-rw-r--r--notes.txt4
-rwxr-xr-xopenssl-connect28
-rwxr-xr-xopenssl-listen52
3 files changed, 63 insertions, 21 deletions
diff --git a/notes.txt b/notes.txt
index ef0f7f3..dd00f24 100644
--- a/notes.txt
+++ b/notes.txt
@@ -59,7 +59,7 @@ rm ok.txt nok.txt;time while read url; do cipher="${url%%.*}";cipher="${cipher##
for url in $(cat res/ok.txt); do host="${url##*/}"; echo;echo;echo _____ $host;(printf "GET / HTTP/1.1\r\nHost: $host\r\n\r\n";sleep .2) | openssl s_client -connect "$host" -CApath /etc/nginx/certs; done 2>&1 | tee s_client-all-res-ok.txt
-The following OpenSSL cipher suites do not connect to nginx:
+The following OpenSSL cipher suites do not connect to nginx (obsolete):
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
PSK-RC4-SHA
@@ -84,7 +84,7 @@ ECDH-RSA-AES256-GCM-SHA384
Groupable to:
- EXP-EDH-{DSS,RSA}
- PSK
-- ECDH-RSA
+- ECDH-RSA (obsolete, it is supported with correct cert)
- SRP
Not supported by GnuTLS (source:
diff --git a/openssl-connect b/openssl-connect
index 55e896e..ceb24b2 100755
--- a/openssl-connect
+++ b/openssl-connect
@@ -25,36 +25,50 @@ s_client_client_random() {
/ ClientHello|ServerHello$/{l=3;s=""}
END{
+ has_random = 0;
for (rnd in r) {
+ has_random = 1;
if (key)
print "CLIENT_RANDOM", rnd, key
else
print "# No master key for random", rnd
}
+ # should not be possible since the first thing we sent out is a
+ # ClientHello, but just to be sure...
+ if (!has_random) {
+ if (key)
+ print "# No random found for key", key
+ else
+ print "# No random nor key found"
+ }
}'
}
# When stdin is a TTY, try all ciphers
if [ -t 0 ]; then
- openssl ciphers -V | awk '{print $3, substr($6, 4)}'
+ openssl ciphers -V | awk '{print $3, substr($5, 4), substr($6, 4)}'
else
# otherwise if not TTY, pass-through
cat
fi |
-while read cipher auth; do
- case $auth in
- RSA)
+while read cipher keyex auth; do
+ case $keyex,$auth in
+ *,RSA)
port=$portbase ;;
- ECDH|ECDSA)
+ ECDH/ECDSA,ECDH|*,ECDSA)
port=$((portbase+1)) ;;
- DSS)
+ ECDH/RSA,ECDH)
port=$((portbase+2)) ;;
- PSK|*)
+ *,DSS)
+ port=$((portbase+3)) ;;
+ *,PSK|*)
echo "Skipping unsupported $auth" >&2
continue
;;
esac
+ echo "# Cipher Suite $cipher"
+
# It is expected that the other side closes the connection
printf "GET / HTTP/1.0\r\n\r\n" |
openssl s_client -connect "$host:$port" -ign_eof -cipher "$cipher" \
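Review bot: The non-TTY pass-through path now silently expects three fields per line (`cipher keyex auth`). Two-column input written for the old loop is read with `auth` empty and lands in the `*,PSK|*)` arm, where `Skipping unsupported $auth` then prints an empty value. I would make the message identify the line, `echo "Skipping unsupported $cipher (Kx=$keyex Au=$auth)" >&2`, and add a comment above `cat` stating the expected column layout. The `*,PSK` alternative is redundant next to `*`, and `read` would be safer as `read -r`. The body of the while loop continues past the end of this hunk.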
diff --git a/openssl-listen b/openssl-listen
index f4cf984..e45e3dd 100755
--- a/openssl-listen
+++ b/openssl-listen
@@ -6,8 +6,10 @@ rsa_prv=server.pem
rsa_pub=server.crt
dsa_prv=dsa.pem
dsa_pub=dsa.crt
-ecc_prv=secp384r1.pem
-ecc_pub=secp384r1.crt
+ecd_prv=secp384r1-dsa.pem
+ecd_pub=secp384r1-dsa.crt
+ecc_prv=secp384r1-rsa.pem
+ecc_pub=secp384r1-rsa.crt
pkdir=$1
portbase=${2:-4430}
@@ -27,13 +29,24 @@ if ! mkdir -p "$pkdir"; then
exit 1
fi
+set -u
+
pids=()
gen_pk() {
- local type keyfile crtfile
+ local type keyfile crtfile x509_opts ca_key ca_crt
type=$1
keyfile=$2
crtfile=$3
+ # only necessary
+ ca_key=$4
+ ca_crt=$5
+
+ if [ -n "$ca_key" ]; then
+ x509_opts=(-CA "$ca_crt" -CAkey "$ca_key" -set_serial 1$RANDOM)
+ else
+ x509_opts=(-signkey "$keyfile")
+ fi
case $type in
RSA)
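Review bot: With `set -u` now active, `ca_key=$4` and `ca_crt=$5` abort the script if gen_pk is ever called with only three arguments. `ca_key=${4-}` and `ca_crt=${5-}` keep the CA arguments optional, which is what the `[ -n "$ca_key" ]` test already assumes. The comment `# only necessary` is cut short; something like `# optional: CA key and cert used to sign the new cert (ECDH only)` would finish it. `-set_serial 1$RANDOM` is unquoted and yields at most 32768 distinct serials under one issuer, which is acceptable for throwaway test certificates but deserves a short comment. gen_pk continues past the end of this hunk.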
@@ -42,18 +55,24 @@ gen_pk() {
DSS)
openssl dsaparam 1024 | openssl gendsa /dev/stdin -out "$keyfile"
;;
- ECDH|ECDSA)
- openssl ecparam -name prime192v1 -out "$keyfile" -genkey
+ ECDSA)
+ openssl ecparam -name secp384r1 -out "$keyfile" -genkey
+ ;;
+ ECDH)
+ openssl ecparam -name secp384r1 -out "$keyfile" -genkey
;;
*)
echo "Invalid cert type $type" >&2
return 1
esac
- openssl req -new -key "$keyfile" -x509 -days 3650 -out "$crtfile" -subj "/CN=Test Certificate $type"
+
+ openssl req -new -key "$keyfile" -subj "/CN=Test Certificate $type" |
+ openssl x509 -req -days 3650 -out "$crtfile" \
+ "${x509_opts[@]}"
}
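Review bot: The `ECDSA)` and `ECDH)` arms run the identical `openssl ecparam -name secp384r1 -out "$keyfile" -genkey` command and could be a single `ECDSA|ECDH)` arm, since the self-signed versus CA-signed difference is already carried by `x509_opts`. Separately, replacing `req -x509` with `req | x509 -req` and no `-extfile` probably means the certificates carry no v3 extensions on some OpenSSL versions, including the RSA certificate that now acts as issuer for the ECDH one. A peer that validates the chain strictly may reject such an issuer, so a comment that these certificates are for unverified test connections only would help. The start of gen_pk is outside this hunk.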
start_server() {
- local keyfile crtfile port auth
+ local keyfile crtfile port auth ca_key= ca_crt=
auth=$1
case $auth in
@@ -62,15 +81,22 @@ start_server() {
keyfile=$rsa_prv
port=$portbase
;;
- ECDH|ECDSA)
+ ECDSA)
+ crtfile=$ecd_pub
+ keyfile=$ecd_prv
+ port=$((portbase+1))
+ ;;
+ ECDH)
crtfile=$ecc_pub
keyfile=$ecc_prv
- port=$((portbase+1))
+ ca_key=$pkdir$rsa_prv
+ ca_crt=$pkdir$rsa_pub
+ port=$((portbase+2))
;;
DSS)
crtfile=$dsa_pub
keyfile=$dsa_prv
- port=$((portbase+2))
+ port=$((portbase+3))
;;
*)
echo "Invalid cert type $auth" >&2
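Review bot: The new `ECDH)` arm points `ca_key`/`ca_crt` at the RSA key and certificate in `$pkdir`, but nothing here checks that those files exist. It works only because the loop at the end of the file starts `RSA` before `ECDH`, and start_server's return status is not checked there, so a failed RSA generation shows up later as an `openssl x509` error for ECDH. I would add a comment on the arm, `# signed by the RSA key; RSA must have been generated first`, and possibly a guard such as `[ -e "$ca_key" ] || return 1`. The DSS port also moves from `portbase+2` to `portbase+3`, so openssl-connect and openssl-listen must be updated together, which this commit does. start_server begins in the previous hunk and continues after this one.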
@@ -79,7 +105,9 @@ start_server() {
esac
if [ ! -e "$pkdir$crtfile" ]; then
- gen_pk "$auth" "$pkdir$keyfile" "$pkdir$crtfile" || return 1
+ gen_pk "$auth" \
+ "$pkdir$keyfile" "$pkdir$crtfile" \
+ "$ca_key" "$ca_crt" || return 1
fi
openssl s_server -accept $port \
@@ -95,7 +123,7 @@ cleanup() {
}
trap cleanup EXIT
-for auth in RSA ECDH DSS; do
+for auth in RSA ECDSA ECDH DSS; do
start_server $auth
done