worker_processes 1; events { } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; ssl_session_tickets off; # HTTPS server # Using DH parameters server { listen 11443 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Verify client server { listen 11444 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_client_certificate client-cert.pem; ssl_verify_client on; ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # P384 curve with ECDHE server { listen 11445 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Default curve with ECDHE and ECDSA server { listen 11446 ssl; server_name localhost; ssl_certificate cert-ecc.pem; ssl_certificate_key cert-ecc-p8.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Using TLS v1.3 server { listen 11447 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Session ticket server { listen 11450 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_ticket_key ticket_keys; ssl_session_tickets on; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Session cache off server { listen 11455 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache off; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Session cache none server { listen 11456 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache none; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Session cache builtin server { listen 11457 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache builtin:100; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Proxy to wolfSSL server upstream backend { server 127.0.0.1:12443; } server { listen 127.0.0.1:12443 ssl; server_name www.wolfssl.com; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; location / { root wolfssl; index index.html; } } upstream backend_ecdhe_rsa { server 127.0.0.1:12444; } server { listen 127.0.0.1:12444 ssl; server_name www.wolfssl.com; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; location / { root wolfssl; index index.html; } } upstream backend_ecdhe_ecdsa { server 127.0.0.1:12445; } server { listen 127.0.0.1:12445 ssl; server_name www.wolfssl.com; ssl_certificate cert-ecc.pem; ssl_certificate_key cert-ecc-priv.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; location / { root wolfssl; index index.html; } } upstream backend_crl_rev { server 127.0.0.1:12446; } server { listen 127.0.0.1:12446 ssl; server_name www.wolfssl.com; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; location / { root wolfssl; index index.html; } } upstream backend_chain { server 127.0.0.1:12447; } server { listen 127.0.0.1:12447 ssl; server_name ecc-3-leaf; ssl_certificate ecc-3-caleaf.crt; ssl_certificate_key ecc-3-leaf.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; location / { root wolfssl; index index.html; } } upstream backend_bad_chain { server 127.0.0.1:12448; } server { listen 127.0.0.1:12448 ssl; server_name ecc-3-leaf; ssl_certificate ecc-3-leaf.crt; ssl_certificate_key ecc-3-leaf.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; ssl_prefer_server_ciphers on; location / { root wolfssl; index index.html; } } # Proxy using DHE cipher suites and CRL server { listen 11460 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { proxy_pass https://backend; proxy_ssl_name www.wolfssl.com; proxy_ssl_server_name on; proxy_ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; proxy_ssl_trusted_certificate ca-cert.pem; proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_crl crl.pem; proxy_ssl_protocols TLSv1.3; } } # Proxy using ECDHE cipher suites and CRL server { listen 11461 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { proxy_pass https://backend_ecdhe_rsa; proxy_ssl_name www.wolfssl.com; proxy_ssl_server_name on; proxy_ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; proxy_ssl_trusted_certificate ca-cert.pem; proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_crl crl.pem; proxy_ssl_protocols TLSv1.3; } } # Proxy using ECDHE and ECDSA cipher suites server { listen 11462 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { proxy_pass https://backend_ecdhe_ecdsa; proxy_ssl_name www.wolfssl.com; proxy_ssl_server_name on; proxy_ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; proxy_ssl_trusted_certificate ca-cert-ecc.pem; proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_session_reuse on; proxy_ssl_protocols TLSv1.3; } } # Proxy using complete chain server { listen 11463 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { proxy_pass https://backend_chain; proxy_ssl_name ecc-3-leaf; proxy_ssl_server_name on; proxy_ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; proxy_ssl_trusted_certificate ecc-3-root.crt; proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_session_reuse on; proxy_ssl_protocols TLSv1.3; } } # Proxy using incomplete chain server { listen 11464 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { proxy_pass https://backend_bad_chain; proxy_ssl_name ecc-3-leaf; proxy_ssl_server_name on; proxy_ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; proxy_ssl_trusted_certificate ecc-3-root.crt; proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_session_reuse on; proxy_ssl_protocols TLSv1.3; } } # Proxy using revoked CRL server { listen 11465 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { proxy_pass https://backend_crl_rev; proxy_ssl_name www.wolfssl.com; proxy_ssl_server_name on; proxy_ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; proxy_ssl_trusted_certificate ca-cert.pem; proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_crl crl-revoked.pem; proxy_ssl_session_reuse on; proxy_ssl_protocols TLSv1.3; } } # OCSP Stapling # Valid server certificate - using OCSP responder server { listen 11470 ssl; server_name localhost; ssl_certificate ocsp-good-cert.pem; ssl_certificate_key ocsp-good-key.pem; ssl_stapling on; ssl_stapling_responder http://127.0.0.1:22221; ssl_stapling_verify on; ssl_trusted_certificate ocsp-root-resp-cert.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Revoked server certificate - using OCSP responder server { listen 11471 ssl; server_name localhost; ssl_certificate ocsp-bad-cert.pem; ssl_certificate_key ocsp-bad-key.pem; ssl_stapling on; ssl_stapling_responder http://127.0.0.1:22221; ssl_trusted_certificate ocsp-root-resp-cert.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Valid server certificate in fixed OCSP response server { listen 11472 ssl; server_name localhost; ssl_certificate ocsp-good-cert.pem; ssl_certificate_key ocsp-good-key.pem; ssl_stapling on; ssl_stapling_file ocsp-good-status.der; ssl_trusted_certificate ocsp-root-resp-cert.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # Revoked server certificate in fixed OCSP response server { listen 11473 ssl; server_name localhost; ssl_certificate ocsp-bad-cert.pem; ssl_certificate_key ocsp-bad-key.pem; ssl_stapling on; ssl_stapling_file ocsp-bad-status.der; ssl_trusted_certificate ocsp-root-resp-cert.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } # No CA to check responder certificate - using OCSP responder server { listen 11474 ssl; server_name localhost; ssl_certificate ocsp-good-cert.pem; ssl_certificate_key ocsp-good-key.pem; ssl_stapling on; ssl_stapling_responder http://127.0.0.1:22221; ssl_stapling_verify on; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; index index.html; } } }