=$2}
+ {
+ b=1;e=16;
+ if(l==3)b=7;
+ if(l==1)e=6;
+ for (i = b; i <= e; i++)
+ s=s$i;
+
+ # at the end, save random value in map r
+ if (l--==1)
+ r[s]=1
+ }
+
+ # Match block containing Crandom bytes (over three lines)
+ / ClientHello|ServerHello$/{l=3;s=""}
+
+ END{
+ for (rnd in r) {
+ if (key)
+ print "CLIENT_RANDOM", rnd, key
+ else
+ print "# No master key for random", rnd
+ }
+ }'
+}
+
+# When stdin is a TTY, try all ciphers
+if [ -t 0 ]; then
+ openssl ciphers -V | awk '{print $3, substr($6, 4)}'
+else
+ # otherwise if not TTY, pass-through
+ cat
+fi |
+while read cipher auth; do
+ case $auth in
+ RSA)
+ port=$portbase ;;
+ ECDH|ECDSA)
+ port=$((portbase+1)) ;;
+ DSS)
+ port=$((portbase+2)) ;;
+ PSK|*)
+ echo "Skipping unsupported $auth" >&2
+ continue
+ ;;
+ esac
+
+ # It is expected that the other side closes the connection
+ printf "GET / HTTP/1.0\r\n\r\n" |
+ openssl s_client -connect "$host:$port" -ign_eof -cipher "$cipher" \
+ -msg 2>&1 | s_client_client_random
+done
+
+# vim: set et sw=4 ts=4:
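Review bot: The `while read cipher auth` loop at the end of openssl-connect reads without `-r`, so a backslash in the `openssl ciphers -V` output or in whatever is piped in on stdin is interpreted instead of kept literally; use `while read -r cipher auth; do`. The `PSK|*)` arm of the same `case` is just `*)`, since the catch-all already matches PSK; writing `*)` alone (and naming PSK in the message if that is the intent) says what it means. The `openssl s_client` call passes no verification options, so presumably it reports but does not abort on certificate-verification failures, which suits the self-signed test servers from openssl-listen; a one-line comment above it, `# no certificate verification: meant only for the local openssl-listen test servers`, would make that explicit for anyone reusing the script.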
diff --git a/openssl-listen b/openssl-listen
new file mode 100755
index 0000000..f4cf984
--- /dev/null
+++ b/openssl-listen
@@ -0,0 +1,104 @@
+#!/bin/bash
+# Set-up OpenSSL servers with test keys for EC, DSA and RSA.
+# Author: Peter Wu <lekensteyn@gmail.com>
+
+rsa_prv=server.pem
+rsa_pub=server.crt
+dsa_prv=dsa.pem
+dsa_pub=dsa.crt
+ecc_prv=secp384r1.pem
+ecc_pub=secp384r1.crt
+
+pkdir=$1
+portbase=${2:-4430}
+
+if [ -z "$pkdir" ]; then
+ cat <<EOF
+Usage: $0 path-to-certsdir [port base]"
+openssl s_client will listen on three ports,
+starting at 'port base' (default 4430)
+EOF
+ exit 1
+fi
+[[ $pkdir == */ ]] || pkdir+=/
+
+if ! mkdir -p "$pkdir"; then
+ echo "Could not create directory $pkdir" >&2
+ exit 1
+fi
+
+pids=()
+
+gen_pk() {
+ local type keyfile crtfile
+ type=$1
+ keyfile=$2
+ crtfile=$3
+
+ case $type in
+ RSA)
+ openssl genrsa -out "$keyfile"
+ ;;
+ DSS)
+ openssl dsaparam 1024 | openssl gendsa /dev/stdin -out "$keyfile"
+ ;;
+ ECDH|ECDSA)
+ openssl ecparam -name prime192v1 -out "$keyfile" -genkey
+ ;;
+ *)
+ echo "Invalid cert type $type" >&2
+ return 1
+ esac
+ openssl req -new -key "$keyfile" -x509 -days 3650 -out "$crtfile" -subj "/CN=Test Certificate $type"
+}
+
+start_server() {
+ local keyfile crtfile port auth
+ auth=$1
+
+ case $auth in
+ RSA)
+ crtfile=$rsa_pub
+ keyfile=$rsa_prv
+ port=$portbase
+ ;;
+ ECDH|ECDSA)
+ crtfile=$ecc_pub
+ keyfile=$ecc_prv
+ port=$((portbase+1))
+ ;;
+ DSS)
+ crtfile=$dsa_pub
+ keyfile=$dsa_prv
+ port=$((portbase+2))
+ ;;
+ *)
+ echo "Invalid cert type $auth" >&2
+ return 1
+ ;;
+ esac
+
+ if [ ! -e "$pkdir$crtfile" ]; then
+ gen_pk "$auth" "$pkdir$keyfile" "$pkdir$crtfile" || return 1
+ fi
+
+ openssl s_server -accept $port \
+ -cert "$pkdir$crtfile" -key "$pkdir$keyfile" -www &
+ pids+=($!)
+}
+
+cleanup() {
+ if [ ${#pids[@]} -gt 0 ]; then
+ echo "Killing: ${pids[*]}"
+ kill "${pids[@]}"
+ fi
+}
+trap cleanup EXIT
+
+for auth in RSA ECDH DSS; do
+ start_server $auth
+done
+
+wait
+
+# vim: set et sw=4 ts=4:
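Review bot: The usage heredoc near the top of openssl-listen has a stray trailing `"` on the Usage line and says `openssl s_client will listen` although the script starts `openssl s_server`; the two lines should read `Usage: $0 path-to-certsdir [port base]` and `openssl s_server will listen on three ports,`. In `start_server` the existence test looks only at the certificate, so a directory holding a `.crt` without its `.pem` starts s_server with a missing key; `if [ ! -e "$pkdir$crtfile" ] || [ ! -e "$pkdir$keyfile" ]; then` covers that case. The keys `gen_pk` produces (1024-bit DSA, prime192v1 EC, genrsa at its version-dependent default size) are only fit for the test purpose the header describes; a comment above `gen_pk` such as `# deliberately small, throwaway test keys; do not reuse outside this harness` would make that clear to anyone copying the function.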