diff --git a/README.md b/README.md
index b36d344..993ed7f 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,60 @@
 # wolfssl-nginx
-Adds wolfSSL support to Nginx.
+
+## wolfSSL Support in Nginx
+
+wolfSSL is supported in Nginx. There are minor changes to the Nginx code base
+and recompilation is required.
+
+The tested versions:
+ - wolfSSL 3.11
+ - Nginx 1.12.0
+ - Nginx 1.11.13
+ - Nginx 1.11.10
+ - Nginx 1.11.7
+ - Nginx 1.10.3
+
+### Building
+
+First you will need Nginx source package and wolfSSL source code.
+
+Now build and install wolfSSL. The default installation directory is:
+ /usr/local.
+
+To enable wolfSSL support in Nginx the source code must be patched:
+ 1. Change into the Nginx source directory.
+ 2. Apply patch: patch -p1 < /nginx--wolfssl.patch
+
+Now rebuild Nginx:
+ 1. Configure Nginx with this command (extra options may be added as required):
+ - ./configure --with-wolfssl=/usr/local --with-http_ssl_module
+ 2. Build Nginx: make
+
+### Testing
+
+Nginx has a repository of tests that can be obtained with the following command:
+ - git clone https://github.com/nginx/nginx-tests.git
+
+To run the tests see the README. Tests are expected to pass with exceptions. An example of runnning the tests:
+ 1. Change into nginx-tests directory.
+ 2. Run tests: TEST_NGINX_BINARY=../nginx--wolfssl/objs/nginx prove .
+
+There will be skips of SSL tests for the following reasons:
+ - no multiple certificates (ssl_certificate.t)
+ - many not work, leaves coredump (ssl_engine_keys.t)
+
+-There will be failures of SSL tests for the following reasons:
+- - no support for setting verification depth
+- - no support for certificate authorities in certificate request ("no trusted sent")
+
+Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test
+system.
+
+There are additional tests available in wolfssl-nginx. These are in addition
+to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling
+testing. To test:
+ 1. Change into wolfssl-nginx directory.
+ 2. Run the script: ./test.sh (If using IPv6 then set IPV6=yes.)
+ 3. When working, the number of FAIL and UNKNOWN will be 0.
+
+Testing is only supported on Linux with bash.
+
diff --git a/conf/ca-cert-ecc.pem b/conf/ca-cert-ecc.pem
new file mode 100644
index 0000000..9c92c53
--- /dev/null
+++ b/conf/ca-cert-ecc.pem
@@ -0,0 +1,56 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ef:46:c7:a4:9b:bb:60:d3 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: Aug 11 20:07:38 2016 GMT + Not After : May 8 20:07:38 2019 GMT + Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de: + 9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c: + 16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92: + 21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33: + 0b:80:34:89:d8 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Subject Key Identifier: + 5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30 + X509v3 Authority Key Identifier: + keyid:5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30 + DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:EF:46:C7:A4:9B:BB:60:D3 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:f1:d0:a6:3e:83:33:24:d1:7a:05:5f:1e:0e: + bd:7d:6b:33:e9:f2:86:f3:f3:3d:a9:ef:6a:87:31:b3:b7:7e: + 50:02:21:00:f0:60:dd:ce:a2:db:56:ec:d9:f4:e4:e3:25:d4: + b0:c9:25:7d:ca:7a:5d:ba:c4:b2:f6:7d:04:c7:bd:62:c9:20 +-----BEGIN CERTIFICATE----- +MIIDEDCCArWgAwIBAgIJAO9Gx6Sbu2DTMAoGCCqGSM49BAMCMIGPMQswCQYDVQQG +EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G +A1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNz +bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx +MjAwNzM4WhcNMTkwNTA4MjAwNzM4WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx +DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI 
+hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih +f/DPGNqREQI0huggWDMLgDSJ2KOB9zCB9DAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr +SiUCI++yiTAwgcQGA1UdIwSBvDCBuYAUXV0m76x+NvmbdhUrSiUCI++yiTChgZWk +gZIwgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNV +BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns +LmNvbYIJAO9Gx6Sbu2DTMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIh +APHQpj6DMyTRegVfHg69fWsz6fKG8/M9qe9qhzGzt35QAiEA8GDdzqLbVuzZ9OTj +JdSwySV9ynpdusSy9n0Ex71iySA= +-----END CERTIFICATE----- diff --git a/conf/ca-cert.pem b/conf/ca-cert.pem new file mode 100644 index 0000000..8b34ea4 --- /dev/null +++ b/conf/ca-cert.pem 
@@ -0,0 +1,87 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + b7:b6:90:33:66:1b:6b:23 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: Aug 11 20:07:37 2016 GMT + Not After : May 8 20:07:37 2019 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a: + f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac: + de:03:66:ee:2a:f1:d8:b0:7d:6e:07:54:0b:10:98: + 21:4d:80:cb:12:20:e7:cc:4f:de:45:7d:c9:72:77: + 32:ea:ca:90:bb:69:52:10:03:2f:a8:f3:95:c5:f1: + 8b:62:56:1b:ef:67:6f:a4:10:41:95:ad:0a:9b:e3: + a5:c0:b0:d2:70:76:50:30:5b:a8:e8:08:2c:7c:ed: + a7:a2:7a:8d:38:29:1c:ac:c7:ed:f2:7c:95:b0:95: + 82:7d:49:5c:38:cd:77:25:ef:bd:80:75:53:94:3c: + 3d:ca:63:5b:9f:15:b5:d3:1d:13:2f:19:d1:3c:db: + 76:3a:cc:b8:7d:c9:e5:c2:d7:da:40:6f:d8:21:dc: + 73:1b:42:2d:53:9c:fe:1a:fc:7d:ab:7a:36:3f:98: + de:84:7c:05:67:ce:6a:14:38:87:a9:f1:8c:b5:68: + cb:68:7f:71:20:2b:f5:a0:63:f5:56:2f:a3:26:d2: + b7:6f:b1:5a:17:d7:38:99:08:fe:93:58:6f:fe:c3: + 13:49:08:16:0b:a7:4d:67:00:52:31:67:23:4e:98: + ed:51:45:1d:b9:04:d9:0b:ec:d8:28:b3:4b:bd:ed: + 36:79 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5 + X509v3 Authority Key Identifier: + keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5 + DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:B7:B6:90:33:66:1B:6B:23 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 0e:93:48:44:4a:72:96:60:71:25:82:a9:2c:ca:60:5b:f2:88: + 3e:cf:11:74:5a:11:4a:dc:d9:d8:f6:58:2c:05:d3:56:d9:e9: + 
8f:37:ef:8e:3e:3b:ff:22:36:00:ca:d8:e2:96:3f:a7:d1:ed: + 1f:de:7a:b0:d7:8f:36:bd:41:55:1e:d4:b9:86:3b:87:25:69: + 35:60:48:d6:e4:5a:94:ce:a2:fa:70:38:36:c4:85:b4:4b:23: + fe:71:9e:2f:db:06:c7:b5:9c:21:f0:3e:7c:eb:91:f8:5c:09: + fd:84:43:a4:b3:4e:04:0c:22:31:71:6a:48:c8:ab:bb:e8:ce: + fa:67:15:1a:3a:82:98:43:33:b5:0e:1f:1e:89:f8:37:de:1b: + e6:b5:a0:f4:a2:8b:b7:1c:90:ba:98:6d:94:21:08:80:5d:f3: + bf:66:ad:c9:72:28:7a:6a:48:ee:cf:63:69:31:8c:c5:8e:66: + da:4b:78:65:e8:03:3a:4b:f8:cc:42:54:d3:52:5c:2d:04:ae: + 26:87:e1:7e:40:cb:45:41:16:4b:6e:a3:2e:4a:76:bd:29:7f: + 1c:53:37:06:ad:e9:5b:6a:d6:b7:4e:94:a2:7c:e8:ac:4e:a6: + 50:3e:2b:32:9e:68:42:1b:e4:59:67:61:ea:c7:9a:51:9c:1c: + 55:a3:77:76 +-----BEGIN CERTIFICATE----- +MIIEqjCCA5KgAwIBAgIJALe2kDNmG2sjMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G +A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3 +dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe +Fw0xNjA4MTEyMDA3MzdaFw0xOTA1MDgyMDA3MzdaMIGUMQswCQYDVQQGEwJVUzEQ +MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3 +dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns +LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D +mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx +i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J +XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc +/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI +/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOB/DCB ++TAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUwgckGA1UdIwSBwTCBvoAU +J45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290 +aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t +MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAt7aQM2YbayMwDAYD 
+VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEADpNIREpylmBxJYKpLMpgW/KI +Ps8RdFoRStzZ2PZYLAXTVtnpjzfvjj47/yI2AMrY4pY/p9HtH956sNePNr1BVR7U +uYY7hyVpNWBI1uRalM6i+nA4NsSFtEsj/nGeL9sGx7WcIfA+fOuR+FwJ/YRDpLNO +BAwiMXFqSMiru+jO+mcVGjqCmEMztQ4fHon4N94b5rWg9KKLtxyQuphtlCEIgF3z +v2atyXIoempI7s9jaTGMxY5m2kt4ZegDOkv4zEJU01JcLQSuJofhfkDLRUEWS26j +Lkp2vSl/HFM3Bq3pW2rWt06UonzorE6mUD4rMp5oQhvkWWdh6seaUZwcVaN3dg== +-----END CERTIFICATE----- diff --git a/conf/cert-ecc-p8.key b/conf/cert-ecc-p8.key new file mode 100644 index 0000000..82791b9 --- /dev/null +++ b/conf/cert-ecc-p8.key @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCBFtmkCc5xshaE4W3Lo +6MesxAONUzUE+mwo3DSN4agJjA== +-----END PRIVATE KEY----- diff --git a/conf/cert-ecc-priv.key b/conf/cert-ecc-priv.key new file mode 100644 index 0000000..1d46e90 --- /dev/null +++ b/conf/cert-ecc-priv.key @@ -0,0 +1,4 @@ +-----BEGIN EC PRIVATE KEY----- +MDECAQEEIEW2aQJznGyFoThbcujox6zEA41TNQT6bCjcNI3hqAmMoAoGCCqGSM49 +AwEH +-----END EC PRIVATE KEY----- diff --git a/conf/cert-ecc.key b/conf/cert-ecc.key new file mode 100644 index 0000000..03e7a61 --- /dev/null +++ b/conf/cert-ecc.key @@ -0,0 +1,9 @@ +ASN1 OID: prime256v1 +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIEW2aQJznGyFoThbcujox6zEA41TNQT6bCjcNI3hqAmMoAoGCCqGSM49 +AwEHoUQDQgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKT +mjFbl5Ihf/DPGNqREQI0huggWDMLgDSJ2A== +-----END EC PRIVATE KEY----- diff --git a/conf/cert-ecc.pem b/conf/cert-ecc.pem new file mode 100644 index 0000000..9c92c53 --- /dev/null +++ b/conf/cert-ecc.pem 
@@ -0,0 +1,56 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + ef:46:c7:a4:9b:bb:60:d3 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: Aug 11 20:07:38 2016 GMT + Not After : May 8 20:07:38 2019 GMT + Subject: C=US, ST=Washington, L=Seattle, O=Eliptic, OU=ECC, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de: + 9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c: + 16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92: + 21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33: + 0b:80:34:89:d8 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Subject Key Identifier: + 5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30 + X509v3 Authority Key Identifier: + keyid:5D:5D:26:EF:AC:7E:36:F9:9B:76:15:2B:4A:25:02:23:EF:B2:89:30 + DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:EF:46:C7:A4:9B:BB:60:D3 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:f1:d0:a6:3e:83:33:24:d1:7a:05:5f:1e:0e: + bd:7d:6b:33:e9:f2:86:f3:f3:3d:a9:ef:6a:87:31:b3:b7:7e: + 50:02:21:00:f0:60:dd:ce:a2:db:56:ec:d9:f4:e4:e3:25:d4: + b0:c9:25:7d:ca:7a:5d:ba:c4:b2:f6:7d:04:c7:bd:62:c9:20 +-----BEGIN CERTIFICATE----- +MIIDEDCCArWgAwIBAgIJAO9Gx6Sbu2DTMAoGCCqGSM49BAMCMIGPMQswCQYDVQQG +EwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4G +A1UECgwHRWxpcHRpYzEMMAoGA1UECwwDRUNDMRgwFgYDVQQDDA93d3cud29sZnNz +bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx +MjAwNzM4WhcNMTkwNTA4MjAwNzM4WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB0VsaXB0aWMx +DDAKBgNVBAsMA0VDQzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZI 
+hvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAEuzOsTCdQSsZKpQTDPN6fNttyLc6U6iv6yyAJOSwW6GEC6a9N0wKTmjFbl5Ih +f/DPGNqREQI0huggWDMLgDSJ2KOB9zCB9DAdBgNVHQ4EFgQUXV0m76x+NvmbdhUr +SiUCI++yiTAwgcQGA1UdIwSBvDCBuYAUXV0m76x+NvmbdhUrSiUCI++yiTChgZWk +gZIwgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMQwwCgYDVQQLDANFQ0MxGDAWBgNV +BAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns +LmNvbYIJAO9Gx6Sbu2DTMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIh +APHQpj6DMyTRegVfHg69fWsz6fKG8/M9qe9qhzGzt35QAiEA8GDdzqLbVuzZ9OTj +JdSwySV9ynpdusSy9n0Ex71iySA= +-----END CERTIFICATE----- diff --git a/conf/cert.key b/conf/cert.key new file mode 100644 index 0000000..d1627f4 --- /dev/null +++ b/conf/cert.key 
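Review bot: conf/cert-ecc.pem is the same blob as conf/ca-cert-ecc.pem (both file headers show `index 0000000..9c92c53`), so the ECC server identity used by the tests is the self-signed root itself: a certificate with `CA:TRUE`, no keyUsage, no extendedKeyUsage and no subjectAltName. A passing ECC handshake against this pair therefore shows only that the curve and signature code work; it cannot show that the peer rejects a CA certificate presented as an end-entity or matches the hostname against a SAN, and that gap should be written down so nobody reads ssl_ecc.t as chain-validation coverage. If the duplication is deliberate, a leading line such as `Test fixture: identical to ca-cert-ecc.pem (self-signed, CA:TRUE, no SAN)` above the PEM block would save the next reader a diff; otherwise issue a distinct leaf under the ECC CA. The three cert-ecc*.key files in this change appear to be different encodings of the same P-256 key and need the same test-only marking.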
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAwJUI4VdB8nFtt9JFQScBZcZFrvK8JDC4lc4vTtb2HIi8fJ/7 +qGd//lycUXX3isoH5zUvj+G9e8AvfKtkqBf8yl17uuAh5XIuby6G2JVz2qwbU7lf +P9cZDSVP4WNjUYsLZD+tQ7ilHFw0s64AoGPF9n8LWWh4c6aMGKkCba/DGQEuuBDj +xsxAtGmjRjNph27Euxem8+jdrXO8ey8htf1mUQy9VLPhbV8cvCNz0QkDiRTSELlk +wyrQoZZKvOHUGlvHoMDBY3gPRDcwMpaAMiOVoXe6E9KXc+JdJclqDcM5YKS0sGlC +Qgnp2Ai8MyCzWCKnquvE4eZhg8XSlt/Z0E+t1wIDAQABAoIBAQCa0DQPUmIFUAHv +n+1kbsLE2hryhNeSEEiSxOlq64t1bMZ5OPLJckqGZFSVd8vDmp231B2kAMieTuTd +x7pnFsF0vKnWlI8rMBr77d8hBSPZSjm9mGtlmrjcxH3upkMVLj2+HSJgKnMw1T7Y +oqyGQy7E9WReP4l1DxHYUSVOn9iqo85gs+KK2X4b8GTKmlsFC1uqy+XjP24yIgXz +0PrvdFKB4l90073/MYNFdfpjepcu1rYZxpIm5CgGUFAOeC6peA0Ul7QS2DFAq6EB +QcIw+AdfFuRhd9Jg8p+N6PS662PeKpeB70xs5lU0USsoNPRTHMRYCj+7r7X3SoVD +LTzxWFiBAoGBAPIsVHY5I2PJEDK3k62vvhl1loFk5rW4iUJB0W3QHBv4G6xpyzY8 +ZH3c9Bm4w2CxV0hfUk9ZOlV/MsAZQ1A/rs5vF/MOn0DKTq0VO8l56cBZOHNwnAp8 +yTpIMqfYSXUKhcLC/RVz2pkJKmmanwpxv7AEpox6Wm9IWlQ7xrFTF9/nAoGBAMuT +3ncVXbdcXHzYkKmYLdZpDmOzo9ymzItqpKISjI57SCyySzfcBhh96v52odSh6T8N +zRtfr1+elltbD6F8r7ObkNtXczrtsCNErkFPHwdCEyNMy/r0FKTV9542fFufqDzB +hV900jkt/9CE3/uzIHoumxeu5roLrl9TpFLtG8SRAoGBAOyY2rvV/vlSSn0CVUlv +VW5SL4SjK7OGYrNU0mNS2uOIdqDvixWl0xgUcndex6MEH54ZYrUbG57D8rUy+UzB +qusMJn3UX0pRXKRFBnBEp1bA1CIUdp7YY1CJkNPiv4GVkjFBhzkaQwsYpVMfORpf +H0O8h2rfbtMiAP4imHBOGhkpAoGBAIpBVihRnl/Ungs7mKNU8mxW1KrpaTOFJAza +1AwtxL9PAmk4fNTm3Ezt1xYRwz4A58MmwFEC3rt1nG9WnHrzju/PisUr0toGakTJ +c/5umYf4W77xfOZltU9s8MnF/xbKixsX4lg9ojerAby/QM5TjI7t7+5ZneBj5nxe +9Y5L8TvBAoGATUX5QIzFW/QqGoq08hysa+kMVja3TnKW1eWK0uL/8fEYEz2GCbjY +dqfJHHFSlDBD4PF4dP1hG0wJzOZoKnGtHN9DvFbbpaS+NXCkXs9P/ABVmTo9I89n +WvUi+LUp0EQR6zUuRr79jhiyX6i/GTKh9dwD5nyaHwx8qbAOITc78bA= +-----END RSA PRIVATE KEY----- diff --git a/conf/cert.pem b/conf/cert.pem new file mode 100644 index 0000000..5504c82 --- /dev/null +++ b/conf/cert.pem 
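Review bot: conf/cert.key lands an unencrypted RSA private key in the repository with nothing in the file or in the README marking it as a disposable test credential. The Sawtooth/wolfSSL_2048 issuer names and the info@wolfssl.com addresses suggest these are wolfSSL's published example certificates, so every key under conf/ has to be treated as already public; the practical risk is someone copying the directory as a starting nginx configuration and serving real traffic with it. cert-ecc.key in this same change already carries text (`ASN1 OID: prime256v1`) ahead of its PEM block, so a leading line such as `TEST KEY ONLY - publicly known, never deploy` should survive the same loader, but confirm the wolfSSL key parser tolerates it before relying on that. The same warning belongs in the README's Testing section, and if a secret scanner runs on this repository these fixtures should be allowlisted explicitly rather than teaching people to ignore its findings.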
@@ -0,0 +1,173 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: Aug 11 20:07:37 2016 GMT + Not After : May 8 20:07:37 2019 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=Support, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27: + 01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6: + f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75: + f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab: + 64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e: + 86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25: + 4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c: + 34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6: + 8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc: + 40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8: + dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3: + e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9: + 64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0: + c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77: + ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4: + b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22: + a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f: + ad:d7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + B3:11:32:C9:92:98:84:E2:C9:F8:D0:3B:6E:03:42:CA:1F:0E:8E:3C + X509v3 Authority Key Identifier: + keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5 + DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:B7:B6:90:33:66:1B:6B:23 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 51:fe:2a:df:07:7e:43:ca:66:8d:15:c4:2b:db:57:b2:06:6d: + 0d:90:66:ff:a5:24:9c:14:ef:81:f2:a4:ab:99:a9:6a:49:20: + 
a5:d2:71:e7:1c:3c:99:07:c7:47:fc:e8:96:b4:f5:42:30:ce: + 39:01:4b:d1:c2:e8:bc:95:84:87:ce:55:5d:97:9f:cf:78:f3: + 56:9b:a5:08:6d:ac:f6:a5:5c:c4:ef:3e:2a:39:a6:48:26:29: + 7b:2d:e0:cd:a6:8c:57:48:0b:bb:31:32:c2:bf:d9:43:4c:47: + 25:18:81:a8:c9:33:82:41:9b:ba:61:86:d7:84:93:17:24:25: + 36:ca:4d:63:6b:4f:95:79:d8:60:e0:1e:f5:ac:c1:8a:a1:b1: + 7e:85:8e:87:20:2f:08:31:ad:5e:c6:4a:c8:61:f4:9e:07:1e: + a2:22:ed:73:7c:85:ee:fa:62:dc:50:36:aa:fd:c7:9d:aa:18: + 04:fb:ea:cc:2c:68:9b:b3:a9:c2:96:d8:c1:cc:5a:7e:f7:0d: + 9e:08:e0:9d:29:8b:84:46:8f:d3:91:6a:b5:b8:7a:5c:cc:4f: + 55:01:b8:9a:48:a0:94:43:ca:25:47:52:0a:f7:f4:be:b0:d1: + 71:6d:a5:52:4a:65:50:b2:ad:4e:1d:e0:6c:01:d8:fb:43:80: + e6:e4:0c:37 +-----BEGIN CERTIFICATE----- +MIIEnjCCA4agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh +d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz +bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTYwODEx +MjAwNzM3WhcNMTkwNTA4MjAwNzM3WjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM +B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO +BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG +SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn +f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X +GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM +QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq +0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ +6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOB/DCB+TAdBgNVHQ4EFgQU +sxEyyZKYhOLJ+NA7bgNCyh8OjjwwgckGA1UdIwSBwTCBvoAUJ45nEXTDJh0/7TNj +s6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5h +MRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwK +Q29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcN +AQkBFhBpbmZvQHdvbGZzc2wuY29tggkAt7aQM2YbayMwDAYDVR0TBAUwAwEB/zAN 
+BgkqhkiG9w0BAQsFAAOCAQEAUf4q3wd+Q8pmjRXEK9tXsgZtDZBm/6UknBTvgfKk +q5mpakkgpdJx5xw8mQfHR/zolrT1QjDOOQFL0cLovJWEh85VXZefz3jzVpulCG2s +9qVcxO8+KjmmSCYpey3gzaaMV0gLuzEywr/ZQ0xHJRiBqMkzgkGbumGG14STFyQl +NspNY2tPlXnYYOAe9azBiqGxfoWOhyAvCDGtXsZKyGH0ngceoiLtc3yF7vpi3FA2 +qv3HnaoYBPvqzCxom7OpwpbYwcxafvcNngjgnSmLhEaP05Fqtbh6XMxPVQG4mkig +lEPKJUdSCvf0vrDRcW2lUkplULKtTh3gbAHY+0OA5uQMNw== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + b7:b6:90:33:66:1b:6b:23 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: Aug 11 20:07:37 2016 GMT + Not After : May 8 20:07:37 2019 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a: + f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac: + de:03:66:ee:2a:f1:d8:b0:7d:6e:07:54:0b:10:98: + 21:4d:80:cb:12:20:e7:cc:4f:de:45:7d:c9:72:77: + 32:ea:ca:90:bb:69:52:10:03:2f:a8:f3:95:c5:f1: + 8b:62:56:1b:ef:67:6f:a4:10:41:95:ad:0a:9b:e3: + a5:c0:b0:d2:70:76:50:30:5b:a8:e8:08:2c:7c:ed: + a7:a2:7a:8d:38:29:1c:ac:c7:ed:f2:7c:95:b0:95: + 82:7d:49:5c:38:cd:77:25:ef:bd:80:75:53:94:3c: + 3d:ca:63:5b:9f:15:b5:d3:1d:13:2f:19:d1:3c:db: + 76:3a:cc:b8:7d:c9:e5:c2:d7:da:40:6f:d8:21:dc: + 73:1b:42:2d:53:9c:fe:1a:fc:7d:ab:7a:36:3f:98: + de:84:7c:05:67:ce:6a:14:38:87:a9:f1:8c:b5:68: + cb:68:7f:71:20:2b:f5:a0:63:f5:56:2f:a3:26:d2: + b7:6f:b1:5a:17:d7:38:99:08:fe:93:58:6f:fe:c3: + 13:49:08:16:0b:a7:4d:67:00:52:31:67:23:4e:98: + ed:51:45:1d:b9:04:d9:0b:ec:d8:28:b3:4b:bd:ed: + 36:79 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5 + X509v3 Authority Key Identifier: + 
keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5 + DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:B7:B6:90:33:66:1B:6B:23 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 0e:93:48:44:4a:72:96:60:71:25:82:a9:2c:ca:60:5b:f2:88: + 3e:cf:11:74:5a:11:4a:dc:d9:d8:f6:58:2c:05:d3:56:d9:e9: + 8f:37:ef:8e:3e:3b:ff:22:36:00:ca:d8:e2:96:3f:a7:d1:ed: + 1f:de:7a:b0:d7:8f:36:bd:41:55:1e:d4:b9:86:3b:87:25:69: + 35:60:48:d6:e4:5a:94:ce:a2:fa:70:38:36:c4:85:b4:4b:23: + fe:71:9e:2f:db:06:c7:b5:9c:21:f0:3e:7c:eb:91:f8:5c:09: + fd:84:43:a4:b3:4e:04:0c:22:31:71:6a:48:c8:ab:bb:e8:ce: + fa:67:15:1a:3a:82:98:43:33:b5:0e:1f:1e:89:f8:37:de:1b: + e6:b5:a0:f4:a2:8b:b7:1c:90:ba:98:6d:94:21:08:80:5d:f3: + bf:66:ad:c9:72:28:7a:6a:48:ee:cf:63:69:31:8c:c5:8e:66: + da:4b:78:65:e8:03:3a:4b:f8:cc:42:54:d3:52:5c:2d:04:ae: + 26:87:e1:7e:40:cb:45:41:16:4b:6e:a3:2e:4a:76:bd:29:7f: + 1c:53:37:06:ad:e9:5b:6a:d6:b7:4e:94:a2:7c:e8:ac:4e:a6: + 50:3e:2b:32:9e:68:42:1b:e4:59:67:61:ea:c7:9a:51:9c:1c: + 55:a3:77:76 +-----BEGIN CERTIFICATE----- +MIIEqjCCA5KgAwIBAgIJALe2kDNmG2sjMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G +A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3 +dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe +Fw0xNjA4MTEyMDA3MzdaFw0xOTA1MDgyMDA3MzdaMIGUMQswCQYDVQQGEwJVUzEQ +MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3 +dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns +LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D +mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx +i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J +XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc +/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI 
+/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOB/DCB ++TAdBgNVHQ4EFgQUJ45nEXTDJh0/7TNjs6TYHTDl6NUwgckGA1UdIwSBwTCBvoAU +J45nEXTDJh0/7TNjs6TYHTDl6NWhgZqkgZcwgZQxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290 +aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t +MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tggkAt7aQM2YbayMwDAYD +VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEADpNIREpylmBxJYKpLMpgW/KI +Ps8RdFoRStzZ2PZYLAXTVtnpjzfvjj47/yI2AMrY4pY/p9HtH956sNePNr1BVR7U +uYY7hyVpNWBI1uRalM6i+nA4NsSFtEsj/nGeL9sGx7WcIfA+fOuR+FwJ/YRDpLNO +BAwiMXFqSMiru+jO+mcVGjqCmEMztQ4fHon4N94b5rWg9KKLtxyQuphtlCEIgF3z +v2atyXIoempI7s9jaTGMxY5m2kt4ZegDOkv4zEJU01JcLQSuJofhfkDLRUEWS26j +Lkp2vSl/HFM3Bq3pW2rWt06UonzorE6mUD4rMp5oQhvkWWdh6seaUZwcVaN3dg== +-----END CERTIFICATE----- diff --git a/conf/cliCrl.pem b/conf/cliCrl.pem new file mode 100644 index 0000000..99f6396 --- /dev/null +++ b/conf/cliCrl.pem 
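Review bot: The end-entity certificate at the top of conf/cert.pem (serial 1, O=wolfSSL, OU=Support) is itself marked `X509v3 Basic Constraints: CA:TRUE` and carries no keyUsage, extendedKeyUsage or subjectAltName, so a server test that passes with this chain does not demonstrate that the wolfSSL build enforces leaf constraints or SAN-based hostname matching; a fixture with CA:FALSE and a SAN for the name the tests connect to would make those checks observable. Both certificates in the bundle expire `May 8 20:07:37 2019 GMT`, and the CRLs added below share that Next Update, so the suite is date-dependent and will fail outright after that point unless the harness regenerates the fixtures or fakes the clock; I could not find a regeneration step in this change, so the README or a script should document one. It is also worth a note in the file that crl-revoked.pem later in this change lists serial 01, i.e. this very server certificate, which is presumably the intended negative case for CRL checking.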
@@ -0,0 +1,39 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: /C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Last Update: Aug 11 20:07:38 2016 GMT + Next Update: May 8 20:07:38 2019 GMT + CRL extensions: + X509v3 CRL Number: + 3 +No Revoked Certificates. + Signature Algorithm: sha256WithRSAEncryption + 14:85:d5:c8:db:62:74:48:94:5e:dc:52:0f:5e:43:8b:29:83: + 32:e0:7a:4c:5c:76:e3:7e:c1:87:74:40:b2:6f:f8:33:4c:2c: + 32:08:f0:5f:d9:85:b3:20:05:34:5d:15:4d:ba:45:bc:2d:9c: + ae:40:d0:d8:9a:b3:a1:4f:0b:94:ce:c4:23:c6:bf:a2:f8:a6: + 02:4c:6d:ad:5a:59:b3:83:55:dd:37:91:f6:75:d4:6f:83:5f: + 1c:29:94:cd:01:09:dc:38:d8:6c:c0:9f:1e:76:9d:f9:8f:70: + 0d:48:e5:99:82:90:3a:36:f1:33:17:69:73:8a:ee:a7:22:4c: + 58:93:a1:dc:59:b9:44:8f:88:99:0b:c4:d3:74:aa:02:9a:84: + 36:48:d8:a0:05:73:bc:14:32:1e:76:23:85:c5:94:56:b2:2c: + 61:3b:07:d7:bd:0c:27:f7:d7:23:40:bd:0c:6c:c7:e0:f7:28: + 74:67:98:20:93:72:16:b6:6e:67:3f:9e:c9:34:c5:64:09:bf: + b1:ab:87:0c:80:b6:1f:89:d8:0e:67:c2:c7:19:df:ee:9f:b2: + e6:fb:64:3d:82:7a:47:e2:8d:a3:93:1d:29:f6:94:db:83:2f: + b6:0a:a0:da:77:e3:56:ec:d7:d2:22:3c:88:4d:4a:87:de:b5: + 1c:eb:7b:08 +-----BEGIN X509 CRL----- +MIIB+DCB4QIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVVMxEDAOBgNV +BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xf +MjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEYMBYGA1UEAwwPd3d3Lndv +bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0xNjA4 +MTEyMDA3MzhaFw0xOTA1MDgyMDA3MzhaoA4wDDAKBgNVHRQEAwIBAzANBgkqhkiG +9w0BAQsFAAOCAQEAFIXVyNtidEiUXtxSD15DiymDMuB6TFx2437Bh3RAsm/4M0ws +MgjwX9mFsyAFNF0VTbpFvC2crkDQ2JqzoU8LlM7EI8a/ovimAkxtrVpZs4NV3TeR +9nXUb4NfHCmUzQEJ3DjYbMCfHnad+Y9wDUjlmYKQOjbxMxdpc4rupyJMWJOh3Fm5 +RI+ImQvE03SqApqENkjYoAVzvBQyHnYjhcWUVrIsYTsH170MJ/fXI0C9DGzH4Pco +dGeYIJNyFrZuZz+eyTTFZAm/sauHDIC2H4nYDmfCxxnf7p+y5vtkPYJ6R+KNo5Md +KfaU24Mvtgqg2nfjVuzX0iI8iE1Kh961HOt7CA== +-----END X509 CRL----- 
diff --git a/conf/client-cert.pem b/conf/client-cert.pem new file mode 100644 index 0000000..9262ad6 --- /dev/null +++ b/conf/client-cert.pem 
@@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + b9:bc:90:ed:ad:aa:0a:8c + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=Programming-2048, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Validity + Not Before: Aug 11 20:07:37 2016 GMT + Not After : May 8 20:07:37 2019 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=Programming-2048, CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b: + 2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07: + 32:8e:d0:ba:69:7b:c6:c3:44:9e:d4:81:48:fd:2d: + 68:a2:8b:67:bb:a1:75:c8:36:2c:4a:d2:1b:f7:8b: + ba:cf:0d:f9:ef:ec:f1:81:1e:7b:9b:03:47:9a:bf: + 65:cc:7f:65:24:69:a6:e8:14:89:5b:e4:34:f7:c5: + b0:14:93:f5:67:7b:3a:7a:78:e1:01:56:56:91:a6: + 13:42:8d:d2:3c:40:9c:4c:ef:d1:86:df:37:51:1b: + 0c:a1:3b:f5:f1:a3:4a:35:e4:e1:ce:96:df:1b:7e: + bf:4e:97:d0:10:e8:a8:08:30:81:af:20:0b:43:14: + c5:74:67:b4:32:82:6f:8d:86:c2:88:40:99:36:83: + ba:1e:40:72:22:17:d7:52:65:24:73:b0:ce:ef:19: + cd:ae:ff:78:6c:7b:c0:12:03:d4:4e:72:0d:50:6d: + 3b:a3:3b:a3:99:5e:9d:c8:d9:0c:85:b3:d9:8a:d9: + 54:26:db:6d:fa:ac:bb:ff:25:4c:c4:d1:79:f4:71: + d3:86:40:18:13:b0:63:b5:72:4e:30:c4:97:84:86: + 2d:56:2f:d7:15:f7:7f:c0:ae:f5:fc:5b:e5:fb:a1: + ba:d3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0 + X509v3 Authority Key Identifier: + keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0 + DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + serial:B9:BC:90:ED:AD:AA:0A:8C + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 33:85:08:b4:58:0e:a2:00:03:74:de:77:fb:d1:2b:76:9c:97: + 
90:20:21:a2:e8:2e:22:50:26:04:76:ba:5b:47:79:e5:52:f7: + c4:0d:79:ff:62:3f:05:7c:c3:08:6c:e0:b7:81:d0:ce:c6:c9: + 46:b9:8e:4b:5f:56:79:4b:13:b6:d1:6b:66:4b:ce:00:0d:e3: + 76:5e:fb:cb:b5:5d:12:31:05:f1:bb:39:f6:86:90:ca:92:56: + a4:a0:75:21:b6:1d:4c:96:c3:45:eb:5a:91:94:32:d3:59:b8: + c9:73:1f:03:a9:81:63:e0:43:c0:1e:c8:65:be:3b:a7:53:c3: + 44:ff:b3:fb:47:84:a8:b6:9d:00:d5:6b:ae:87:f8:bb:35:b2: + 6c:66:0b:11:ee:6f:fe:12:ed:59:79:f1:3e:f2:d3:61:27:8b: + 95:7e:99:75:8d:a4:9f:34:85:f1:25:4d:48:1e:9b:6b:70:f6: + 66:cc:56:b1:a3:02:52:8a:7c:aa:af:07:da:97:c6:0c:a5:8f: + ed:cb:f5:d8:04:5d:97:0a:5d:5a:2b:49:f5:bd:93:e5:23:9b: + 99:b5:0c:ff:0c:7e:38:82:b2:6e:ab:8a:c9:a7:45:ab:d6:d7: + 93:35:70:07:7e:c8:3d:a5:fe:33:8f:d9:85:c0:c7:5a:02:e4: + 7c:d6:35:9e +-----BEGIN CERTIFICATE----- +MIIEyjCCA7KgAwIBAgIJALm8kO2tqgqMMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG +A1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0yMDQ4MRgw +FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s +ZnNzbC5jb20wHhcNMTYwODExMjAwNzM3WhcNMTkwNTA4MjAwNzM3WjCBnjELMAkG +A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT +BgNVBAoMDHdvbGZTU0xfMjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv +bGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwPRK/45 +pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvGw0Se1IFI/S1oootnu6F1yDYs +StIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjhAVZW +kaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryALQxTF +dGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07ozuj +mV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/XFfd/ +wK71/Fvl+6G60wIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeR +xybXhWXAMIHTBgNVHSMEgcswgciAFDPYRWbXaIcYflQNcCeRxybXhWXAoYGkpIGh +MIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96 +ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWlu 
+Zy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEW +EGluZm9Ad29sZnNzbC5jb22CCQC5vJDtraoKjDAMBgNVHRMEBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQAzhQi0WA6iAAN03nf70St2nJeQICGi6C4iUCYEdrpbR3nl +UvfEDXn/Yj8FfMMIbOC3gdDOxslGuY5LX1Z5SxO20WtmS84ADeN2XvvLtV0SMQXx +uzn2hpDKklakoHUhth1MlsNF61qRlDLTWbjJcx8DqYFj4EPAHshlvjunU8NE/7P7 +R4Sotp0A1Wuuh/i7NbJsZgsR7m/+Eu1ZefE+8tNhJ4uVfpl1jaSfNIXxJU1IHptr +cPZmzFaxowJSinyqrwfal8YMpY/ty/XYBF2XCl1aK0n1vZPlI5uZtQz/DH44grJu +q4rJp0Wr1teTNXAHfsg9pf4zj9mFwMdaAuR81jWe +-----END CERTIFICATE----- diff --git a/conf/client-key.pem b/conf/client-key.pem new file mode 100644 index 0000000..c4e7ad2 --- /dev/null +++ b/conf/client-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwwPRK/45pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvG +w0Se1IFI/S1oootnu6F1yDYsStIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJ +W+Q098WwFJP1Z3s6enjhAVZWkaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbf +G36/TpfQEOioCDCBryALQxTFdGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnN +rv94bHvAEgPUTnINUG07ozujmV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAY +E7BjtXJOMMSXhIYtVi/XFfd/wK71/Fvl+6G60wIDAQABAoIBAQCi5thfEHFkCJ4u +bdFtHoXSCrGMR84sUWqgEp5T3pFMHW3qWXvyd6rZxtmKq9jhFuRjJv+1bBNZuOOl +yHIXLgyfb+VZP3ZvSbERwlouFikN3reO3EDVou7gHqH0vpfbhmOWFM2YCWAtMHac +PM3miO5HknkLWgDiXl8RfH35CLcgBokqXf0AqyLh8LO8JKleJg4fAC3+IZpTW23T +K6uUgmhDNtj2L8Yi/LVBXQ0zYOqkfX7oS1WRVtNcV48flBcvqt7pnqj0z4pMjqDk +VnOyz0+GxWk88yQgi1yWDPprEjuaZ8HfxpaypdWSDZsJQmgkEEXUUOQXOUjQNYuU +bRHej8pZAoGBAOokp/lpM+lx3FJ9iCEoL0neunIW6cxHeogNlFeEWBY6gbA/os+m +bB6wBikAj+d3dqzbysfZXps/JpBSrvw4kAAUu7QPWJTnL2p+HE9BIdQxWR9OihqN +p1dsItjl9H4yphDLZKVVA4emJwWMw9e2J7JNujDaR49U0z2LhI2UmFilAoGBANU4 +G8OPxZMMRwtvNZLFsI1GyJIYj/WACvfvof6AubUqusoYsF2lB9CTjdicBBzUYo6m +JoEB/86KKmM0NUCqbYDeiSNqV02ebq2TTlaQC22dc4sMric93k7wqsVseGdslFKc +N2dsLe+7r9+mkDzER8+Nlp6YqbSfxaZQ3LPw+3QXAoGAXoMJYr26fKK/QnT1fBzS +ackEDYV+Pj0kEsMYe/Mp818OdmxZdeRBhGmdMvPNIquwNbpKsjzl2Vi2Yk9d3uWe +CspTsiz3nrNrClt5ZexukU6SIPb8/Bbt03YM4ux/smkTa3gOWkZktF63JaBadTpL +78c8Pvf9JrggxJkKmnO+wxkCgYEAukSTFKw0GTtfkWCs97TWgQU2UVM96GXcry7c +YT7Jfbh/h/A7mwOCKTfOck4R1bHBDAegmZFKjX/sec/xObXphexi99p9vGRNIjwO +8tZR9YfYmcARIF0PKf1b4q7ZHNkhVm38hNBf7RAVHBgh58Q9S9fQnmqVzyLJA3ue +42AB/C8CgYAR0EvPG2e5nxB1R4ZlrjHCxjCsWQZQ2Q+1cAb38NPIYnyo2m72IT/T +f1/qiqs/2Spe81HSwjA34y2jdQ0eTSE01VdwXIm/cuxKbmjVzRh0M06MOkWP5pZA +62P5GYY6Ud2JS7Dz+Z9dKJU4vjWrylznk1M0oUVdEzllQkahn831vw== +-----END RSA PRIVATE KEY----- diff --git a/conf/crl-revoked.pem b/conf/crl-revoked.pem new file mode 100644 index 0000000..7cbbce5 --- /dev/null +++ b/conf/crl-revoked.pem 
@@ -0,0 +1,44 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Last Update: Aug 11 20:07:38 2016 GMT + Next Update: May 8 20:07:38 2019 GMT + CRL extensions: + X509v3 CRL Number: + 2 +Revoked Certificates: + Serial Number: 01 + Revocation Date: Aug 11 20:07:38 2016 GMT + Serial Number: 02 + Revocation Date: Aug 11 20:07:38 2016 GMT + Signature Algorithm: sha256WithRSAEncryption + 91:67:3d:34:8f:85:87:cd:11:0f:e2:af:cd:77:3f:d8:f2:15: + cb:c3:0d:49:02:87:13:f5:82:9e:a9:6f:ed:6a:aa:28:b7:6c: + 61:7b:ac:90:d0:e5:a1:3d:80:2c:31:6f:4e:0b:e9:9a:44:db: + 6b:24:71:34:9f:d1:51:53:8a:bd:bd:1c:20:e0:96:73:7b:29: + 1c:e3:56:97:46:a2:5e:db:ae:fe:1f:4a:c1:5c:5b:30:74:a4: + 70:dc:7e:70:7f:42:9f:48:d3:99:16:ff:34:f9:a7:db:ad:3d: + bc:a6:9d:ee:6a:ed:e7:e0:2f:ef:24:ab:4c:9b:44:d8:fc:1c: + 48:9f:f4:3c:14:f3:6c:a2:0f:a7:93:00:32:29:96:7e:98:5d: + c9:85:fa:94:4c:e2:03:7e:fb:bf:f0:0e:93:52:3b:8a:e1:43: + fe:3f:f2:57:02:21:e8:ff:43:da:3e:f0:3d:1a:eb:96:7a:0a: + d8:27:56:e2:30:2a:3c:a3:93:ff:1e:3f:98:6b:4e:ea:78:90: + 8b:d7:24:0a:98:b8:c1:e8:f5:02:d2:18:07:17:c3:6c:b5:db: + a7:61:c5:5d:8e:36:80:f5:aa:c1:a7:5b:66:4a:dd:17:62:da: + 80:70:83:4d:69:fa:c4:f4:2d:27:90:8d:7f:28:34:19:e0:a3: + 8a:6b:73:55 +-----BEGIN X509 CRL----- +MIICGTCCAQECAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290 +aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t +MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0xNjA4MTEyMDA3Mzha +Fw0xOTA1MDgyMDA3MzhaMCgwEgIBARcNMTYwODExMjAwNzM4WjASAgECFw0xNjA4 +MTEyMDA3MzhaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsFAAOCAQEAkWc9 +NI+Fh80RD+KvzXc/2PIVy8MNSQKHE/WCnqlv7WqqKLdsYXuskNDloT2ALDFvTgvp +mkTbayRxNJ/RUVOKvb0cIOCWc3spHONWl0aiXtuu/h9KwVxbMHSkcNx+cH9Cn0jT +mRb/NPmn2609vKad7mrt5+Av7ySrTJtE2PwcSJ/0PBTzbKIPp5MAMimWfphdyYX6 
+lEziA377v/AOk1I7iuFD/j/yVwIh6P9D2j7wPRrrlnoK2CdW4jAqPKOT/x4/mGtO +6niQi9ckCpi4wej1AtIYBxfDbLXbp2HFXY42gPWqwadbZkrdF2LagHCDTWn6xPQt +J5CNfyg0GeCjimtzVQ== +-----END X509 CRL----- diff --git a/conf/crl.pem b/conf/crl.pem new file mode 100644 index 0000000..f9e8562 --- /dev/null +++ b/conf/crl.pem 
@@ -0,0 +1,41 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com + Last Update: Aug 11 20:07:38 2016 GMT + Next Update: May 8 20:07:38 2019 GMT + CRL extensions: + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 02 + Revocation Date: Aug 11 20:07:38 2016 GMT + Signature Algorithm: sha256WithRSAEncryption + 35:c6:7f:57:9a:e5:86:5a:15:1a:e2:e5:2b:9f:54:79:2a:58: + 51:a2:12:0c:4e:53:58:eb:99:e3:c2:ee:2b:d7:23:e4:3c:4d: + 0a:ab:ae:71:9b:ce:b1:c1:75:a1:b6:e5:32:5f:10:b0:72:28: + 2e:74:b1:99:dd:47:53:20:f6:9a:83:5c:bd:20:b0:aa:df:32: + f6:95:54:98:9e:59:96:55:7b:0a:74:be:94:66:44:b7:32:82: + f0:eb:16:f8:30:86:16:9f:73:43:98:82:b5:5e:ad:58:c0:c8: + 79:da:ad:b1:b4:d7:fb:34:c1:cc:3a:67:af:a4:56:5a:70:5c: + 2d:1f:73:16:78:92:01:06:e3:2c:fb:f1:ba:d5:8f:f9:be:dd: + e1:4a:ce:de:ca:e6:2d:96:09:24:06:40:9e:10:15:2e:f2:cd: + 85:d6:84:88:db:9c:4a:7b:75:7a:06:0e:40:02:20:60:7e:91: + f7:92:53:1e:34:7a:ea:ee:df:e7:cd:a8:9e:a6:61:b4:56:50: + 4d:dc:b1:78:0d:86:cf:45:c3:a6:0a:b9:88:2c:56:a7:b1:d3: + d3:0d:44:aa:93:a4:05:4d:ce:9f:01:b0:c6:1e:e4:ea:6b:92: + 6f:93:dd:98:cf:fb:1d:06:72:ac:d4:99:e7:f2:b4:11:57:bd: + 9d:63:e5:dc +-----BEGIN X509 CRL----- +MIICBDCB7QIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMxEDAOBgNV +BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3Ro +MRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTE2MDgxMTIwMDczOFoX +DTE5MDUwODIwMDczOFowFDASAgECFw0xNjA4MTEyMDA3MzhaoA4wDDAKBgNVHRQE +AwIBATANBgkqhkiG9w0BAQsFAAOCAQEANcZ/V5rlhloVGuLlK59UeSpYUaISDE5T +WOuZ48LuK9cj5DxNCquucZvOscF1obblMl8QsHIoLnSxmd1HUyD2moNcvSCwqt8y +9pVUmJ5ZllV7CnS+lGZEtzKC8OsW+DCGFp9zQ5iCtV6tWMDIedqtsbTX+zTBzDpn +r6RWWnBcLR9zFniSAQbjLPvxutWP+b7d4UrO3srmLZYJJAZAnhAVLvLNhdaEiNuc +Snt1egYOQAIgYH6R95JTHjR66u7f582onqZhtFZQTdyxeA2Gz0XDpgq5iCxWp7HT 
+0w1EqpOkBU3OnwGwxh7k6muSb5PdmM/7HQZyrNSZ5/K0EVe9nWPl3A== +-----END X509 CRL----- diff --git a/conf/dhparams.pem b/conf/dhparams.pem new file mode 100644 index 0000000..1e2b848 --- /dev/null +++ b/conf/dhparams.pem @@ -0,0 +1,29 @@ +Diffie-Hellman-Parameters: (2048 bit) + prime: + 00:b0:a1:08:06:9c:08:13:ba:59:06:3c:bc:30:d5: + f5:00:c1:4f:44:a7:d6:ef:4a:c6:25:27:1c:e8:d2: + 96:53:0a:5c:91:dd:a2:c2:94:84:bf:7d:b2:44:9f: + 9b:d2:c1:8a:c5:be:72:5c:a7:e7:91:e6:d4:9f:73: + 07:85:5b:66:48:c7:70:fa:b4:ee:02:c9:3d:9a:4a: + da:3d:c1:46:3e:19:69:d1:17:46:07:a3:4d:9f:2b: + 96:17:39:6d:30:8d:2a:f3:94:d3:75:cf:a0:75:e6: + f2:92:1f:1a:70:05:aa:04:83:57:30:fb:da:76:93: + 38:50:e8:27:fd:63:ee:3c:e5:b7:c8:09:ae:6f:50: + 35:8e:84:ce:4a:00:e9:12:7e:5a:31:d7:33:fc:21: + 13:76:cc:16:30:db:0c:fc:c5:62:a7:35:b8:ef:b7: + b0:ac:c0:36:f6:d9:c9:46:48:f9:40:90:00:2b:1b: + aa:6c:e3:1a:c3:0b:03:9e:1b:c2:46:e4:48:4e:22: + 73:6f:c3:5f:d4:9a:d6:30:07:48:d6:8c:90:ab:d4: + f6:f1:e3:48:d3:58:4b:a6:b9:cd:29:bf:68:1f:08: + 4b:63:86:2f:5c:6b:d6:b6:06:65:f7:a6:dc:00:67: + 6b:bb:c3:a9:41:83:fb:c7:fa:c8:e2:1e:7e:af:00: + 3f:93 + generator: 2 (0x2) +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEAsKEIBpwIE7pZBjy8MNX1AMFPRKfW70rGJScc6NKWUwpckd2iwpSE +v32yRJ+b0sGKxb5yXKfnkebUn3MHhVtmSMdw+rTuAsk9mkraPcFGPhlp0RdGB6NN +nyuWFzltMI0q85TTdc+gdebykh8acAWqBINXMPvadpM4UOgn/WPuPOW3yAmub1A1 +joTOSgDpEn5aMdcz/CETdswWMNsM/MVipzW477ewrMA29tnJRkj5QJAAKxuqbOMa +wwsDnhvCRuRITiJzb8Nf1JrWMAdI1oyQq9T28eNI01hLprnNKb9oHwhLY4YvXGvW +tgZl96bcAGdru8OpQYP7x/rI4h5+rwA/kwIBAg== +-----END DH PARAMETERS----- diff --git a/conf/ecc-3-ca.crt b/conf/ecc-3-ca.crt new file mode 100644 index 0000000..5993fcb --- /dev/null +++ b/conf/ecc-3-ca.crt 
@@ -0,0 +1,52 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN=ecc-3-root + Validity + Not Before: Apr 13 04:17:19 2017 GMT + Not After : Apr 11 04:17:19 2027 GMT + Subject: CN=ecc-3-ca + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:9a:3c:72:c0:55:c5:61:97:d1:04:8d:44:92:31: + fc:d8:92:3d:58:fa:11:af:e3:ba:b5:4a:62:00:06: + 0f:11:ff:c8:b6:50:12:4d:15:ed:67:6f:c8:af:6c: + 5e:26:8c:d4:23:fc:38:e2:9f:d6:c5:6a:4a:ac:76: + a7:e2:10:f5:d9 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Subject Key Identifier: + A2:7D:87:7F:41:EE:FC:77:91:7F:8C:21:EA:22:83:FA:3A:05:C0:97 + X509v3 Authority Key Identifier: + keyid:AA:4F:85:4C:EB:3E:30:B9:88:84:0F:E4:81:17:EB:51:85:38:D7:F4 + DirName:/CN=ecc-3-root + serial:8F:9F:50:14:32:87:37:CD + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Certificate Sign + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:70:8c:84:94:5a:94:02:ca:00:d2:53:94:58:21: + aa:4c:58:2b:fa:bb:f6:89:e5:f0:06:33:97:49:02:bb:d5:a1: + 02:21:00:83:79:23:a7:49:40:1f:17:2d:65:17:62:8e:7f:3c: + 69:15:d7:1b:ce:e9:99:9a:e0:b4:ba:0c:c0:8b:97:05:be +-----BEGIN CERTIFICATE----- +MIIBsjCCAVigAwIBAgICEAAwCgYIKoZIzj0EAwIwFTETMBEGA1UEAwwKZWNjLTMt +cm9vdDAeFw0xNzA0MTMwNDE3MTlaFw0yNzA0MTEwNDE3MTlaMBMxETAPBgNVBAMM +CGVjYy0zLWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmjxywFXFYZfRBI1E +kjH82JI9WPoRr+O6tUpiAAYPEf/ItlASTRXtZ2/Ir2xeJozUI/w44p/WxWpKrHan +4hD12aOBmTCBljAdBgNVHQ4EFgQUon2Hf0Hu/HeRf4wh6iKD+joFwJcwRQYDVR0j +BD4wPIAUqk+FTOs+MLmIhA/kgRfrUYU41/ShGaQXMBUxEzARBgNVBAMMCmVjYy0z +LXJvb3SCCQCPn1AUMoc3zTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwICxDATBgNV +HSUEDDAKBggrBgEFBQcDATAKBggqhkjOPQQDAgNIADBFAiBwjISUWpQCygDSU5RY +IapMWCv6u/aJ5fAGM5dJArvVoQIhAIN5I6dJQB8XLWUXYo5/PGkV1xvO6Zma4LS6 +DMCLlwW+ +-----END CERTIFICATE----- 
diff --git a/conf/ecc-3-ca.key b/conf/ecc-3-ca.key new file mode 100644 index 0000000..dc500af --- /dev/null +++ b/conf/ecc-3-ca.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOdvdNBuIVhOGFNlp1XpaEGHx86yC+80/v1fWlX++8V5oAoGCCqGSM49 +AwEHoUQDQgAEmjxywFXFYZfRBI1EkjH82JI9WPoRr+O6tUpiAAYPEf/ItlASTRXt +Z2/Ir2xeJozUI/w44p/WxWpKrHan4hD12Q== +-----END EC PRIVATE KEY----- diff --git a/conf/ecc-3-caleaf.crt b/conf/ecc-3-caleaf.crt new file mode 100644 index 0000000..410c82f --- /dev/null +++ b/conf/ecc-3-caleaf.crt 
@@ -0,0 +1,96 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4097 (0x1001) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN=ecc-3-ca + Validity + Not Before: Apr 13 04:17:19 2017 GMT + Not After : Apr 11 04:17:19 2027 GMT + Subject: CN=ecc-3-leaf + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:fb:29:bb:9d:a4:5a:05:a4:ee:3b:fc:e5:2a:29: + 50:6b:65:9c:c8:dc:64:0a:e8:66:58:fe:8c:fe:cc: + 16:de:02:fb:8a:08:29:d0:57:2d:96:48:04:06:e3: + 06:4a:bf:ad:e1:ae:6e:01:3d:ee:40:ed:97:5e:3d: + 93:eb:bb:d4:e4 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + FB:85:93:45:F4:E7:12:B2:03:E9:13:36:B3:A8:83:6A:71:AE:9A:84 + X509v3 Authority Key Identifier: + keyid:A2:7D:87:7F:41:EE:FC:77:91:7F:8C:21:EA:22:83:FA:3A:05:C0:97 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:06:e5:65:fc:50:08:94:24:47:32:99:c2:42:3e: + 74:1a:85:6a:be:4f:b1:ef:26:65:b3:1a:3f:dc:94:5e:ab:9e: + 02:20:4a:c6:0b:f2:95:da:fa:be:48:d8:f1:e8:21:03:9e:fb: + e4:4f:1b:9a:87:e0:96:4e:ef:a3:c8:ac:63:95:f0:c6 +-----BEGIN CERTIFICATE----- +MIIBZDCCAQugAwIBAgICEAEwCgYIKoZIzj0EAwIwEzERMA8GA1UEAwwIZWNjLTMt +Y2EwHhcNMTcwNDEzMDQxNzE5WhcNMjcwNDExMDQxNzE5WjAVMRMwEQYDVQQDDApl +Y2MtMy1sZWFmMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+ym7naRaBaTuO/zl +KilQa2WcyNxkCuhmWP6M/swW3gL7iggp0FctlkgEBuMGSr+t4a5uAT3uQO2XXj2T +67vU5KNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU+4WTRfTnErID6RM2s6iDanGu +moQwHwYDVR0jBBgwFoAUon2Hf0Hu/HeRf4wh6iKD+joFwJcwCgYIKoZIzj0EAwID +RwAwRAIgBuVl/FAIlCRHMpnCQj50GoVqvk+x7yZlsxo/3JReq54CIErGC/KV2vq+ +SNjx6CEDnvvkTxuah+CWTu+jyKxjlfDG +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN=ecc-3-root + Validity + Not Before: Apr 13 04:17:19 2017 GMT + Not After : Apr 11 04:17:19 2027 GMT + Subject: CN=ecc-3-ca + Subject Public Key Info: + Public Key Algorithm: 
id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:9a:3c:72:c0:55:c5:61:97:d1:04:8d:44:92:31: + fc:d8:92:3d:58:fa:11:af:e3:ba:b5:4a:62:00:06: + 0f:11:ff:c8:b6:50:12:4d:15:ed:67:6f:c8:af:6c: + 5e:26:8c:d4:23:fc:38:e2:9f:d6:c5:6a:4a:ac:76: + a7:e2:10:f5:d9 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Subject Key Identifier: + A2:7D:87:7F:41:EE:FC:77:91:7F:8C:21:EA:22:83:FA:3A:05:C0:97 + X509v3 Authority Key Identifier: + keyid:AA:4F:85:4C:EB:3E:30:B9:88:84:0F:E4:81:17:EB:51:85:38:D7:F4 + DirName:/CN=ecc-3-root + serial:8F:9F:50:14:32:87:37:CD + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Certificate Sign + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:70:8c:84:94:5a:94:02:ca:00:d2:53:94:58:21: + aa:4c:58:2b:fa:bb:f6:89:e5:f0:06:33:97:49:02:bb:d5:a1: + 02:21:00:83:79:23:a7:49:40:1f:17:2d:65:17:62:8e:7f:3c: + 69:15:d7:1b:ce:e9:99:9a:e0:b4:ba:0c:c0:8b:97:05:be +-----BEGIN CERTIFICATE----- +MIIBsjCCAVigAwIBAgICEAAwCgYIKoZIzj0EAwIwFTETMBEGA1UEAwwKZWNjLTMt +cm9vdDAeFw0xNzA0MTMwNDE3MTlaFw0yNzA0MTEwNDE3MTlaMBMxETAPBgNVBAMM +CGVjYy0zLWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmjxywFXFYZfRBI1E +kjH82JI9WPoRr+O6tUpiAAYPEf/ItlASTRXtZ2/Ir2xeJozUI/w44p/WxWpKrHan +4hD12aOBmTCBljAdBgNVHQ4EFgQUon2Hf0Hu/HeRf4wh6iKD+joFwJcwRQYDVR0j +BD4wPIAUqk+FTOs+MLmIhA/kgRfrUYU41/ShGaQXMBUxEzARBgNVBAMMCmVjYy0z +LXJvb3SCCQCPn1AUMoc3zTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwICxDATBgNV +HSUEDDAKBggrBgEFBQcDATAKBggqhkjOPQQDAgNIADBFAiBwjISUWpQCygDSU5RY +IapMWCv6u/aJ5fAGM5dJArvVoQIhAIN5I6dJQB8XLWUXYo5/PGkV1xvO6Zma4LS6 +DMCLlwW+ +-----END CERTIFICATE----- diff --git a/conf/ecc-3-leaf.crt b/conf/ecc-3-leaf.crt new file mode 100644 index 0000000..a39892c --- /dev/null +++ b/conf/ecc-3-leaf.crt 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4097 (0x1001) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN=ecc-3-ca + Validity + Not Before: Apr 13 04:17:19 2017 GMT + Not After : Apr 11 04:17:19 2027 GMT + Subject: CN=ecc-3-leaf + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:fb:29:bb:9d:a4:5a:05:a4:ee:3b:fc:e5:2a:29: + 50:6b:65:9c:c8:dc:64:0a:e8:66:58:fe:8c:fe:cc: + 16:de:02:fb:8a:08:29:d0:57:2d:96:48:04:06:e3: + 06:4a:bf:ad:e1:ae:6e:01:3d:ee:40:ed:97:5e:3d: + 93:eb:bb:d4:e4 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + FB:85:93:45:F4:E7:12:B2:03:E9:13:36:B3:A8:83:6A:71:AE:9A:84 + X509v3 Authority Key Identifier: + keyid:A2:7D:87:7F:41:EE:FC:77:91:7F:8C:21:EA:22:83:FA:3A:05:C0:97 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:06:e5:65:fc:50:08:94:24:47:32:99:c2:42:3e: + 74:1a:85:6a:be:4f:b1:ef:26:65:b3:1a:3f:dc:94:5e:ab:9e: + 02:20:4a:c6:0b:f2:95:da:fa:be:48:d8:f1:e8:21:03:9e:fb: + e4:4f:1b:9a:87:e0:96:4e:ef:a3:c8:ac:63:95:f0:c6 +-----BEGIN CERTIFICATE----- +MIIBZDCCAQugAwIBAgICEAEwCgYIKoZIzj0EAwIwEzERMA8GA1UEAwwIZWNjLTMt +Y2EwHhcNMTcwNDEzMDQxNzE5WhcNMjcwNDExMDQxNzE5WjAVMRMwEQYDVQQDDApl +Y2MtMy1sZWFmMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+ym7naRaBaTuO/zl +KilQa2WcyNxkCuhmWP6M/swW3gL7iggp0FctlkgEBuMGSr+t4a5uAT3uQO2XXj2T +67vU5KNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU+4WTRfTnErID6RM2s6iDanGu +moQwHwYDVR0jBBgwFoAUon2Hf0Hu/HeRf4wh6iKD+joFwJcwCgYIKoZIzj0EAwID +RwAwRAIgBuVl/FAIlCRHMpnCQj50GoVqvk+x7yZlsxo/3JReq54CIErGC/KV2vq+ +SNjx6CEDnvvkTxuah+CWTu+jyKxjlfDG +-----END CERTIFICATE----- diff --git a/conf/ecc-3-leaf.key b/conf/ecc-3-leaf.key new file mode 100644 index 0000000..404a537 --- /dev/null +++ b/conf/ecc-3-leaf.key 
@@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIGG5W4DVYxQGUlQCFVF6knJBJhIpyxlQn3oOC0b+XMK+oAoGCCqGSM49 +AwEHoUQDQgAE+ym7naRaBaTuO/zlKilQa2WcyNxkCuhmWP6M/swW3gL7iggp0Fct +lkgEBuMGSr+t4a5uAT3uQO2XXj2T67vU5A== +-----END EC PRIVATE KEY----- diff --git a/conf/ecc-3-root.crt b/conf/ecc-3-root.crt new file mode 100644 index 0000000..fe8b1c4 --- /dev/null +++ b/conf/ecc-3-root.crt @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBljCCAT2gAwIBAgIJAI+fUBQyhzfNMAoGCCqGSM49BAMCMBUxEzARBgNVBAMM +CmVjYy0zLXJvb3QwHhcNMTcwNDEzMDQxNzE5WhcNMTcwNTEzMDQxNzE5WjAVMRMw +EQYDVQQDDAplY2MtMy1yb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu5gb +zk5/vNactCMgdIockN9P9W3QTazRkMRGdSdjV2mvc9rXBitFvxcJNVD3G+biakdu +W/TfwO1i6c3j04jPFaN2MHQwHQYDVR0OBBYEFKpPhUzrPjC5iIQP5IEX61GFONf0 +MEUGA1UdIwQ+MDyAFKpPhUzrPjC5iIQP5IEX61GFONf0oRmkFzAVMRMwEQYDVQQD +DAplY2MtMy1yb290ggkAj59QFDKHN80wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD +AgNHADBEAiAjK8/tUwXXbbWGhuPXwNfia6u8xX375sjle3aPw3E8WwIgE8YEwq3G +Hca5vKPwkbpe8IrfC0GLfs4wBnlPOsZApZU= +-----END CERTIFICATE----- diff --git a/conf/ecc-3-root.key b/conf/ecc-3-root.key new file mode 100644 index 0000000..4c6ff83 --- /dev/null +++ b/conf/ecc-3-root.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIEmIgFcBGNFjUcXURgcXgKa3Wdr2GoUK1MufLO5/fal1oAoGCCqGSM49 +AwEHoUQDQgAEu5gbzk5/vNactCMgdIockN9P9W3QTazRkMRGdSdjV2mvc9rXBitF +vxcJNVD3G+biakduW/TfwO1i6c3j04jPFQ== +-----END EC PRIVATE KEY----- diff --git a/conf/fastcgi.conf b/conf/fastcgi.conf new file mode 100644 index 0000000..091738c --- /dev/null +++ b/conf/fastcgi.conf 
@@ -0,0 +1,26 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/conf/fastcgi_params b/conf/fastcgi_params
new file mode 100644
index 0000000..28decb9
--- /dev/null
+++ b/conf/fastcgi_params
@@ -0,0 +1,25 @@
+
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/conf/gen-certs.sh b/conf/gen-certs.sh
new file mode 100755
index 0000000..2b22f5a
--- /dev/null
+++ b/conf/gen-certs.sh
@@ -0,0 +1,129 @@
+#!/bin/sh
+
+OPENSSL_CONF="./ca/openssl.conf"
+CA_CONF="./ca/ca.conf"
+
+if [ -d ca ]; then
+ rm -rf ca
+fi
+
+mkdir ca
+echo "1000" >./ca/certserial
+echo -n >./ca/certindex
+cat << EOF >$OPENSSL_CONF
+[ req ]
+encrypt_key = no
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+[ ca ]
+default_ca = myca
+[ myca ]
+default_days = 3650
+[ usr_cert ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
+EOF
+cat << EOF >$CA_CONF
+[ ca ]
+default_ca = myca
+
+[ myca ]
+new_certs_dir = ca
+database = ca/certindex
+default_md = sha256
+policy = myca_policy
+serial = ca/certserial
+default_days = 3650
+
+[ myca_policy ]
+commonName = supplied
+
+[ usr_cert ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
+keyUsage = nonRepudiation,digitalSignature,keyCertSign
+extendedKeyUsage = serverAuth
+EOF
+
+ISSUER=
+for NAME in "ecc-3-root" "ecc-3-ca" "ecc-3-leaf"
+do
+ openssl ecparam -genkey -name prime256v1 -out "./${NAME}.key"
+ RET=$?
+ if [ "$RET" != "0" ]; then
+ echo "Can't create ECC public key for ${NAME}: $RET"
+ exit 1
+ fi
+
+ EXT=v3_ca
+ if [ $NAME = "ecc-3-leaf" ]; then
+ EXT=usr_cert
+ fi
+
+ if [ "$ISSUER" = "" ]; then
+ openssl req -x509 -new \
+ -config $OPENSSL_CONF -subj "/CN=${NAME}/" \
+ -out "./${NAME}.crt" -key "./${NAME}.key" \
+ -extensions $EXT \
+ >/dev/null 2>&1
+ RET=$?
+ if [ "$RET" != "0" ]; then
+ echo "Can't create certificate for ${NAME}: $RET"
+ exit 1
+ fi
+ else
+ openssl req -new \
+ -config $OPENSSL_CONF -subj "/CN=${NAME}/" \
+ -out "./ca/${NAME}.csr" -key "./${NAME}.key" \
+ >/dev/null 2>&1
+ RET=$?
+ if [ "$RET" != "0" ]; then
+ echo "Can't create certificate for ${NAME}: $RET"
+ exit 1
+ fi
+
+ openssl req -x509 -new \
+ -config $OPENSSL_CONF -subj "/CN=${NAME}/" \
+ -out "./${NAME}.crt" -key "./${NAME}.key" \
+ -extensions $EXT \
+ >/dev/null 2>&1
+ RET=$?
+ if [ "$RET" != "0" ]; then
+ echo "Can't create certificate for ${NAME}: $RET"
+ exit 1
+ fi
+ openssl ca -batch -config $CA_CONF \
+ -keyfile "./${ISSUER}.key" -cert "./${ISSUER}.crt" \
+ -subj "/CN=${NAME}/" -in "./ca/${NAME}.csr" -out "./${NAME}.crt" \
+ -extensions $EXT \
+ >/dev/null 2>&1
+ RET=$?
+ if [ "$RET" != "0" ]; then
+ echo "Can't sign certificate for ${NAME}: $RET"
+ exit 1
+ fi
+
+ BUNDLE="$NAME.crt $BUNDLE"
+ fi
+
+ echo "${NAME}.crt"
+ ISSUER=$NAME
+done
+
+rm -f ecc-3-caleaf.crt
+for FILE in $BUNDLE
+do
+ cat $FILE >>ecc-3-caleaf.crt
+done
+
diff --git a/conf/koi-utf b/conf/koi-utf
new file mode 100644
index 0000000..e7974ff
--- /dev/null
+++ b/conf/koi-utf
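Review bot: The self-signed root produced by the `openssl req -x509 -new` call in the `"$ISSUER" = ""` branch is only valid for 30 days: `default_days = 3650` sits in the `[ myca ]` section, which `openssl ca` reads but `openssl req` ignores, and no `-days` is passed, so req falls back to its 30-day default — the committed ecc-3-root.crt bears this out (its notAfter decodes to May 13 2017, while ecc-3-ca.crt and ecc-3-leaf.crt run to 2027), so the complete-chain proxy test that trusts ecc-3-root.crt stops passing once that date is reached. Add the lifetime explicitly there, e.g. `openssl req -x509 -new -days 3650 \`. In the else branch the second `openssl req -x509 -new ... -out "./${NAME}.crt"` writes a self-signed certificate that the following `openssl ca ... -out "./${NAME}.crt"` overwrites immediately, so that block (and its error check) can be deleted. Also `echo -n >./ca/certindex` is not portable under `#!/bin/sh` (on shells such as dash it writes the literal `-n` into the CA index file); `: >./ca/certindex` creates the empty file on every shell.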
@@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; #   + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE 
D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/conf/koi-win b/conf/koi-win new file mode 100644 index 0000000..72afabe --- /dev/null +++ b/conf/koi-win 
@@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; #   + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} 
diff --git a/conf/mime.types b/conf/mime.types new file mode 100644 index 0000000..89be9a4 --- /dev/null +++ b/conf/mime.types 
@@ -0,0 +1,89 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + image/webp webp; + + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + 
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/conf/nginx.conf b/conf/nginx.conf new file mode 100644 index 0000000..d289aeb --- /dev/null +++ b/conf/nginx.conf 
@@ -0,0 +1,592 @@ + +worker_processes 1; + +events { +} + + +http { + include mime.types; + default_type application/octet-stream; + + sendfile on; + + keepalive_timeout 65; + + ssl_session_tickets off; + + + # HTTPS server + + # Using DH parameters + server { + listen 11443 ssl; + server_name localhost; + + ssl_certificate cert.pem; + ssl_certificate_key cert.key; + ssl_dhparam dhparams.pem; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; + ssl_prefer_server_ciphers on; + + location / { + root html; + index index.html; + } + } + # Verify client + server { + listen 11444 ssl; + server_name localhost; + + ssl_certificate cert.pem; + ssl_certificate_key cert.key; + ssl_client_certificate client-cert.pem; + ssl_verify_client on; + ssl_dhparam dhparams.pem; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; + ssl_prefer_server_ciphers on; + + location / { + root html; + index index.html; + } + } + # P384 curve with ECDHE + server { + listen 11445 ssl; + server_name localhost; + + ssl_certificate cert.pem; + ssl_certificate_key cert.key; + ssl_ecdh_curve secp384r1; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA; + ssl_prefer_server_ciphers on; + + location / { + root html; + index index.html; + } + } + # Default curve with ECDHE and ECDSA + server { + listen 11446 ssl; + server_name localhost; + + ssl_certificate cert-ecc.pem; + ssl_certificate_key cert-ecc-p8.key; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA; + ssl_prefer_server_ciphers on; + + location / { + root html; + index index.html; + } + } + + # Session ticket + server { + listen 11450 ssl; + server_name localhost; + + ssl_certificate cert.pem; + ssl_certificate_key cert.key; + ssl_dhparam 
dhparams.pem;
+ ssl_session_ticket_key ticket_keys;
+ ssl_session_tickets on;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root html;
+ index index.html;
+ }
+ }
+
+ # Session cache off
+ server {
+ listen 11455 ssl;
+ server_name localhost;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache off;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root html;
+ index index.html;
+ }
+ }
+ # Session cache none
+ server {
+ listen 11456 ssl;
+ server_name localhost;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache none;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root html;
+ index index.html;
+ }
+ }
+ # Session cache builtin
+ server {
+ listen 11457 ssl;
+ server_name localhost;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache builtin:100;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root html;
+ index index.html;
+ }
+ }
+
+ # Proxy to wolfSSL server
+ upstream backend {
+ server 127.0.0.1:12443;
+ }
+ server {
+ listen 127.0.0.1:12443 ssl;
+ server_name www.wolfssl.com;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root wolfssl;
+ index index.html;
+ }
+ }
+ upstream backend_ecdhe_rsa {
+ server 127.0.0.1:12444;
+ }
+ server {
+ listen 127.0.0.1:12444 ssl;
+ server_name www.wolfssl.com;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root wolfssl;
+ index index.html;
+ }
+ }
+ upstream backend_ecdhe_ecdsa {
+ server 127.0.0.1:12445;
+ }
+ server {
+ listen 127.0.0.1:12445 ssl;
+ server_name www.wolfssl.com;
+
+ ssl_certificate cert-ecc.pem;
+ ssl_certificate_key cert-ecc-priv.key;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root wolfssl;
+ index index.html;
+ }
+ }
+ upstream backend_crl_rev {
+ server 127.0.0.1:12446;
+ }
+ server {
+ listen 127.0.0.1:12446 ssl;
+ server_name www.wolfssl.com;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root wolfssl;
+ index index.html;
+ }
+ }
+ upstream backend_chain {
+ server 127.0.0.1:12447;
+ }
+ server {
+ listen 127.0.0.1:12447 ssl;
+ server_name ecc-3-leaf;
+
+ ssl_certificate ecc-3-caleaf.crt;
+ ssl_certificate_key ecc-3-leaf.key;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root wolfssl;
+ index index.html;
+ }
+ }
+ upstream backend_bad_chain {
+ server 127.0.0.1:12448;
+ }
+ server {
+ listen 127.0.0.1:12448 ssl;
+ server_name ecc-3-leaf;
+
+ ssl_certificate ecc-3-leaf.crt;
+ ssl_certificate_key ecc-3-leaf.key;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root wolfssl;
+ index index.html;
+ }
+ }
+
+ # Proxy using DHE cipher suites and CRL
+ server {
+ listen 11460 ssl;
+ server_name localhost;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass https://backend;
+ proxy_ssl_name www.wolfssl.com;
+ proxy_ssl_server_name on;
+ proxy_ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ proxy_ssl_trusted_certificate ca-cert.pem;
+ proxy_ssl_certificate client-cert.pem;
+ proxy_ssl_certificate_key client-key.pem;
+ proxy_ssl_verify on;
+ proxy_ssl_crl crl.pem;
+ }
+ }
+ # Proxy using ECDHE cipher suites and CRL
+ server {
+ listen 11461 ssl;
+ server_name localhost;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass https://backend_ecdhe_rsa;
+ proxy_ssl_name www.wolfssl.com;
+ proxy_ssl_server_name on;
+ proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
+ proxy_ssl_trusted_certificate ca-cert.pem;
+ proxy_ssl_certificate client-cert.pem;
+ proxy_ssl_certificate_key client-key.pem;
+ proxy_ssl_verify on;
+ proxy_ssl_crl crl.pem;
+ }
+ }
+ # Proxy using ECDHE and ECDSA cipher suites
+ server {
+ listen 11462 ssl;
+ server_name localhost;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass https://backend_ecdhe_ecdsa;
+ proxy_ssl_name www.wolfssl.com;
+ proxy_ssl_server_name on;
+ proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
+ proxy_ssl_trusted_certificate ca-cert-ecc.pem;
+ proxy_ssl_certificate client-cert.pem;
+ proxy_ssl_certificate_key client-key.pem;
+ proxy_ssl_verify on;
+ proxy_ssl_session_reuse on;
+ }
+ }
+ # Proxy using complete chain
+ server {
+ listen 11463 ssl;
+ server_name localhost;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass https://backend_chain;
+ proxy_ssl_name ecc-3-leaf;
+ proxy_ssl_server_name on;
+ proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
+ proxy_ssl_trusted_certificate ecc-3-root.crt;
+ proxy_ssl_certificate client-cert.pem;
+ proxy_ssl_certificate_key client-key.pem;
+ proxy_ssl_verify on;
+ proxy_ssl_session_reuse on;
+ }
+ }
+ # Proxy using incomplete chain
+ server {
+ listen 11464 ssl;
+ server_name localhost;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass https://backend_bad_chain;
+ proxy_ssl_name ecc-3-leaf;
+ proxy_ssl_server_name on;
+ proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
+ proxy_ssl_trusted_certificate ecc-3-root.crt;
+ proxy_ssl_certificate client-cert.pem;
+ proxy_ssl_certificate_key client-key.pem;
+ proxy_ssl_verify on;
+ proxy_ssl_session_reuse on;
+ }
+ }
+
+
+ # Proxy using revoked CRL
+ server {
+ listen 11465 ssl;
+ server_name localhost;
+
+ ssl_certificate cert.pem;
+ ssl_certificate_key cert.key;
+ ssl_dhparam dhparams.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ proxy_pass https://backend_crl_rev;
+ proxy_ssl_name www.wolfssl.com;
+ proxy_ssl_server_name on;
+ proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
+ proxy_ssl_trusted_certificate ca-cert.pem;
+ proxy_ssl_certificate client-cert.pem;
+ proxy_ssl_certificate_key client-key.pem;
+ proxy_ssl_verify on;
+ proxy_ssl_crl crl-revoked.pem;
+ proxy_ssl_session_reuse on;
+ }
+ }
+ # OCSP Stapling
+ # Valid server certificate - using OCSP responder
+ server {
+ listen 11470 ssl;
+ server_name localhost;
+
+ ssl_certificate ocsp-good-cert.pem;
+ ssl_certificate_key ocsp-good-key.pem;
+ ssl_stapling on;
+ ssl_stapling_responder http://127.0.0.1:22221;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate ocsp-root-resp-cert.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root html;
+ index index.html;
+ }
+ }
+ # Revoked server certificate - using OCSP responder
+ server {
+ listen 11471 ssl;
+ server_name localhost;
+
+ ssl_certificate ocsp-bad-cert.pem;
+ ssl_certificate_key ocsp-bad-key.pem;
+ ssl_stapling on;
+ ssl_stapling_responder http://127.0.0.1:22221;
+ ssl_trusted_certificate ocsp-root-resp-cert.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root html;
+ index index.html;
+ }
+ }
+ # Valid server certificate in fixed OCSP response
+ server {
+ listen 11472 ssl;
+ server_name localhost;
+
+ ssl_certificate ocsp-good-cert.pem;
+ ssl_certificate_key ocsp-good-key.pem;
+ ssl_stapling on;
+ ssl_stapling_file ocsp-good-status.der;
+ ssl_trusted_certificate ocsp-root-resp-cert.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root html;
+ index index.html;
+ }
+ }
+ # Revoked server certificate in fixed OCSP response
+ server {
+ listen 11473 ssl;
+ server_name localhost;
+
+ ssl_certificate ocsp-bad-cert.pem;
+ ssl_certificate_key ocsp-bad-key.pem;
+ ssl_stapling on;
+ ssl_stapling_file ocsp-bad-status.der;
+ ssl_trusted_certificate ocsp-root-resp-cert.pem;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root html;
+ index index.html;
+ }
+ }
+ # No CA to check responder certificate - using OCSP responder
+ server {
+ listen 11474 ssl;
+ server_name localhost;
+
+ ssl_certificate ocsp-good-cert.pem;
+ ssl_certificate_key ocsp-good-key.pem;
+ ssl_stapling on;
+ ssl_stapling_responder http://127.0.0.1:22221;
+ ssl_stapling_verify on;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ root html;
+ index index.html;
+ }
+ }
+}
diff --git a/conf/ocsp-bad-cert.pem b/conf/ocsp-bad-cert.pem
new file mode 100644
index 0000000..0caefea
--- /dev/null
+++ b/conf/ocsp-bad-cert.pem
@@ -0,0 +1,186 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www2.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c6:35:8a:e8:aa:bd:33:c9:5e:84:43:67:42:65: + 2a:3c:e3:89:b4:a6:67:a1:3b:ee:6d:85:d1:d3:2b: + 6e:b1:62:d4:f1:22:43:a0:d5:b7:a5:7d:b5:f5:6c: + 09:06:7c:8c:ef:87:af:4f:34:ce:27:eb:f3:4a:37: + 57:c3:d7:d8:ee:e4:a0:77:65:2c:a7:c2:10:65:6b: + 7b:48:c4:d8:28:fe:4c:4e:4f:7e:2f:20:c4:49:5b: + 71:38:40:0d:36:a3:57:b3:44:da:be:cd:54:14:15: + 66:0f:d3:05:08:f2:2e:03:67:2e:5c:5d:e1:b0:e6: + c0:25:8f:58:77:5b:d3:d7:a8:22:ea:56:d3:0e:01: + 6d:38:34:56:47:aa:12:c4:ba:2a:ef:ec:18:f5:d4: + db:b9:fa:6f:dc:50:eb:ee:10:a2:14:b5:9a:12:e1: + e3:85:0f:79:14:b8:70:6d:0d:1c:1d:38:57:85:6a: + 82:0c:d6:bd:2c:bf:20:f1:28:2e:f6:34:80:a7:0d: + 32:82:35:4f:c1:b1:e5:9e:26:d5:f8:b9:39:57:43: + ef:ed:f1:10:5c:3e:32:ba:d9:e4:9e:40:cd:28:ea: + 26:46:9b:a9:34:8d:9f:b9:fd:45:7d:14:f7:ce:ca: + 3b:85:87:a7:64:74:9c:65:29:18:b3:f5:b1:ad:92: + 62:39 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 7D:6D:FD:F6:0B:4F:3F:4A:62:91:F5:F3:13:60:51:86:C3:5A:9F:D6 + X509v3 Authority Key Identifier: + keyid:83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:01 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://127.0.0.1:22221 + + Signature Algorithm: sha256WithRSAEncryption 
+ dd:b6:17:51:62:83:8d:32:7f:2f:21:2f:0a:ea:6b:3f:f0:c9: + 59:9d:1e:4b:82:7d:aa:1d:6d:a8:f5:c0:20:78:a8:fd:a3:ca: + cb:1f:2b:99:28:97:d2:ce:71:48:95:82:ee:e4:a4:d9:32:75: + 7f:1d:b2:97:8d:5c:3c:96:9a:b9:4c:05:fe:d1:af:81:4a:25: + c5:66:a1:f3:c7:0e:f3:76:db:3d:a2:87:7e:5c:c4:0a:d3:d3: + 97:a1:7c:46:fc:94:2c:dc:0a:7e:a1:b2:f2:7f:c7:cb:d9:7a: + c2:fa:8d:5b:4a:75:c0:e4:dc:57:4b:84:2a:5a:84:35:13:7b: + 15:49:a0:e8:9e:d8:1d:90:a4:99:4e:a4:dd:fc:ba:d3:f5:12: + aa:36:f2:87:04:b4:09:04:6f:94:a1:18:3e:46:ce:ae:55:f4: + 0f:d8:26:ee:11:cf:d4:8e:e5:33:da:17:e2:ad:43:05:50:e2: + 38:c7:d2:15:18:23:f0:fa:cd:cc:b3:e9:ea:00:5a:af:29:90: + 6a:69:8c:ba:c8:f7:84:84:57:0d:80:b1:10:2c:bd:9d:33:42: + 6d:f1:58:d5:b4:6a:79:e4:26:8f:41:ef:a2:b5:84:6b:c2:6d: + be:5e:76:8f:29:25:13:e8:ba:dd:aa:64:3e:74:bc:90:2d:aa: + bb:1a:cd:c9 +-----BEGIN CERTIFICATE----- +MIIE7jCCA9agAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +Mi53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMY1iuiqvTPJXoRDZ0JlKjzj +ibSmZ6E77m2F0dMrbrFi1PEiQ6DVt6V9tfVsCQZ8jO+Hr080zifr80o3V8PX2O7k +oHdlLKfCEGVre0jE2Cj+TE5Pfi8gxElbcThADTajV7NE2r7NVBQVZg/TBQjyLgNn +Llxd4bDmwCWPWHdb09eoIupW0w4BbTg0VkeqEsS6Ku/sGPXU27n6b9xQ6+4QohS1 +mhLh44UPeRS4cG0NHB04V4VqggzWvSy/IPEoLvY0gKcNMoI1T8Gx5Z4m1fi5OVdD +7+3xEFw+MrrZ5J5AzSjqJkabqTSNn7n9RX0U987KO4WHp2R0nGUpGLP1sa2SYjkC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFH1t/fYLTz9KYpH18xNg +UYbDWp/WMIHEBgNVHSMEgbwwgbmAFIPGOoksgfQC151M4irAcYJkRNoOoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH 
+U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB +AQDdthdRYoONMn8vIS8K6ms/8MlZnR5Lgn2qHW2o9cAgeKj9o8rLHyuZKJfSznFI +lYLu5KTZMnV/HbKXjVw8lpq5TAX+0a+BSiXFZqHzxw7zdts9ood+XMQK09OXoXxG +/JQs3Ap+obLyf8fL2XrC+o1bSnXA5NxXS4QqWoQ1E3sVSaDontgdkKSZTqTd/LrT +9RKqNvKHBLQJBG+UoRg+Rs6uVfQP2CbuEc/UjuUz2hfirUMFUOI4x9IVGCPw+s3M +s+nqAFqvKZBqaYy6yPeEhFcNgLEQLL2dM0Jt8VjVtGp55CaPQe+itYRrwm2+XnaP +KSUT6LrdqmQ+dLyQLaq7Gs3J +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35: + a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c: + bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e: + 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1: + 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90: + d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a: + e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e: + 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64: + 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24: + 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4: + c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b: + 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56: + f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2: + d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4: + bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd: + 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f: + 
21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc: + 97:7f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://127.0.0.1:22220 + + Signature Algorithm: sha256WithRSAEncryption + 0f:a2:19:93:09:2f:c8:c5:91:62:2b:1e:9c:69:93:ea:5f:f1: + 5e:b8:15:8e:0f:c9:82:08:3a:6b:60:3f:ad:1b:fa:47:94:a7: + 31:33:34:6c:cf:09:63:fd:8c:de:62:c4:2e:5f:71:19:2e:a8: + 96:63:37:16:e7:bf:37:67:2d:46:36:72:d0:e4:03:a7:89:a1: + e4:4c:2f:76:31:79:0d:84:ae:c8:61:cf:98:03:2f:12:fc:17: + 60:60:88:b0:96:a0:a8:59:f5:96:1d:3d:1e:e0:c0:26:fd:1b: + 3e:42:73:ad:1d:39:0f:ff:d9:f0:71:52:e3:9a:9b:7a:b4:a2: + af:50:e7:33:7f:66:40:65:bd:31:0c:c9:21:b0:d1:3f:df:b6: + 77:e5:05:ca:24:b9:72:c9:82:c6:9f:be:12:f6:5d:39:34:b7: + 20:df:e1:24:c3:b2:fe:98:b6:d3:6c:3e:43:62:6b:e2:6d:56: + 65:99:3e:aa:2e:a8:cb:82:2d:9b:11:da:8a:b6:63:20:12:c7: + a0:5b:5d:5b:09:29:47:50:ad:4e:1f:68:29:d2:d9:0e:5f:5c: + 83:e8:e6:fd:c7:e5:f9:14:0d:14:8e:6e:34:dd:4f:ec:01:75: + 54:2d:24:c8:c6:98:c3:7f:d8:1d:4f:c5:ae:e0:b2:8e:f5:a8: + bb:4b:1f:aa +-----BEGIN CERTIFICATE----- +MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy 
+bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl +xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV +1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2 +lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt +ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7 +f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi +KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAA+iGZMJL8jFkWIrHpxpk+pf8V64FY4PyYIIOmtgP60b+keUpzEzNGzPCWP9 +jN5ixC5fcRkuqJZjNxbnvzdnLUY2ctDkA6eJoeRML3YxeQ2Ershhz5gDLxL8F2Bg +iLCWoKhZ9ZYdPR7gwCb9Gz5Cc60dOQ//2fBxUuOam3q0oq9Q5zN/ZkBlvTEMySGw +0T/ftnflBcokuXLJgsafvhL2XTk0tyDf4STDsv6YttNsPkNia+JtVmWZPqouqMuC +LZsR2oq2YyASx6BbXVsJKUdQrU4faCnS2Q5fXIPo5v3H5fkUDRSObjTdT+wBdVQt +JMjGmMN/2B1Pxa7gso71qLtLH6o= +-----END CERTIFICATE----- diff --git a/conf/ocsp-bad-key.pem b/conf/ocsp-bad-key.pem new file mode 100644 index 0000000..e4b6181 --- /dev/null +++ b/conf/ocsp-bad-key.pem 
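Review bot: Both certificates in this file carry `Not After : Sep 25 19:12:46 2018 GMT` (leaf serial 6 and the bundled intermediate serial 1), and the same date appears on ocsp-good-cert.pem and ocsp-root-resp-cert.pem, so every OCSP stapling listener in conf/nginx.conf that loads these fixtures will start failing verification on that date with no change to the code under test. Fixtures with a fixed validity window are a well-known cause of silently red suites; either have test.sh regenerate the chain from the CA keys with a long validity, or record the expiry and the exact regeneration command in the README so the next failure is not mistaken for a wolfSSL regression. Note also that the intermediate's AIA points at a different responder port (22220) than the leaf (22221); if test.sh only starts one responder, a comment saying that only leaf status is stapled would save a reader some head-scratching.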
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDGNYroqr0zyV6E +Q2dCZSo844m0pmehO+5thdHTK26xYtTxIkOg1belfbX1bAkGfIzvh69PNM4n6/NK +N1fD19ju5KB3ZSynwhBla3tIxNgo/kxOT34vIMRJW3E4QA02o1ezRNq+zVQUFWYP +0wUI8i4DZy5cXeGw5sAlj1h3W9PXqCLqVtMOAW04NFZHqhLEuirv7Bj11Nu5+m/c +UOvuEKIUtZoS4eOFD3kUuHBtDRwdOFeFaoIM1r0svyDxKC72NICnDTKCNU/BseWe +JtX4uTlXQ+/t8RBcPjK62eSeQM0o6iZGm6k0jZ+5/UV9FPfOyjuFh6dkdJxlKRiz +9bGtkmI5AgMBAAECggEAL6rWwke1gsvNyD8xiR0tQEF0b5aJW5Q/LeW95WwPjed3 +0Jnt67MaHFmUNfaKYR35Au39si2/2of7FYEjwTyatjETikMxrxKTwOBNYN2+InWt +wjOJ5CmcKwwruVxmERrNT5aiiLp2mvHefrXAAzvC5xycYKhPS6zizuWfX+0ckEM5 +yJnl8TRTjfqExxHS1ciTY4B1w8nfWdYY/xiQW23sCPZ8toqsqAuHJjREmMcj+oer +z8Md1tZNa0ujDy0ejSovCnqzWIi4Umg3SndhRDYKNRAFGPNQmYRM+EWEqQufMaXP +ghD+Heb5RUPSkNW98KdjDGK4WiIeqF45tb+YQ4AvgQKBgQDt2X+FMHG/s7FAEAxA +x6TzIcDedqwEKtO3JbaC+Q0FKwRTGwP1tGOnyqbVrw4cSlza5EvUnK8CZK9I2HFd +qfbP3rtFCtHl9/bpVZPNkaVImzqkfmzmGJIREsCDIPu8THFNyxL2TC27VKCNsSmZ +ui2tuxRJ6/O0DroGdvdnFL89SQKBgQDVVaZjiA5Cr1e5Eo6q3dNNeMSBfTuI90Ja +W1OmVovp2yWYjfFFTW2B9vb4RDaRvIuykGhHgAnGKGmHtv7f0GlY7n6Qr0czvyn5 +6s+fRVIcPzEaTVnxC1g20+XHc41XdqnIOcaUjUz7oqC6g7+Y56WKdvvKitV0Lb98 +ua7ZOM6tcQKBgGWtRMY7H2VD+9HXCmXm8qy9ESYItSBS7o6soIj8zoQXD5I3SkoP +A0sHZqqSWwXdBDTOw1vwXyA2ynfpjwzrS4cxP/0T0wbsKbE11ClcybtwIHGRWhxD +BK4nxgRIZVTpmMYYudJwXlxmoPvxcEc3P6+0+cdgBp5CbWO2F60JQXeBAoGAHxLs +u46z1Q7JTlHfqg/JmX0/0kS1iUvKxHKNCquMkbG0FjaGsDuI+edJLfxxnmTCTG4w +YknKIqz8QiJrmZo33hZPJTACxQzRRm/nciGcxjSGKHif4zZt0P6od5bjPZwxOtL/ +k9/JGNYlZ0WNgO4s9LBEGMqEMPoA7F/3kfhuUmECgYEA6WzFZjs31OqTLE0vnCfL +/b/wPeozaAyjtR/24TNkAFwP/LrBAA5gFOoL8p94ce87yXdm80x3bK6OGbNmor7c +qT/OJgnXV1wTrKYSkFUu7LTC7DihpYy2MqyGg8xGxB4kK1IR+ROB4v3c5RkIqaGF +lTSpXFge771NjCimucIOl/Y= +-----END PRIVATE KEY----- diff --git a/conf/ocsp-good-cert.pem b/conf/ocsp-good-cert.pem new file mode 100644 index 0000000..c60d8d7 --- /dev/null +++ b/conf/ocsp-good-cert.pem 
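Review bot: An unencrypted PKCS#8 RSA private key is committed here (and again in ocsp-good-key.pem) with nothing marking it as throwaway test material, and its certificate carries a real-looking subject (`CN=www2.wolfssl.com`), so anyone who copies conf/ into a live nginx prefix serves a key that is public in this repository. That is acceptable for a test harness, but the README should state explicitly that every key under conf/ is public fixture material that must never be installed outside test.sh, and ideally the fixtures would be generated by the test script rather than checked in. Since a PEM key file has no comment syntax, the README (or a conf/README) is the place for that warning.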
@@ -0,0 +1,186 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5 (0x5) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www1.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:e6:96:55:75:cf:8a:97:68:8c:b6:38:f6:7a:05: + be:33:b6:51:47:37:8a:f7:db:91:be:92:6b:b7:00: + 8c:f2:c5:24:6e:18:e9:92:00:81:01:dc:b3:4c:28: + a9:b7:80:f1:96:cf:23:7a:2f:ae:f8:e3:0f:2d:d3: + 5e:23:e7:db:4c:b2:5d:89:16:17:be:be:81:db:fb: + 12:6d:28:4b:10:a0:12:04:27:c1:c9:d0:79:95:ef: + e8:8d:8c:59:9b:4e:72:7d:bc:49:2b:22:4e:f8:4f: + e2:0c:f1:e9:e9:97:f9:df:8c:5a:0a:aa:38:1d:43: + 04:a3:a7:89:a1:e2:83:a4:4b:b5:4e:45:88:a6:22: + 5d:ac:a9:58:67:88:c1:d5:61:ef:bd:11:05:27:94: + 47:bb:33:a5:8a:ca:ee:1f:8d:c0:6e:24:af:cd:ca: + bf:80:47:71:95:ac:a9:f1:5d:23:6c:f5:4b:b4:a9: + e1:c4:66:fb:e5:c4:a1:9f:a7:51:d1:78:cd:2e:b4: + 3f:2e:e2:82:f3:7f:c4:a7:f4:31:cf:76:27:3f:db: + 2e:d2:6e:c3:47:23:82:a3:48:40:8c:a7:c1:13:f0: + 63:50:54:43:f6:71:12:e1:6f:a5:7a:58:26:f7:fd: + 8b:3b:70:18:a0:43:ba:01:6b:b3:f8:d5:be:05:13: + 64:31 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + CC:55:15:00:E2:44:89:92:63:6D:10:5D:B9:9E:73:B6:5D:3A:19:CA + X509v3 Authority Key Identifier: + keyid:83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:01 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://127.0.0.1:22221 + + Signature Algorithm: sha256WithRSAEncryption 
+ 05:65:8d:f5:fa:47:b1:4d:b9:9b:86:b0:18:9d:c8:94:64:7d: + 16:5e:69:69:bb:62:06:9d:8c:be:4f:83:22:f1:0a:7d:ae:f5: + ca:68:78:63:b2:bc:43:12:4f:d3:eb:ce:30:82:d6:be:81:c0: + 68:f4:3b:97:5f:3a:2c:88:62:36:0b:83:1d:ba:56:b1:06:65: + cd:4d:ac:1d:92:3f:73:77:10:5b:17:44:1f:66:cf:a8:f2:1f: + 18:29:c0:5f:20:b6:cb:15:d4:35:b1:b0:a6:41:a8:6e:f0:29: + 83:28:3b:4a:68:e5:b7:42:2f:b4:8a:96:ed:65:84:de:0b:72: + 6f:2b:91:10:56:7f:cd:89:5e:22:30:cc:5a:df:39:88:a9:ea: + af:1d:ba:9a:8a:3d:61:a6:c7:45:2d:ce:9f:76:f9:b2:45:9d: + 19:68:5d:e7:d6:3e:32:0e:65:83:79:63:81:0e:b5:44:51:47: + 9c:a7:6a:c1:5a:04:36:f3:b9:be:4d:76:80:55:2a:76:cd:61: + 15:c1:1a:5f:1f:62:b5:0f:ad:7f:48:66:81:eb:7a:04:b4:0a: + 92:a4:40:ff:bf:59:34:86:5c:1b:79:10:b4:d4:09:fa:45:3d: + 4f:bf:4c:30:b3:18:f2:b9:e9:8d:7c:5f:c0:67:ea:94:fb:ac: + 2e:90:ef:0d +-----BEGIN CERTIFICATE----- +MIIE7jCCA9agAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +MS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOaWVXXPipdojLY49noFvjO2 +UUc3ivfbkb6Sa7cAjPLFJG4Y6ZIAgQHcs0woqbeA8ZbPI3ovrvjjDy3TXiPn20yy +XYkWF76+gdv7Em0oSxCgEgQnwcnQeZXv6I2MWZtOcn28SSsiTvhP4gzx6emX+d+M +WgqqOB1DBKOniaHig6RLtU5FiKYiXaypWGeIwdVh770RBSeUR7szpYrK7h+NwG4k +r83Kv4BHcZWsqfFdI2z1S7Sp4cRm++XEoZ+nUdF4zS60Py7igvN/xKf0Mc92Jz/b +LtJuw0cjgqNIQIynwRPwY1BUQ/ZxEuFvpXpYJvf9iztwGKBDugFrs/jVvgUTZDEC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMxVFQDiRImSY20QXbme +c7ZdOhnKMIHEBgNVHSMEgbwwgbmAFIPGOoksgfQC151M4irAcYJkRNoOoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH 
+U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB +AQAFZY31+kexTbmbhrAYnciUZH0WXmlpu2IGnYy+T4Mi8Qp9rvXKaHhjsrxDEk/T +684wgta+gcBo9DuXXzosiGI2C4MdulaxBmXNTawdkj9zdxBbF0QfZs+o8h8YKcBf +ILbLFdQ1sbCmQahu8CmDKDtKaOW3Qi+0ipbtZYTeC3JvK5EQVn/NiV4iMMxa3zmI +qeqvHbqaij1hpsdFLc6fdvmyRZ0ZaF3n1j4yDmWDeWOBDrVEUUecp2rBWgQ287m+ +TXaAVSp2zWEVwRpfH2K1D61/SGaB63oEtAqSpED/v1k0hlwbeRC01An6RT1Pv0ww +sxjyuemNfF/AZ+qU+6wukO8N +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35: + a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c: + bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e: + 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1: + 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90: + d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a: + e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e: + 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64: + 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24: + 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4: + c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b: + 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56: + f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2: + d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4: + bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd: + 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f: + 
21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc: + 97:7f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://127.0.0.1:22220 + + Signature Algorithm: sha256WithRSAEncryption + 0f:a2:19:93:09:2f:c8:c5:91:62:2b:1e:9c:69:93:ea:5f:f1: + 5e:b8:15:8e:0f:c9:82:08:3a:6b:60:3f:ad:1b:fa:47:94:a7: + 31:33:34:6c:cf:09:63:fd:8c:de:62:c4:2e:5f:71:19:2e:a8: + 96:63:37:16:e7:bf:37:67:2d:46:36:72:d0:e4:03:a7:89:a1: + e4:4c:2f:76:31:79:0d:84:ae:c8:61:cf:98:03:2f:12:fc:17: + 60:60:88:b0:96:a0:a8:59:f5:96:1d:3d:1e:e0:c0:26:fd:1b: + 3e:42:73:ad:1d:39:0f:ff:d9:f0:71:52:e3:9a:9b:7a:b4:a2: + af:50:e7:33:7f:66:40:65:bd:31:0c:c9:21:b0:d1:3f:df:b6: + 77:e5:05:ca:24:b9:72:c9:82:c6:9f:be:12:f6:5d:39:34:b7: + 20:df:e1:24:c3:b2:fe:98:b6:d3:6c:3e:43:62:6b:e2:6d:56: + 65:99:3e:aa:2e:a8:cb:82:2d:9b:11:da:8a:b6:63:20:12:c7: + a0:5b:5d:5b:09:29:47:50:ad:4e:1f:68:29:d2:d9:0e:5f:5c: + 83:e8:e6:fd:c7:e5:f9:14:0d:14:8e:6e:34:dd:4f:ec:01:75: + 54:2d:24:c8:c6:98:c3:7f:d8:1d:4f:c5:ae:e0:b2:8e:f5:a8: + bb:4b:1f:aa +-----BEGIN CERTIFICATE----- +MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy 
+bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl +xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV +1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2 +lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt +ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7 +f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi +KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAA+iGZMJL8jFkWIrHpxpk+pf8V64FY4PyYIIOmtgP60b+keUpzEzNGzPCWP9 +jN5ixC5fcRkuqJZjNxbnvzdnLUY2ctDkA6eJoeRML3YxeQ2Ershhz5gDLxL8F2Bg +iLCWoKhZ9ZYdPR7gwCb9Gz5Cc60dOQ//2fBxUuOam3q0oq9Q5zN/ZkBlvTEMySGw +0T/ftnflBcokuXLJgsafvhL2XTk0tyDf4STDsv6YttNsPkNia+JtVmWZPqouqMuC +LZsR2oq2YyASx6BbXVsJKUdQrU4faCnS2Q5fXIPo5v3H5fkUDRSObjTdT+wBdVQt +JMjGmMN/2B1Pxa7gso71qLtLH6o= +-----END CERTIFICATE----- diff --git a/conf/ocsp-good-key.pem b/conf/ocsp-good-key.pem new file mode 100644 index 0000000..e44f631 --- /dev/null +++ b/conf/ocsp-good-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDmllV1z4qXaIy2 +OPZ6Bb4ztlFHN4r325G+kmu3AIzyxSRuGOmSAIEB3LNMKKm3gPGWzyN6L6744w8t +014j59tMsl2JFhe+voHb+xJtKEsQoBIEJ8HJ0HmV7+iNjFmbTnJ9vEkrIk74T+IM +8enpl/nfjFoKqjgdQwSjp4mh4oOkS7VORYimIl2sqVhniMHVYe+9EQUnlEe7M6WK +yu4fjcBuJK/Nyr+AR3GVrKnxXSNs9Uu0qeHEZvvlxKGfp1HReM0utD8u4oLzf8Sn +9DHPdic/2y7SbsNHI4KjSECMp8ET8GNQVEP2cRLhb6V6WCb3/Ys7cBigQ7oBa7P4 +1b4FE2QxAgMBAAECggEBAMcAl2DFbOae5FGfd5h3vF8EycCcvuKKLI4775pQb1RV +r8sU1P+cT7o7rsHblh04u0dcHVImNOu3ijISaPyz7R+UEAVve66y23/uf0iVrbL7 +cpEDfsudkFFGa30901elrEm3Za5EPcMvrfdeEHH5Jz02876giS032ZkjzjRYOSRg +TuFhiqjRTMfE6AB63KSRWcb6AYEocHV/jF+IEQcz9ctsv6XKKKJtge4+Y3+gQU4N +ALUE6OjBsD5KpMVuMYBSfTucYi5g2eOK05PoCOR8lTqgvsbof+ALj+84zEpG20aK +p0KdMVwiMolXaYcvKBOGPxZKt7sQaIMitbs0iuErMQECgYEA+cLVZh4qkRnsjPVc +/27qC/VLeWo2QAL7TWC7YgkY0MgNtZXRkJZdKOlzYWo/iJmuxHj7eUFLkoHpPNV2 +X6WG+CGHD1qq/BqLQNlJKS/MtI2VNzOjBJ/J3SktOGo3BwL+Q5uSRNHukQip0YnD +c9GCU4UhfBHr/UNitMBH6N5aPqUCgYEA7FjjTGomVseF5wNbfw2xLjBmRuQ2DDgJ +/OvCtV6it+OiVU9R+cYcz/hVl1QLIkGBHt5hb8O6np4tW5ehKd5LNTtolIO+/BLL +2xPZCLY7U+LES5dgUTC/wb5t5igAmPuOMi9qNQ1kYxbKYJVLRUdwfOM8FNE4gjZF +kj2BIb6OxZ0CgYEAmuXXvWZ2FdmTGHTPwWdDZjkyHtHdZWO0AXA9pnZn2oxH3FdX +SinHCymFsmPXlVtixV0W8UOqn+lMAruMl5MsGtWIUuBzbLj1pjlcI1wOw+ePJFY1 +AxgqdKwl7HgLOqEDmmBwnZfpMi/CSj77ZegIwM2vT6g5yK+zFtCtiGHmbDUCgYBf +L2VLbyzFolGBOk7tGnyTF5b5UguaXC9ZlzGxjc2Gtby5Etr29xy/fUorSgO55hu0 +bOdc9b0BCL9HtgeILyim5ag2t+CA8Kj9MD8mTQ4TuK5Jq0t1J2bzBliIau/irN0V +xRbHCv+1EIas4zOPUTgyc+nMkH5roqPeQ7rv9ijV2QKBgQDJiNmAJv3dlie2x+bj +rX5RDF1Q/egVVGx41jPyuzh0oFLwEQG2lSHEAKgF+gWt0ZMwNzPB9oue2LBSpNFl +7ZdpFCpzD+3OcaxnWYEGT+qNhczbf0PvVNBOzOI33Trr7maktWi0Mh9qmXqoNuwG +uCnrEriJlBk2MV88tIG/ZJ+bvQ== +-----END PRIVATE KEY----- diff --git a/conf/ocsp-root-resp-cert.pem b/conf/ocsp-root-resp-cert.pem new file mode 100644 index 0000000..b62a03c --- /dev/null +++ b/conf/ocsp-root-resp-cert.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://127.0.0.1:22220 + + Signature Algorithm: sha256WithRSAEncryption + 
99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx 
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/conf/scgi_params b/conf/scgi_params
new file mode 100644
index 0000000..6d4ce4f
--- /dev/null
+++ b/conf/scgi_params
@@ -0,0 +1,17 @@
+
+scgi_param REQUEST_METHOD $request_method;
+scgi_param REQUEST_URI $request_uri;
+scgi_param QUERY_STRING $query_string;
+scgi_param CONTENT_TYPE $content_type;
+
+scgi_param DOCUMENT_URI $document_uri;
+scgi_param DOCUMENT_ROOT $document_root;
+scgi_param SCGI 1;
+scgi_param SERVER_PROTOCOL $server_protocol;
+scgi_param REQUEST_SCHEME $scheme;
+scgi_param HTTPS $https if_not_empty;
+
+scgi_param REMOTE_ADDR $remote_addr;
+scgi_param REMOTE_PORT $remote_port;
+scgi_param SERVER_PORT $server_port;
+scgi_param SERVER_NAME $server_name;
diff --git a/conf/ticket_keys b/conf/ticket_keys
new file mode 100644
index 0000000..bfe1a6f
--- /dev/null
+++ b/conf/ticket_keys
@@ -0,0 +1 @@
+Kyu81~bS ]x1x%2\Kjy{
\ No newline at end of file
diff --git a/conf/uwsgi_params b/conf/uwsgi_params
new file mode 100644
index 0000000..09c732c
--- /dev/null
+++ b/conf/uwsgi_params
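Review bot: A session ticket encryption key is committed to the repository in conf/ticket_keys and wired into the listener on 11454 via `ssl_session_ticket_key ticket_keys;` earlier in this diff; anyone holding the repo can decrypt every ticket issued by a server that uses this file and recover the resumed sessions' secrets, so forward secrecy is gone for that listener wherever the shipped conf is reused. That is tolerable only as a test fixture, so test.sh should create the file at run time (`openssl rand 80 > conf/ticket_keys`) instead of checking in a fixed value, and the README should say the committed key must never reach a production prefix. Separately, stock nginx rejects a ticket key file that is not exactly 48 or 80 bytes; only 20 printable characters are visible here, which most likely means non-printable bytes were dropped in this view rather than that the key is short, but the length of the committed file is worth confirming.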
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/conf/win-utf b/conf/win-utf
new file mode 100644
index 0000000..ed8bc00
--- /dev/null
+++ b/conf/win-utf
@@ -0,0 +1,126 @@ + +# This map is not a full windows-1251 <> utf8 map: it does not +# contain Serbian and Macedonian letters. If you need a full map, +# use contrib/unicode2nginx/win-utf map instead. + +charset_map windows-1251 utf-8 { + + 82 E2809A ; # single low-9 quotation mark + + 84 E2809E ; # double low-9 quotation mark + 85 E280A6 ; # ellipsis + 86 E280A0 ; # dagger + 87 E280A1 ; # double dagger + 88 E282AC ; # euro + 89 E280B0 ; # per mille + + 91 E28098 ; # left single quotation mark + 92 E28099 ; # right single quotation mark + 93 E2809C ; # left double quotation mark + 94 E2809D ; # right double quotation mark + 95 E280A2 ; # bullet + 96 E28093 ; # en dash + 97 E28094 ; # em dash + + 99 E284A2 ; # trade mark sign + + A0 C2A0 ; #   + A1 D18E ; # capital Byelorussian short U + A2 D19E ; # small Byelorussian short u + + A4 C2A4 ; # currency sign + A5 D290 ; # capital Ukrainian soft G + A6 C2A6 ; # borken bar + A7 C2A7 ; # section sign + A8 D081 ; # capital YO + A9 C2A9 ; # (C) + AA D084 ; # capital Ukrainian YE + AB C2AB ; # left-pointing double angle quotation mark + AC C2AC ; # not sign + AD C2AD ; # soft hypen + AE C2AE ; # (R) + AF D087 ; # capital Ukrainian YI + + B0 C2B0 ; # ° + B1 C2B1 ; # plus-minus sign + B2 D086 ; # capital Ukrainian I + B3 D196 ; # small Ukrainian i + B4 D291 ; # small Ukrainian soft g + B5 C2B5 ; # micro sign + B6 C2B6 ; # pilcrow sign + B7 C2B7 ; # · + B8 D191 ; # small yo + B9 E28496 ; # numero sign + BA D194 ; # small Ukrainian ye + BB C2BB ; # right-pointing double angle quotation mark + + BF D197 ; # small Ukrainian yi + + C0 D090 ; # capital A + C1 D091 ; # capital B + C2 D092 ; # capital V + C3 D093 ; # capital G + C4 D094 ; # capital D + C5 D095 ; # capital YE + C6 D096 ; # capital ZH + C7 D097 ; # capital Z + C8 D098 ; # capital I + C9 D099 ; # capital J + CA D09A ; # capital K + CB D09B ; # capital L + CC D09C ; # capital M + CD D09D ; # capital N + CE D09E ; # capital O + CF D09F ; # capital P + + D0 D0A0 ; # capital 
R + D1 D0A1 ; # capital S + D2 D0A2 ; # capital T + D3 D0A3 ; # capital U + D4 D0A4 ; # capital F + D5 D0A5 ; # capital KH + D6 D0A6 ; # capital TS + D7 D0A7 ; # capital CH + D8 D0A8 ; # capital SH + D9 D0A9 ; # capital SHCH + DA D0AA ; # capital hard sign + DB D0AB ; # capital Y + DC D0AC ; # capital soft sign + DD D0AD ; # capital E + DE D0AE ; # capital YU + DF D0AF ; # capital YA + + E0 D0B0 ; # small a + E1 D0B1 ; # small b + E2 D0B2 ; # small v + E3 D0B3 ; # small g + E4 D0B4 ; # small d + E5 D0B5 ; # small ye + E6 D0B6 ; # small zh + E7 D0B7 ; # small z + E8 D0B8 ; # small i + E9 D0B9 ; # small j + EA D0BA ; # small k + EB D0BB ; # small l + EC D0BC ; # small m + ED D0BD ; # small n + EE D0BE ; # small o + EF D0BF ; # small p + + F0 D180 ; # small r + F1 D181 ; # small s + F2 D182 ; # small t + F3 D183 ; # small u + F4 D184 ; # small f + F5 D185 ; # small kh + F6 D186 ; # small ts + F7 D187 ; # small ch + F8 D188 ; # small sh + F9 D189 ; # small shch + FA D18A ; # small hard sign + FB D18B ; # small y + FC D18C ; # small soft sign + FD D18D ; # small e + FE D18E ; # small yu + FF D18F ; # small ya +} diff --git a/html/index.html b/html/index.html new file mode 100644 index 0000000..2ca3b95 --- /dev/null +++ b/html/index.html @@ -0,0 +1,25 @@ + + + +Welcome to nginx! + + + +

Welcome to nginx!

+

If you see this page, the nginx web server is successfully installed and +working. Further configuration is required.

+ +

For online documentation and support please refer to +nginx.org.
+Commercial support is available at +nginx.com.

+ +

Thank you for using nginx.

+
+
diff --git a/nginx-1.10.3-wolfssl-debug.patch b/nginx-1.10.3-wolfssl-debug.patch
new file mode 100644
index 0000000..61b87d4
--- /dev/null
+++ b/nginx-1.10.3-wolfssl-debug.patch
@@ -0,0 +1,15 @@
+diff -ur nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c nginx-1.10.3-wolfssl-debug/src/event/ngx_event_openssl.c
+--- nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 15:37:30.867368905 +1000
++++ nginx-1.10.3-wolfssl-debug/src/event/ngx_event_openssl.c 2017-04-13 15:43:02.561501608 +1000
+@@ -128,6 +128,11 @@
+
+ #endif
+
++#ifdef WOLFSSL_NGINX
++ /* Turn on internal wolfssl debugging to stdout */
++ wolfSSL_Debugging_ON();
++#endif
++
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+ #ifndef SSL_OP_NO_COMPRESSION
+ {
diff --git a/nginx-1.10.3-wolfssl.patch b/nginx-1.10.3-wolfssl.patch
new file mode 100644
index 0000000..8931542
--- /dev/null
+++ b/nginx-1.10.3-wolfssl.patch
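Review bot: The added `wolfSSL_Debugging_ON();` drops its return value, so on a wolfSSL built without debug support (the call then reports NOT_COMPILED_IN) the patch silently does nothing, and on a debug build it enables library-internal TLS tracing for the whole process with no runtime switch; the 1.11.10, 1.11.13 and 1.11.7 debug patches do the same. The comment says the output goes to stdout, but nothing in the hunk redirects it, so under a daemonised master the trace ends up wherever stdout was left pointing, which makes it worth a README sentence that these patches are for development builds only. A minimal improvement is to report the outcome, e.g. `if (wolfSSL_Debugging_ON() != 0) ngx_log_error(NGX_LOG_WARN, log, 0, "wolfSSL debugging not compiled in");`; the enclosing init function and the name of its log argument are outside the hunk, so that needs confirming against the surrounding code.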
@@ -0,0 +1,258 @@
+diff -ur nginx-1.10.3/auto/lib/openssl/conf nginx-1.10.3-wolfssl/auto/lib/openssl/conf
+--- nginx-1.10.3/auto/lib/openssl/conf 2017-02-01 01:01:11.000000000 +1000
++++ nginx-1.10.3-wolfssl/auto/lib/openssl/conf 2017-04-13 10:38:27.614124846 +1000
+@@ -53,8 +53,34 @@
+ ngx_feature_path=
+ ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
+ ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
++
++ if [ $WOLFSSL != NONE ]; then
++ ngx_feature="wolfSSL library in $WOLFSSL"
++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
++
++ if [ $NGX_RPATH = YES ]; then
++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ else
++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ fi
++
++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl $WOLFSSL/include"
++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
++ fi
++
+ . auto/feature
+
++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
++cat << END
++
++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
++SSL modules require the wolfSSL library.
++
++END
++ exit 1
++ fi
++
++
+ if [ $ngx_found = no ]; then
+
+ # FreeBSD port
+diff -ur nginx-1.10.3/auto/options nginx-1.10.3-wolfssl/auto/options
+--- nginx-1.10.3/auto/options 2017-02-01 01:01:11.000000000 +1000
++++ nginx-1.10.3-wolfssl/auto/options 2017-04-13 10:38:27.614124846 +1000
+@@ -133,6 +133,7 @@
+ PCRE_CONF_OPT=
+ PCRE_JIT=NO
+
++WOLFSSL=NONE
+ USE_OPENSSL=NO
+ OPENSSL=NONE
+
+@@ -330,6 +331,7 @@
+ --with-pcre-opt=*) PCRE_OPT="$value" ;;
+ --with-pcre-jit) PCRE_JIT=YES ;;
+
++ --with-wolfssl=*) WOLFSSL="$value" ;;
+ --with-openssl=*) OPENSSL="$value" ;;
+ --with-openssl-opt=*) OPENSSL_OPT="$value" ;;
+
+diff -ur nginx-1.10.3/src/event/ngx_event_openssl.c nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c
+--- nginx-1.10.3/src/event/ngx_event_openssl.c 2017-02-01 01:01:11.000000000 +1000
++++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 15:37:30.867368905 +1000
+@@ -55,7 +55,7 @@
+ HMAC_CTX *hctx, int enc);
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER < 0x10002002L
++#if OPENSSL_VERSION_NUMBER < 0x10002002L && !defined(WOLFSSL_NGINX)
+ static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
+ #endif
+
+@@ -304,6 +304,10 @@
+
+ SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+
++#ifdef WOLFSSL_NGINX
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
++#endif
++
+ return NGX_OK;
+ }
+
+@@ -361,8 +365,6 @@
+ return NGX_ERROR;
+ }
+
+- X509_free(x509);
+-
+ /* read rest of the chain */
+
+ for ( ;; ) {
+@@ -527,6 +529,13 @@
+ return size;
+ }
+
++ngx_int_t
++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
++{
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
++
++ return NGX_OK;
++}
+
+ ngx_int_t
+ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+@@ -2971,6 +2980,11 @@
+ ngx_ssl_cleanup_ctx(void *data)
+ {
+ ngx_ssl_t *ssl = data;
++ X509 *x509;
++
++ x509 = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
++ if (x509 != NULL)
++ X509_free(x509);
+
+ SSL_CTX_free(ssl->ctx);
+ }
+@@ -2986,7 +3000,7 @@
+ return NGX_ERROR;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10002002L
++#if OPENSSL_VERSION_NUMBER >= 0x10002002L || defined(WOLFSSL_NGINX)
+
+ /* X509_check_host() is only available in OpenSSL 1.0.2+ */
+
+@@ -3103,7 +3117,7 @@
+ }
+
+
+-#if OPENSSL_VERSION_NUMBER < 0x10002002L
++#if OPENSSL_VERSION_NUMBER < 0x10002002L && !defined(WOLFSSL_NGINX)
+
+ static ngx_int_t
+ ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
+diff -ur nginx-1.10.3/src/event/ngx_event_openssl.h nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.h
+--- nginx-1.10.3/src/event/ngx_event_openssl.h 2017-02-01 01:01:11.000000000 +1000
++++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.h 2017-04-13 15:37:15.307255249 +1000
+@@ -142,6 +142,7 @@
+ ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
+ ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
+ ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *cert, ngx_int_t depth);
+ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+diff -ur nginx-1.10.3/src/event/ngx_event_openssl_stapling.c nginx-1.10.3-wolfssl/src/event/ngx_event_openssl_stapling.c
+--- nginx-1.10.3/src/event/ngx_event_openssl_stapling.c 2017-02-01 01:01:11.000000000 +1000
++++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-04-13 15:37:15.307255249 +1000
+@@ -285,7 +285,9 @@
+ for (i = 0; i < n; i++) {
+ issuer = sk_X509_value(chain, i);
+ if (X509_check_issued(issuer, cert) == X509_V_OK) {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
++#ifdef WOLFSSL_NGINX
++ issuer = X509_dup(issuer);
++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
+ X509_up_ref(issuer);
+ #else
+ CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+diff -ur nginx-1.10.3/src/http/modules/ngx_http_proxy_module.c nginx-1.10.3-wolfssl/src/http/modules/ngx_http_proxy_module.c
+--- nginx-1.10.3/src/http/modules/ngx_http_proxy_module.c 2017-02-01 01:01:11.000000000 +1000
++++ nginx-1.10.3-wolfssl/src/http/modules/ngx_http_proxy_module.c 2017-04-13 15:37:15.315255307 +1000
+@@ -4340,6 +4340,8 @@
+ return NGX_ERROR;
+ }
+
++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
++
+ if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+ &plcf->ssl_trusted_certificate,
+ plcf->ssl_verify_depth)
+diff -ur nginx-1.10.3/src/http/modules/ngx_http_ssl_module.c nginx-1.10.3-wolfssl/src/http/modules/ngx_http_ssl_module.c
+--- nginx-1.10.3/src/http/modules/ngx_http_ssl_module.c 2017-02-01 01:01:11.000000000 +1000
++++ nginx-1.10.3-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-04-13 15:37:15.315255307 +1000
+@@ -14,7 +14,11 @@
+ ngx_pool_t *pool, ngx_str_t *s);
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
+
+ #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
+diff -ur nginx-1.10.3/src/http/ngx_http_upstream.c nginx-1.10.3-wolfssl/src/http/ngx_http_upstream.c
+--- nginx-1.10.3/src/http/ngx_http_upstream.c 2017-02-01 01:01:12.000000000 +1000
++++ nginx-1.10.3-wolfssl/src/http/ngx_http_upstream.c 2017-04-13 15:37:15.307255249 +1000
+@@ -1683,7 +1683,12 @@
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+ "upstream SSL server name: \"%s\"", name.data);
+
+- if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) {
++#ifdef WOLFSSL_NGINX
++ if (SSL_set_tlsext_host_name(c->ssl->connection, (char *)name.data) == 0)
++#else
++ if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0)
++#endif
++ {
+ ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0,
+ "SSL_set_tlsext_host_name(\"%s\") failed", name.data);
+ return NGX_ERROR;
+diff -ur nginx-1.10.3/src/mail/ngx_mail_ssl_module.c nginx-1.10.3-wolfssl/src/mail/ngx_mail_ssl_module.c
+--- nginx-1.10.3/src/mail/ngx_mail_ssl_module.c 2017-02-01 01:01:12.000000000 +1000
++++ nginx-1.10.3-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-04-13 15:37:15.319255337 +1000
+@@ -10,7 +10,11 @@
+ #include
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
+
+
+diff -ur nginx-1.10.3/src/stream/ngx_stream_proxy_module.c nginx-1.10.3-wolfssl/src/stream/ngx_stream_proxy_module.c
+--- nginx-1.10.3/src/stream/ngx_stream_proxy_module.c 2017-02-01 01:01:12.000000000 +1000
++++ nginx-1.10.3-wolfssl/src/stream/ngx_stream_proxy_module.c 2017-04-13 15:37:15.323255367 +1000
+@@ -879,8 +879,13 @@
+ ngx_log_debug1(NGX_LOG_DEBUG_STREAM, s->connection->log, 0,
+ "upstream SSL server name: \"%s\"", name.data);
+
++#ifdef WOLFSSL_NGINX
++ if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection,
++ (char *)name.data) == 0)
++#else
+ if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection, name.data)
+ == 0)
++#endif
+ {
+ ngx_ssl_error(NGX_LOG_ERR, s->connection->log, 0,
+ "SSL_set_tlsext_host_name(\"%s\") failed", name.data);
+@@ -1578,6 +1583,8 @@
+ return NGX_ERROR;
+ }
+
++ ngx_ssl_set_verify_on(cf, plcf->ssl);
++
+ if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
+ &pscf->ssl_trusted_certificate,
+ pscf->ssl_verify_depth)
+diff -ur nginx-1.10.3/src/stream/ngx_stream_ssl_module.c nginx-1.10.3-wolfssl/src/stream/ngx_stream_ssl_module.c
+--- nginx-1.10.3/src/stream/ngx_stream_ssl_module.c 2017-02-01 01:01:12.000000000 +1000
++++ nginx-1.10.3-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-04-13 15:37:15.323255367 +1000
+@@ -10,7 +10,11 @@
+ #include
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
+
+
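Review bot: In the ngx_stream_proxy_module.c hunk (`@@ -1578,6 +1583,8 @@`) the added call `ngx_ssl_set_verify_on(cf, plcf->ssl);` names `plcf`, while the surrounding lines of that function use `pscf` (`ngx_ssl_trusted_certificate(cf, pscf->ssl, ...)`); this looks copied from the http proxy hunk, and unless a `plcf` happens to be in scope there (the enclosing function starts outside the hunk) the patched stream module will not compile, or will enable verification on the wrong context. The same line appears in the 1.11.10 and 1.11.13 patches. The fix is `ngx_ssl_set_verify_on(cf, pscf->ssl);`. Separately, the wolfSSL branch of `NGX_DEFAULT_CIPHERS` in the http, mail and stream ssl modules replaces `"HIGH:!aNULL:!MD5"` with `"ALL"`, so the default suite set becomes whatever wolfSSL was compiled with rather than the curated upstream list; if wolfSSL cannot parse the upstream string, say so in a comment next to the define (`/* wolfSSL: "ALL" = every suite compiled in; set ssl_ciphers explicitly */`) and in the README so operators configure `ssl_ciphers` deliberately.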
diff --git a/nginx-1.11.10-wolfssl-debug.patch b/nginx-1.11.10-wolfssl-debug.patch
new file mode 100644
index 0000000..9bda45e
--- /dev/null
+++ b/nginx-1.11.10-wolfssl-debug.patch
@@ -0,0 +1,15 @@
+diff -ur nginx-1.11.10-wolfssl/src/event/ngx_event_openssl.c nginx-1.11.10-wolfssl-debug/src/event/ngx_event_openssl.c
+--- nginx-1.11.10-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 14:53:51.151297965 +1000
++++ nginx-1.11.10-wolfssl-debug/src/event/ngx_event_openssl.c 2017-04-13 15:43:18.269591752 +1000
+@@ -144,6 +144,11 @@
+
+ #endif
+
++#ifdef WOLFSSL_NGINX
++ /* Turn on internal wolfssl debugging to stdout */
++ wolfSSL_Debugging_ON();
++#endif
++
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+ #ifndef SSL_OP_NO_COMPRESSION
+ {
diff --git a/nginx-1.11.10-wolfssl.patch b/nginx-1.11.10-wolfssl.patch
new file mode 100644
index 0000000..34fed37
--- /dev/null
+++ b/nginx-1.11.10-wolfssl.patch
@@ -0,0 +1,179 @@ +diff -ur nginx-1.11.10/auto/lib/openssl/conf nginx-1.11.10-wolfssl/auto/lib/openssl/conf +--- nginx-1.11.10/auto/lib/openssl/conf 2017-02-15 01:36:04.000000000 +1000 ++++ nginx-1.11.10-wolfssl/auto/lib/openssl/conf 2017-03-03 12:12:59.991555289 +1000 +@@ -61,8 +61,33 @@ + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. 
++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +diff -ur nginx-1.11.10/auto/options nginx-1.11.10-wolfssl/auto/options +--- nginx-1.11.10/auto/options 2017-02-15 01:36:04.000000000 +1000 ++++ nginx-1.11.10-wolfssl/auto/options 2017-03-03 12:12:59.991555289 +1000 +@@ -141,6 +141,7 @@ + PCRE_CONF_OPT= + PCRE_JIT=NO + ++WOLFSSL=NONE + USE_OPENSSL=NO + OPENSSL=NONE + +@@ -345,6 +346,7 @@ + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +diff -ur nginx-1.11.10/src/event/ngx_event_openssl.c nginx-1.11.10-wolfssl/src/event/ngx_event_openssl.c +--- nginx-1.11.10/src/event/ngx_event_openssl.c 2017-02-15 01:36:05.000000000 +1000 ++++ nginx-1.11.10-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 14:53:51.151297965 +1000 +@@ -340,6 +340,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -648,6 +652,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +diff -ur nginx-1.11.10/src/event/ngx_event_openssl.h nginx-1.11.10-wolfssl/src/event/ngx_event_openssl.h +--- nginx-1.11.10/src/event/ngx_event_openssl.h 2017-02-15 01:36:05.000000000 +1000 ++++ nginx-1.11.10-wolfssl/src/event/ngx_event_openssl.h 2017-04-13 14:54:11.115369454 +1000 +@@ -147,6 +147,7 @@ + ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t 
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff -ur nginx-1.11.10/src/event/ngx_event_openssl_stapling.c nginx-1.11.10-wolfssl/src/event/ngx_event_openssl_stapling.c +--- nginx-1.11.10/src/event/ngx_event_openssl_stapling.c 2017-02-15 01:36:05.000000000 +1000 ++++ nginx-1.11.10-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-03-03 12:12:59.991555289 +1000 +@@ -313,7 +313,9 @@ + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff -ur nginx-1.11.10/src/http/modules/ngx_http_proxy_module.c nginx-1.11.10-wolfssl/src/http/modules/ngx_http_proxy_module.c +--- nginx-1.11.10/src/http/modules/ngx_http_proxy_module.c 2017-02-15 01:36:05.000000000 +1000 ++++ nginx-1.11.10-wolfssl/src/http/modules/ngx_http_proxy_module.c 2017-04-13 14:54:56.619532795 +1000 +@@ -4370,6 +4370,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +diff -ur nginx-1.11.10/src/http/modules/ngx_http_ssl_module.c nginx-1.11.10-wolfssl/src/http/modules/ngx_http_ssl_module.c +--- nginx-1.11.10/src/http/modules/ngx_http_ssl_module.c 2017-02-15 01:36:05.000000000 +1000 ++++ nginx-1.11.10-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-03-03 12:12:59.991555289 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" 
+diff -ur nginx-1.11.10/src/mail/ngx_mail_ssl_module.c nginx-1.11.10-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx-1.11.10/src/mail/ngx_mail_ssl_module.c 2017-02-15 01:36:05.000000000 +1000 ++++ nginx-1.11.10-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-03-03 12:12:59.991555289 +1000 +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff -ur nginx-1.11.10/src/stream/ngx_stream_proxy_module.c nginx-1.11.10-wolfssl/src/stream/ngx_stream_proxy_module.c +--- nginx-1.11.10/src/stream/ngx_stream_proxy_module.c 2017-02-15 01:36:06.000000000 +1000 ++++ nginx-1.11.10-wolfssl/src/stream/ngx_stream_proxy_module.c 2017-04-13 14:56:13.979811627 +1000 +@@ -2001,6 +2001,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +diff -ur nginx-1.11.10/src/stream/ngx_stream_ssl_module.c nginx-1.11.10-wolfssl/src/stream/ngx_stream_ssl_module.c +--- nginx-1.11.10/src/stream/ngx_stream_ssl_module.c 2017-02-15 01:36:06.000000000 +1000 ++++ nginx-1.11.10-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-03-03 12:12:59.991555289 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + diff --git a/nginx-1.11.13-wolfssl-debug.patch b/nginx-1.11.13-wolfssl-debug.patch new file mode 100644 index 0000000..2d4ecba --- /dev/null +++ b/nginx-1.11.13-wolfssl-debug.patch 
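Review bot: The `SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);` added to ngx_ssl_create under `WOLFSSL_NGINX` carries no comment, and together with the new `ngx_ssl_set_verify_on()` it splits the verification policy across two places, so a reader cannot tell from the hunk why the wolfSSL build needs an explicit no-verify default (presumably wolfSSL client contexts verify the peer by default, which the surrounding OpenSSL-oriented code does not expect — worth confirming). Suggest `/* wolfSSL verifies the peer by default; match OpenSSL's default here and opt in per context via ngx_ssl_set_verify_on() */` above the call, plus a one-line header comment on `ngx_ssl_set_verify_on` noting that `cf` is unused and the function always returns NGX_OK, since both callers in this patch drop the result. The same applies to the 1.10.3, 1.11.13 and 1.11.7 patches. The ngx_ssl_create body starts outside the hunk.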
@@ -0,0 +1,15 @@
+diff -ur nginx-1.11.13-wolfssl/src/event/ngx_event_openssl.c nginx-1.11.13-wolfssl-debug/src/event/ngx_event_openssl.c
+--- nginx-1.11.13-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 15:07:53.569430271 +1000
++++ nginx-1.11.13-wolfssl-debug/src/event/ngx_event_openssl.c 2017-04-13 15:43:20.801606211 +1000
+@@ -144,6 +144,11 @@
+
+ #endif
+
++#ifdef WOLFSSL_NGINX
++ /* Turn on internal wolfssl debugging to stdout */
++ wolfSSL_Debugging_ON();
++#endif
++
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+ #ifndef SSL_OP_NO_COMPRESSION
+ {
diff --git a/nginx-1.11.13-wolfssl.patch b/nginx-1.11.13-wolfssl.patch
new file mode 100644
index 0000000..1893565
--- /dev/null
+++ b/nginx-1.11.13-wolfssl.patch
@@ -0,0 +1,187 @@ +diff -ur nginx-1.11.13/auto/lib/openssl/conf nginx-1.11.13-wolfssl/auto/lib/openssl/conf +--- nginx-1.11.13/auto/lib/openssl/conf 2017-04-05 01:01:57.000000000 +1000 ++++ nginx-1.11.13-wolfssl/auto/lib/openssl/conf 2017-04-13 09:30:40.072107746 +1000 +@@ -61,8 +61,33 @@ + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. 
++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +diff -ur nginx-1.11.13/auto/options nginx-1.11.13-wolfssl/auto/options +--- nginx-1.11.13/auto/options 2017-04-05 01:01:57.000000000 +1000 ++++ nginx-1.11.13-wolfssl/auto/options 2017-04-13 09:32:55.964864689 +1000 +@@ -143,6 +143,7 @@ + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -345,6 +346,7 @@ + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -563,6 +565,7 @@ + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +diff -ur nginx-1.11.13/src/event/ngx_event_openssl.c nginx-1.11.13-wolfssl/src/event/ngx_event_openssl.c +--- nginx-1.11.13/src/event/ngx_event_openssl.c 2017-04-05 01:01:57.000000000 +1000 ++++ nginx-1.11.13-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 15:07:53.569430271 +1000 +@@ -340,6 +340,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -648,6 +652,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +diff -ur nginx-1.11.13/src/event/ngx_event_openssl.h nginx-1.11.13-wolfssl/src/event/ngx_event_openssl.h +--- nginx-1.11.13/src/event/ngx_event_openssl.h 2017-04-05 01:01:57.000000000 +1000 ++++ 
nginx-1.11.13-wolfssl/src/event/ngx_event_openssl.h 2017-04-13 15:08:11.385467468 +1000 +@@ -147,6 +147,7 @@ + ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff -ur nginx-1.11.13/src/event/ngx_event_openssl_stapling.c nginx-1.11.13-wolfssl/src/event/ngx_event_openssl_stapling.c +--- nginx-1.11.13/src/event/ngx_event_openssl_stapling.c 2017-04-05 01:01:57.000000000 +1000 ++++ nginx-1.11.13-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-04-13 09:34:30.857357204 +1000 +@@ -313,7 +313,9 @@ + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff -ur nginx-1.11.13/src/http/modules/ngx_http_proxy_module.c nginx-1.11.13-wolfssl/src/http/modules/ngx_http_proxy_module.c +--- nginx-1.11.13/src/http/modules/ngx_http_proxy_module.c 2017-04-05 01:01:58.000000000 +1000 ++++ nginx-1.11.13-wolfssl/src/http/modules/ngx_http_proxy_module.c 2017-04-13 15:08:43.989537529 +1000 +@@ -4371,6 +4371,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +diff -ur nginx-1.11.13/src/http/modules/ngx_http_ssl_module.c nginx-1.11.13-wolfssl/src/http/modules/ngx_http_ssl_module.c +--- nginx-1.11.13/src/http/modules/ngx_http_ssl_module.c 2017-04-05 01:01:58.000000000 +1000 ++++ 
nginx-1.11.13-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-04-13 09:35:07.345539975 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +diff -ur nginx-1.11.13/src/mail/ngx_mail_ssl_module.c nginx-1.11.13-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx-1.11.13/src/mail/ngx_mail_ssl_module.c 2017-04-05 01:01:58.000000000 +1000 ++++ nginx-1.11.13-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-04-13 09:35:28.825646018 +1000 +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff -ur nginx-1.11.13/src/stream/ngx_stream_proxy_module.c nginx-1.11.13-wolfssl/src/stream/ngx_stream_proxy_module.c +--- nginx-1.11.13/src/stream/ngx_stream_proxy_module.c 2017-04-05 01:01:58.000000000 +1000 ++++ nginx-1.11.13-wolfssl/src/stream/ngx_stream_proxy_module.c 2017-04-13 15:09:06.433587186 +1000 +@@ -2001,6 +2001,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +diff -ur nginx-1.11.13/src/stream/ngx_stream_ssl_module.c nginx-1.11.13-wolfssl/src/stream/ngx_stream_ssl_module.c +--- nginx-1.11.13/src/stream/ngx_stream_ssl_module.c 2017-04-05 01:01:58.000000000 +1000 ++++ nginx-1.11.13-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-04-13 09:35:48.089740189 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + 
diff --git a/nginx-1.11.7-wolfssl-debug.patch b/nginx-1.11.7-wolfssl-debug.patch
new file mode 100644
index 0000000..59991f6
--- /dev/null
+++ b/nginx-1.11.7-wolfssl-debug.patch
@@ -0,0 +1,15 @@
+diff -ur nginx-1.11.7-wolfssl/src/event/ngx_event_openssl.c nginx-1.11.7-wolfssl-debug/src/event/ngx_event_openssl.c
+--- nginx-1.11.7-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 14:47:08.313886491 +1000
++++ nginx-1.11.7-wolfssl-debug/src/event/ngx_event_openssl.c 2017-04-13 15:43:23.309620512 +1000
+@@ -134,6 +134,11 @@
+
+ #endif
+
++#ifdef WOLFSSL_NGINX
++ /* Turn on internal wolfssl debugging to stdout */
++ wolfSSL_Debugging_ON();
++#endif
++
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+ #ifndef SSL_OP_NO_COMPRESSION
+ {
diff --git a/nginx-1.11.7-wolfssl.patch b/nginx-1.11.7-wolfssl.patch
new file mode 100644
index 0000000..0ffc47e
--- /dev/null
+++ b/nginx-1.11.7-wolfssl.patch
@@ -0,0 +1,179 @@
+diff -ur nginx-1.11.7/auto/lib/openssl/conf nginx-1.11.7-wolfssl/auto/lib/openssl/conf
+--- nginx-1.11.7/auto/lib/openssl/conf 2016-12-14 01:21:24.000000000 +1000
++++ nginx-1.11.7-wolfssl/auto/lib/openssl/conf 2017-01-17 16:09:53.864946344 +1000
+@@ -53,8 +53,33 @@
+ ngx_feature_path=
+ ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
+ ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
++
++ if [ $WOLFSSL != NONE ]; then
++ ngx_feature="wolfSSL library in $WOLFSSL"
++ ngx_feature_path="$WOLFSSL/include/wolfssl"
++
++ if [ $NGX_RPATH = YES ]; then
++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ else
++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ fi
++
++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
++ fi
++
+ . auto/feature
+
++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
++cat << END
++
++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
++SSL modules require the wolfSSL library.
++
++END
++ exit 1
++ fi
++
+ if [ $ngx_found = no ]; then
+
+ # FreeBSD port
+diff -ur nginx-1.11.7/auto/options nginx-1.11.7-wolfssl/auto/options
+--- nginx-1.11.7/auto/options 2016-12-14 01:21:24.000000000 +1000
++++ nginx-1.11.7-wolfssl/auto/options 2017-01-17 16:09:53.864946344 +1000
+@@ -141,6 +141,7 @@
+ PCRE_CONF_OPT=
+ PCRE_JIT=NO
+
++WOLFSSL=NONE
+ USE_OPENSSL=NO
+ OPENSSL=NONE
+
+@@ -345,6 +346,7 @@
+ --with-pcre-opt=*) PCRE_OPT="$value" ;;
+ --with-pcre-jit) PCRE_JIT=YES ;;
+
++ --with-wolfssl=*) WOLFSSL="$value" ;;
+ --with-openssl=*) OPENSSL="$value" ;;
+ --with-openssl-opt=*) OPENSSL_OPT="$value" ;;
+
+diff -ur nginx-1.11.7/src/event/ngx_event_openssl.c nginx-1.11.7-wolfssl/src/event/ngx_event_openssl.c
+--- nginx-1.11.7/src/event/ngx_event_openssl.c 2016-12-14 01:21:24.000000000 +1000
++++ nginx-1.11.7-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 14:47:08.313886491 +1000
+@@ -330,6 +330,10 @@
+
+ SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+
++#ifdef WOLFSSL_NGINX
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
++#endif
++
+ return NGX_OK;
+ }
+
+@@ -638,6 +642,14 @@
+
+
+ ngx_int_t
++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
++{
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
++
++ return NGX_OK;
++}
++
++ngx_int_t
+ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+ ngx_int_t depth)
+ {
+diff -ur nginx-1.11.7/src/event/ngx_event_openssl.h nginx-1.11.7-wolfssl/src/event/ngx_event_openssl.h
+--- nginx-1.11.7/src/event/ngx_event_openssl.h 2016-12-14 01:21:24.000000000 +1000
++++ nginx-1.11.7-wolfssl/src/event/ngx_event_openssl.h 2017-04-13 14:49:57.150469616 +1000
+@@ -146,6 +146,7 @@
+ ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
+ ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
+ ngx_uint_t prefer_server_ciphers);
++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
+ ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *cert, ngx_int_t depth);
+ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+diff -ur nginx-1.11.7/src/event/ngx_event_openssl_stapling.c nginx-1.11.7-wolfssl/src/event/ngx_event_openssl_stapling.c
+--- nginx-1.11.7/src/event/ngx_event_openssl_stapling.c 2016-12-14 01:21:24.000000000 +1000
++++ nginx-1.11.7-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-01-17 16:09:53.864946344 +1000
+@@ -313,7 +313,9 @@
+ for (i = 0; i < n; i++) {
+ issuer = sk_X509_value(chain, i);
+ if (X509_check_issued(issuer, cert) == X509_V_OK) {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
++#ifdef WOLFSSL_NGINX
++ issuer = X509_dup(issuer);
++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
+ X509_up_ref(issuer);
+ #else
+ CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+diff -ur nginx-1.11.7/src/http/modules/ngx_http_proxy_module.c nginx-1.11.7-wolfssl/src/http/modules/ngx_http_proxy_module.c
+--- nginx-1.11.7/src/http/modules/ngx_http_proxy_module.c 2016-12-14 01:21:24.000000000 +1000
++++ nginx-1.11.7-wolfssl/src/http/modules/ngx_http_proxy_module.c 2017-04-13 14:48:59.546269024 +1000
+@@ -4359,6 +4359,8 @@
+ return NGX_ERROR;
+ }
+
++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
++
+ if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+ &plcf->ssl_trusted_certificate,
+ plcf->ssl_verify_depth)
+diff -ur nginx-1.11.7/src/http/modules/ngx_http_ssl_module.c nginx-1.11.7-wolfssl/src/http/modules/ngx_http_ssl_module.c
+--- nginx-1.11.7/src/http/modules/ngx_http_ssl_module.c 2016-12-14 01:21:24.000000000 +1000
++++ nginx-1.11.7-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-01-17 16:09:53.864946344 +1000
+@@ -14,7 +14,11 @@
+ ngx_pool_t *pool, ngx_str_t *s);
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "auto"
+
+ #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
+diff -ur nginx-1.11.7/src/mail/ngx_mail_ssl_module.c nginx-1.11.7-wolfssl/src/mail/ngx_mail_ssl_module.c
+--- nginx-1.11.7/src/mail/ngx_mail_ssl_module.c 2016-12-14 01:21:25.000000000 +1000
++++ nginx-1.11.7-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-01-17 16:09:53.864946344 +1000
+@@ -10,7 +10,11 @@
+ #include
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "auto"
+
+
+diff -ur nginx-1.11.7/src/stream/ngx_stream_proxy_module.c nginx-1.11.7-wolfssl/src/stream/ngx_stream_proxy_module.c
+--- nginx-1.11.7/src/stream/ngx_stream_proxy_module.c 2016-12-14 01:21:25.000000000 +1000
++++ nginx-1.11.7-wolfssl/src/stream/ngx_stream_proxy_module.c 2017-04-13 14:51:24.850777768 +1000
+@@ -1995,6 +1995,8 @@
+ return NGX_ERROR;
+ }
+
++ ngx_ssl_set_verify_on(cf, plcf->ssl);
++
+ if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
+ &pscf->ssl_trusted_certificate,
+ pscf->ssl_verify_depth)
+diff -ur nginx-1.11.7/src/stream/ngx_stream_ssl_module.c nginx-1.11.7-wolfssl/src/stream/ngx_stream_ssl_module.c
+--- nginx-1.11.7/src/stream/ngx_stream_ssl_module.c 2016-12-14 01:21:25.000000000 +1000
++++ nginx-1.11.7-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-01-17 16:09:53.864946344 +1000
+@@ -14,7 +14,11 @@
+ ngx_pool_t *pool, ngx_str_t *s);
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "auto"
+
+
diff --git a/nginx-1.12.0-wolfssl-debug.patch b/nginx-1.12.0-wolfssl-debug.patch
new file mode 100644
index 0000000..13d93ff
--- /dev/null
+++ b/nginx-1.12.0-wolfssl-debug.patch
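Review bot: In the ngx_stream_proxy_module.c hunk the added call is `ngx_ssl_set_verify_on(cf, plcf->ssl);` while the surrounding context lines use `pscf->ssl`; unless `plcf` is declared elsewhere in that function (which lies outside the hunk) this will not compile for the stream module, and it should read `ngx_ssl_set_verify_on(cf, pscf->ssl);`. The new wolfSSL default `#define NGX_DEFAULT_CIPHERS "ALL"` in the http, mail and stream ssl modules drops the `!aNULL:!MD5` exclusions of the OpenSSL default, so whatever suites the wolfSSL build enables — anonymous or MD5 suites included, if compiled in — become the default for any server block that does not set ssl_ciphers; a comment stating why "HIGH:!aNULL:!MD5" cannot be used with wolfSSL, or a narrower explicit list, would help operators judge the default. In the stapling hunk `issuer = X509_dup(issuer);` can return NULL on allocation failure, and unlike the up-ref branches the pointer is presumably stored and used by the rest of the function outside the hunk, so a NULL check before continuing is warranted. The same three points apply to nginx-1.12.0-wolfssl.patch below and to the nginx-1.11.13-wolfssl.patch hunks above.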
@@ -0,0 +1,15 @@
+diff -ur nginx-1.12.0-wolfssl/src/event/ngx_event_openssl.c nginx-1.12.0-wolfssl-debug/src/event/ngx_event_openssl.c
+--- nginx-1.12.0-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 15:05:43.741185370 +1000
++++ nginx-1.12.0-wolfssl-debug/src/event/ngx_event_openssl.c 2017-04-13 15:43:26.645639503 +1000
+@@ -144,6 +144,11 @@
+
+ #endif
+
++#ifdef WOLFSSL_NGINX
++ /* Turn on internal wolfssl debugging to stdout */
++ wolfSSL_Debugging_ON();
++#endif
++
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+ #ifndef SSL_OP_NO_COMPRESSION
+ {
diff --git a/nginx-1.12.0-wolfssl.patch b/nginx-1.12.0-wolfssl.patch
new file mode 100644
index 0000000..93c56e3
--- /dev/null
+++ b/nginx-1.12.0-wolfssl.patch
@@ -0,0 +1,187 @@
+diff -ur nginx-1.12.0/auto/lib/openssl/conf nginx-1.12.0-wolfssl/auto/lib/openssl/conf
+--- nginx-1.12.0/auto/lib/openssl/conf 2017-04-13 00:46:01.000000000 +1000
++++ nginx-1.12.0-wolfssl/auto/lib/openssl/conf 2017-04-13 09:53:49.670278950 +1000
+@@ -61,8 +61,33 @@
+ ngx_feature_path=
+ ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
+ ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
++
++ if [ $WOLFSSL != NONE ]; then
++ ngx_feature="wolfSSL library in $WOLFSSL"
++ ngx_feature_path="$WOLFSSL/include/wolfssl"
++
++ if [ $NGX_RPATH = YES ]; then
++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ else
++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ fi
++
++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
++ fi
++
+ . auto/feature
+
++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
++cat << END
++
++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
++SSL modules require the wolfSSL library.
++
++END
++ exit 1
++ fi
++
+ if [ $ngx_found = no ]; then
+
+ # FreeBSD port
+diff -ur nginx-1.12.0/auto/options nginx-1.12.0-wolfssl/auto/options
+--- nginx-1.12.0/auto/options 2017-04-13 00:46:01.000000000 +1000
++++ nginx-1.12.0-wolfssl/auto/options 2017-04-13 09:52:52.646047189 +1000
+@@ -143,6 +143,7 @@
+
+ USE_OPENSSL=NO
+ OPENSSL=NONE
++WOLFSSL=NONE
+
+ USE_ZLIB=NO
+ ZLIB=NONE
+@@ -345,6 +346,7 @@
+ --with-pcre-opt=*) PCRE_OPT="$value" ;;
+ --with-pcre-jit) PCRE_JIT=YES ;;
+
++ --with-wolfssl=*) WOLFSSL="$value" ;;
+ --with-openssl=*) OPENSSL="$value" ;;
+ --with-openssl-opt=*) OPENSSL_OPT="$value" ;;
+
+@@ -563,6 +565,7 @@
+ --with-libatomic force libatomic_ops library usage
+ --with-libatomic=DIR set path to libatomic_ops library sources
+
++ --with-wolfssl=DIR set path to wolfSSL headers and library
+ --with-openssl=DIR set path to OpenSSL library sources
+ --with-openssl-opt=OPTIONS set additional build options for OpenSSL
+
+diff -ur nginx-1.12.0/src/event/ngx_event_openssl.c nginx-1.12.0-wolfssl/src/event/ngx_event_openssl.c
+--- nginx-1.12.0/src/event/ngx_event_openssl.c 2017-04-13 00:46:01.000000000 +1000
++++ nginx-1.12.0-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 15:05:43.741185370 +1000
+@@ -340,6 +340,10 @@
+
+ SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+
++#ifdef WOLFSSL_NGINX
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
++#endif
++
+ return NGX_OK;
+ }
+
+@@ -648,6 +652,14 @@
+
+
+ ngx_int_t
++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
++{
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
++
++ return NGX_OK;
++}
++
++ngx_int_t
+ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+ ngx_int_t depth)
+ {
+diff -ur nginx-1.12.0/src/event/ngx_event_openssl.h nginx-1.12.0-wolfssl/src/event/ngx_event_openssl.h
+--- nginx-1.12.0/src/event/ngx_event_openssl.h 2017-04-13 00:46:01.000000000 +1000
++++ nginx-1.12.0-wolfssl/src/event/ngx_event_openssl.h 2017-04-13 15:06:02.777218149 +1000
+@@ -147,6 +147,7 @@
+ ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
+ ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
+ ngx_uint_t prefer_server_ciphers);
++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
+ ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *cert, ngx_int_t depth);
+ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+diff -ur nginx-1.12.0/src/event/ngx_event_openssl_stapling.c nginx-1.12.0-wolfssl/src/event/ngx_event_openssl_stapling.c
+--- nginx-1.12.0/src/event/ngx_event_openssl_stapling.c 2017-04-13 00:46:01.000000000 +1000
++++ nginx-1.12.0-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-04-13 09:54:56.830970748 +1000
+@@ -313,7 +313,9 @@
+ for (i = 0; i < n; i++) {
+ issuer = sk_X509_value(chain, i);
+ if (X509_check_issued(issuer, cert) == X509_V_OK) {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
++#ifdef WOLFSSL_NGINX
++ issuer = X509_dup(issuer);
++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
+ X509_up_ref(issuer);
+ #else
+ CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+diff -ur nginx-1.12.0/src/http/modules/ngx_http_proxy_module.c nginx-1.12.0-wolfssl/src/http/modules/ngx_http_proxy_module.c
+--- nginx-1.12.0/src/http/modules/ngx_http_proxy_module.c 2017-04-13 00:46:02.000000000 +1000
++++ nginx-1.12.0-wolfssl/src/http/modules/ngx_http_proxy_module.c 2017-04-13 15:06:24.397256759 +1000
+@@ -4371,6 +4371,8 @@
+ return NGX_ERROR;
+ }
+
++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
++
+ if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+ &plcf->ssl_trusted_certificate,
+ plcf->ssl_verify_depth)
+diff -ur nginx-1.12.0/src/http/modules/ngx_http_ssl_module.c nginx-1.12.0-wolfssl/src/http/modules/ngx_http_ssl_module.c
+--- nginx-1.12.0/src/http/modules/ngx_http_ssl_module.c 2017-04-13 00:46:02.000000000 +1000
++++ nginx-1.12.0-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-04-13 09:56:08.267656857 +1000
+@@ -14,7 +14,11 @@
+ ngx_pool_t *pool, ngx_str_t *s);
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "auto"
+
+ #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
+diff -ur nginx-1.12.0/src/mail/ngx_mail_ssl_module.c nginx-1.12.0-wolfssl/src/mail/ngx_mail_ssl_module.c
+--- nginx-1.12.0/src/mail/ngx_mail_ssl_module.c 2017-04-13 00:46:02.000000000 +1000
++++ nginx-1.12.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-04-13 09:56:36.643916645 +1000
+@@ -10,7 +10,11 @@
+ #include
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "auto"
+
+
+diff -ur nginx-1.12.0/src/stream/ngx_stream_proxy_module.c nginx-1.12.0-wolfssl/src/stream/ngx_stream_proxy_module.c
+--- nginx-1.12.0/src/stream/ngx_stream_proxy_module.c 2017-04-13 00:46:02.000000000 +1000
++++ nginx-1.12.0-wolfssl/src/stream/ngx_stream_proxy_module.c 2017-04-13 15:07:12.337347314 +1000
+@@ -2001,6 +2001,8 @@
+ return NGX_ERROR;
+ }
+
++ ngx_ssl_set_verify_on(cf, plcf->ssl);
++
+ if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
+ &pscf->ssl_trusted_certificate,
+ pscf->ssl_verify_depth)
+diff -ur nginx-1.12.0/src/stream/ngx_stream_ssl_module.c nginx-1.12.0-wolfssl/src/stream/ngx_stream_ssl_module.c
+--- nginx-1.12.0/src/stream/ngx_stream_ssl_module.c 2017-04-13 00:46:02.000000000 +1000
++++ nginx-1.12.0-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-04-13 09:57:09.364207951 +1000
+@@ -14,7 +14,11 @@
+ ngx_pool_t *pool, ngx_str_t *s);
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "auto"
+
+
diff --git a/ssl_ecc.t b/ssl_ecc.t
new file mode 100644
index 0000000..e72ccdd
--- /dev/null
+++ b/ssl_ecc.t
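Review bot: The `SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);` added to ngx_ssl_create and the new `ngx_ssl_set_verify_on()` carry no comment explaining why they are needed, and the call sites in the http and stream proxy modules are not under `#ifdef WOLFSSL_NGINX`, so OpenSSL builds now also set SSL_VERIFY_PEER just before `ngx_ssl_trusted_certificate()`, which as far as I recall already does that itself. If the intent is that wolfSSL verifies the peer by default while nginx expects verification off until proxy_ssl_verify or ssl_verify_client turns it on, a comment such as `/* wolfSSL verifies peers by default; nginx enables verification explicitly via ngx_ssl_set_verify_on() / ngx_ssl_client_certificate() */` above the new block in ngx_ssl_create would make that contract visible, and the helper could then be limited to the wolfSSL build or documented as a deliberate no-op elsewhere. The `--with-wolfssl=DIR` help line added in the third auto/options hunk here is missing from nginx-1.11.7-wolfssl.patch, which only adds the option parsing. The enclosing functions of these hunks start and end outside the hunks.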
@@ -0,0 +1,185 @@ +#!/usr/bin/perl + +# (C) Sean Parkinson +# (C) wolfSSL, Inc. + +# Tests for http ssl module. + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +eval { require IO::Socket::SSL; }; +plan(skip_all => 'IO::Socket::SSL not installed') if $@; +eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; +plan(skip_all => 'IO::Socket::SSL too old') if $@; + +my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) + ->has_daemon('openssl'); + +$t->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + ssl_session_tickets off; + + server { + listen 127.0.0.1:8080 ssl; + server_name localhost; + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + ssl_session_cache shared:SSL:1m; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA; + + location /cipher { + return 200 "body $ssl_cipher"; + } + } +} + +EOF + +$t->write_file('openssl.conf', <testdir(); + +$t->write_file('ca.conf', <write_file('certserial', '1000'); +$t->write_file('certindex', ''); + +system("openssl ecparam -genkey -name prime256v1 -out '$d/issuer.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create ECC public key for issuer: $!\n"; +system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=issuer/' " + . "-out '$d/issuer.crt' -key '$d/issuer.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for issuer: $!\n"; + +system("openssl ecparam -genkey -name prime256v1 -out '$d/subject.key' " + . 
">>$d/openssl.out 2>&1") == 0 + or die "Can't create ECC public key for subject: $!\n"; +system("openssl req -new " + . "-config '$d/openssl.conf' -subj '/CN=subject/' " + . "-out '$d/subject.csr' -key '$d/subject.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for subject: $!\n"; + +system("openssl ca -batch -config '$d/ca.conf' " + . "-keyfile '$d/issuer.key' -cert '$d/issuer.crt' " + . "-subj '/CN=subject/' -in '$d/subject.csr' -out '$d/subject.crt' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't sign certificate for subject: $!\n"; + +foreach my $name ('localhost') { + system("openssl ecparam -genkey -name prime256v1 " + . "-out '$d/$name.key' >>$d/openssl.out 2>&1") == 0 + or die "Can't create ECC public key for $name: $!\n"; + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=$name/' " + . "-out '$d/$name.crt' -key '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +my $ctx = new IO::Socket::SSL::SSL_Context( + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), + SSL_session_cache_size => 100); + +$t->try_run('no ssl_ecc')->plan(1); + +############################################################################### + +like(get('/cipher', 8080), qr/^body [\w-]+$/m, 'cipher'); + +############################################################################### + +sub get { + my ($uri, $port) = @_; + my $s = get_ssl_socket($ctx, port($port)) or return; + http_get($uri, socket => $s); +} + +sub cert { + my ($uri, $port) = @_; + my $s = get_ssl_socket(undef, port($port), + SSL_cert_file => "$d/subject.crt", + SSL_key_file => "$d/subject.key") or return; + http_get($uri, socket => $s); +} + +sub get_ssl_socket { + my ($ctx, $port, %extra) = @_; + my $s; + + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + alarm(2); + $s = IO::Socket::SSL->new( + Proto => 'tcp', + PeerAddr => '127.0.0.1', + PeerPort 
=> $port, + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), + SSL_reuse_ctx => $ctx, + SSL_error_trap => sub { die $_[1] }, + %extra + ); + alarm(0); + }; + alarm(0); + + if ($@) { + log_in("died: $@"); + return undef; + } + + return $s; +} + +############################################################################### diff --git a/test.sh b/test.sh new file mode 100755 index 0000000..495337c --- /dev/null +++ b/test.sh 
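Review bot: The single assertion `like(get('/cipher', 8080), qr/^body [\w-]+$/m, 'cipher');` accepts any cipher name, so it does not check that an ECDSA suite was negotiated even though the server block limits ssl_ciphers to the two ECDHE-ECDSA suites; matching the prefix, e.g. `qr/^body ECDHE-ECDSA-AES128-(GCM-SHA256|SHA)$/m`, would make the ECC test meaningful (assuming $ssl_cipher reports the OpenSSL-style name under wolfSSL, which is worth confirming). The CA setup (ca.conf, certserial, certindex, the issuer and subject key and certificate generation) and the `cert()` helper are never exercised by the one planned test, so either a client-certificate case should be added or that setup dropped to keep the test honest about what it covers. The openssl.conf and ca.conf heredocs appear truncated in this rendering (`<testdir();`), so the committed file content should be checked against the repository rather than this view.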
@@ -0,0 +1,405 @@ +#!/bin/bash + +NGINX_SRC="../nginx" +if [ "$NGINX_BIN" = "" ]; then + NGINX_BIN="${NGINX_SRC}/objs/nginx" +fi +if [ "$WOLFSSL_SOURCE" = "" ]; then + WOLFSSL_SOURCE="../wolfssl" +fi +WOLFSSL_CLIENT="./examples/client/client" +WOLFSSL_OCSP_CERTS="${WOLFSSL_SOURCE}/certs/ocsp" +NGINX_CONF="./conf" +CLIENT_TMP="/tmp/nginx_client.$$" +SERVER_TMP="/tmp/nginx_server.$$" +OCSP_GOOD="ocsp-good-status.der" +OCSP_BAD="ocsp-bad-status.der" +WN_PATH=`pwd` +WN_OCSP_GOOD="$WN_PATH/conf/$OCSP_GOOD" +WN_OCSP_BAD="$WN_PATH/conf/$OCSP_BAD" +WN_LOGS="$WN_PATH/logs" +WN_ERROR_LOG="$WN_LOGS/error.log" +HOST="127.0.0.1" +if [ "$IPV6" != "" ]; then + HOST="::ffff:127.0.0.1" +fi + + +if [ ! -f $NGINX_BIN ]; then + echo "Could not find Nginx exe: ${NGINX_BIN}" + echo "Stopping - FAIL" + exit 1 +fi +echo "Ngninx binary: $NGINX_BIN" +echo "wolfSSL Source directory: $WOLFSSL_SOURCE" +if [ ! -d $WOLFSSL_SOURCE ]; then + echo "Could not find wolfSSL source directory: ${WOLFSSL_SOURCE}" + echo "Stopping - FAIL" + exit 1 +fi +if [ ! -d $WOLFSSL_OCSP_CERTS ]; then + echo "Could not find OCSP certs path: ${WOLFSSL_OCSP_CERTS}" + echo "Stopping - FAIL" + exit 1 +fi +echo "Changing into wolfSSL source directory" +cd $WOLFSSL_SOURCE +if [ ! -e $WOLFSSL_CLIENT ]; then + echo "Could not find wolfSSL client: ${WOLFSSL_CLIENT}" + echo "Stopping - FAIL" + exit 1 +fi +OPENSSL=`which openssl` +if [ "$?" = "1" ]; then + echo "Could not find openssl superapp" + echo "Stopping - FAIL" + exit 1 +fi +echo "OpenSSL superapp found: $OPENSSL" +echo + +if [ ! -d $WN_LOGS ]; then + echo "Making directory: ${WN_LOGS}" + mkdir ${WN_LOGS} +fi + +# Number of minutes OCSP responses will be valid for +VALID_MIN=60 + +declare -a EXPECT +declare -a EXPECT_SERVER +declare -a EXP + +SERVER_PID=0 +OCSP_PID=0 + +PASS=0 +FAIL=0 +UNKNOWN=0 + +run_nginx() { + # valgrind --leak-check=full + ${NGINX_BIN} -p ${WN_PATH} \ + -g "error_log ${WN_ERROR_LOG} debug;" \ + ${NGINX_OPTS} + RES=$? 
+} + +do_cleanup() { + echo "# In cleanup" + + NGINX_OPTS="-s stop" + run_nginx + + rm -f $CLIENT_TMP + rm -f $SERVER_TMP + + if [ $SERVER_PID != '0' ] + then + echo "# Killing server" + kill -9 $SERVER_PID + fi + if [ $OCSP_PID != '0' ] + then + echo "# Killing OCSP responder" + kill -9 $OCSP_PID + fi + + cd $WN_PATH + rm -rf client_body_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp +} + +do_trap() { + echo "# Got trap" + do_cleanup + exit 1 +} + +trap do_trap INT TERM + +check_log() { + DUMP_LOG="no" + if [ "$EXP" != "" ]; then + for I in ${!EXP[@]} + do + if grep "${EXP[$I]}" $LOG; then + echo "# PASS: Found: ${EXP[$I]}" + echo + PASS=$(($PASS + 1)) + else + echo "# FAIL: Didn't find: ${EXP[$I]}" + echo + DUMP_LOG="yes" + FAIL=$(($FAIL + 1)) + fi + done + else + DUMP_LOG="yes" + UNKNOWN=$(($UNKNOWN + 1)) + fi + + if [ "$DUMP_LOG" = "yes" ]; then + cat $LOG + fi +} + +client() { + ${WOLFSSL_CLIENT} -r -g -p $PORT -h $HOST $OPTS >$CLIENT_TMP 2>&1 + + echo "# Client Output" + LOG=$CLIENT_TMP + EXP=("${EXPECT[@]}") + check_log +} +client_test() { + OPTS="$OPTS -r -g" + client +} +stapling_test() { + OPTS="$OPTS -g -C -A ${WOLFSSL_OCSP_CERTS}/root-ca-cert.pem -W 1" + client +} + +# Start the OSCP responder and generate the response files +${OPENSSL} ocsp -port 22221 -nmin ${VALID_MIN} -index ${WOLFSSL_OCSP_CERTS}/index1.txt -rsigner ${WOLFSSL_OCSP_CERTS}/ocsp-responder-cert.pem -rkey ${WOLFSSL_OCSP_CERTS}/ocsp-responder-key.pem -CA ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem >/dev/null 2>&1 & +OCSP_PID=$! + +# Generate OCSP response file that indicates certificate is good. +${OPENSSL} ocsp -issuer ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem -cert ${WOLFSSL_OCSP_CERTS}/server1-cert.pem -url http://localhost:22221 -resp_text -respout ${WN_OCSP_GOOD} -no_nonce >/dev/null 2>&1 + +# Generate OCSP response file that indicates certificate is revoked. 
+${OPENSSL} ocsp -issuer ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem -cert ${WOLFSSL_OCSP_CERTS}/server2-cert.pem -url http://localhost:22221 -resp_text -respout ${WN_OCSP_BAD} -no_nonce >/dev/null 2>&1 + +if [ ! -f $WN_OCSP_GOOD ]; then + echo "Could not find OCSP output file: ${WN_OCSP_GOOD}" + echo "Stopping - FAIL" + exit 1 +fi +if [ ! -f $WN_OCSP_BAD ]; then + echo "Could not find OCSP output file: ${WN_OCSP_BAD}" + echo "Stopping - FAIL" + exit 1 +fi + +echo "Stopping Nginx ..." +NGINX_OPTS="-s stop" +run_nginx +echo "Starting Nginx ..." +# Start Nginx +NGINX_OPTS= +run_nginx +if [ "$RES" != "0" ]; then + echo "Failed to start Nginx" + exit 1 +fi + +# Default certificate, DH KEA +echo +echo '#' +echo '# DH Key Exchange' +echo '#' +PORT=11443 +echo "# Port: $PORT" +OPTS= +EXPECT=("SSL DH size is 2048 bits" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response") +client_test +# Default certificate, DH, verify client +echo +echo '#' +echo '# DH Key Exchange verify client' +echo '#' +PORT=11444 +echo "# Port: $PORT" +OPTS="-x" +EXPECT=("400 No required SSL certificate was sent") +client_test +# Default certificate, ECDH with SECP384R1 +echo +echo '#' +echo '# ECDH Key Exchange: SECP384R1' +echo '#' +PORT=11445 +echo "# Port: $PORT" +OPTS= +EXPECT=("SECP384R1" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK") +client_test +# ECC certificate, ECDH with default curve (prime256v1) +echo +echo '#' +echo '# ECC Certificate, ECDH Key Exchange: default curve (prime256v1)' +echo '#' +PORT=11446 +echo "# Port: $PORT" +OPTS= +EXPECT=("SECP256R1" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK") +client_test +# Session tickets file +echo +echo '#' +echo '# Session ticket file' +echo '#' +PORT=11450 +echo "# Port: $PORT" +OPTS= +EXPECT=("Session Ticket CB" "HTTP/1.1 200 OK") +client_test + +echo +echo '#' +echo '# Session cache off' +echo '#' +PORT=11455 +echo "# Port: $PORT" +OPTS= +EXPECT=("didn't reuse session id!!!" 
"HTTP/1.1 200 OK") +client_test +echo +echo '#' +echo '# Session cache none' +echo '#' +PORT=11456 +echo "# Port: $PORT" +OPTS= +EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK") +client_test +echo +echo '#' +echo '# Session cache builtin' +echo '#' +PORT=11457 +echo "# Port: $PORT" +OPTS= +EXPECT=("reused session id" "HTTP/1.1 200 OK") +client_test + +# Proxy to localhost:11111 - DHE-RSA +echo +echo '#' +echo '# Proxy - DHE-RSA' +echo '#' +PORT=11460 +echo "# Port: $PORT" +OPTS= +SERVER_OPTS= +EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") +client_test +# Proxy to localhost:11111 - ECDHE-RSA +echo +echo '#' +echo '# Proxy - ECDHE-RSA' +echo '#' +PORT=11461 +echo "# Port: $PORT" +OPTS= +SERVER_OPTS= +EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") +client_test +# Proxy to localhost:11111 - ECDHE-ECDSA +echo +echo '#' +echo '# Proxy - ECDHE-ECDSA' +echo '#' +PORT=11462 +echo "# Port: $PORT" +OPTS= +SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem" +EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") +client_test +# Proxy to localhost:11111 - ECDHE-ECDSA +echo +echo '#' +echo '# Proxy - ECDHE-ECDSA' +echo '#' +PORT=11463 +echo "# Port: $PORT" +OPTS= +SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem" +EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") +client_test +# Proxy to localhost:11111 - ECDHE-ECDSA +echo +echo '#' +echo '# Proxy - ECDHE-ECDSA' +echo '#' +PORT=11464 +echo "# Port: $PORT" +OPTS= +SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem" +EXPECT=("HTTP/1.1 502") +client_test +# Proxy to localhost:11111 - Revoked certificate in CRL +echo +echo '#' +echo '# Proxy - Revoked certificate in CRL' +echo '#' +PORT=11465 +echo "# Port: $PORT" +OPTS= +SERVER_OPTS= +EXPECT=("HTTP/1.1 502") +client_test + +# OCSP Stapling +# Good certificate +echo +echo '#' +echo '# OCSP Stapling - Good Certificate (Using OCSP Responder)' +echo '#' +PORT=11470 +echo "# Port: $PORT" +OPTS= +EXPECT=("HTTP/1.1 200 OK") +stapling_test +stapling_test +# Revoked certificate 
+echo +echo '#' +echo '# OCSP Stapling - Revoked Certificate (Using OCSP Responder)' +echo '#' +PORT=11471 +echo "# Port: $PORT" +OPTS= +EXPECT=("err = -360") +stapling_test +stapling_test +# Good certificate - response file +echo +echo '#' +echo '# OCSP Stapling - Good Certificate (Using pre-generated file)' +echo '#' +PORT=11472 +echo "# Port: $PORT" +OPTS= +EXPECT=("HTTP/1.1 200 OK") +stapling_test +# Revoked certificate - response file +echo +echo '#' +echo '# OCSP Stapling - Revoked Certificate (Using pre-generated file)' +echo '#' +PORT=11473 +echo "# Port: $PORT" +OPTS= +EXPECT=("err = -360") +stapling_test +# No certificate for verification of OCSP response +echo +echo '#' +echo '# OCSP Stapling - Using OCSP Responder but no cert to verify' +echo '#' +PORT=11474 +echo "# Port: $PORT" +OPTS= +EXPECT=("HTTP/1.1 200 OK") +stapling_test +stapling_test + +do_cleanup + +echo +echo "##############" +echo "# PASS : $PASS" +echo "# FAIL : $FAIL" +echo "# UNKNOWN : $UNKNOWN" +echo "##############" + diff --git a/wolfssl/index.html b/wolfssl/index.html new file mode 100644 index 0000000..2f2eb98 --- /dev/null +++ b/wolfssl/index.html @@ -0,0 +1,9 @@ + + + +Welcome to wolfSSL! + + +
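Review bot: The `exit 1` paths taken after the OCSP responder has been started (the two "Could not find OCSP output file" checks and "Failed to start Nginx") never reach do_cleanup, and `trap do_trap INT TERM` does not cover EXIT, so a failed run leaves the `openssl ocsp` responder on port 22221 running; calling `do_cleanup` before each of those exits, or adding EXIT to the trap with a guard so do_trap's own `exit 1` does not run cleanup twice, would close that. The proxy tests on ports 11460–11465 expect a backend answering "Welcome to wolf", but nothing in the script starts one: SERVER_OPTS is assigned and never read and SERVER_PID never leaves 0, so those cases depend on an externally started server that should be launched here or documented as a prerequisite. CLIENT_TMP and SERVER_TMP use predictable names in the shared /tmp; `CLIENT_TMP=$(mktemp /tmp/nginx_client.XXXXXX)` is the usual fix. `client_test` appends `-r -g` to OPTS although `client` already passes `-r -g`, so the flags are duplicated on every run.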

wolfSSL has successfully performed handshake!

+ +