make_sni.sh revision 00d6521b902bb0b381f3ffe7eff44f7978497e5c
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This script will populate a directory 'sni' with 3 sites, httpd.conf
# and certificates as to facilitate testing of TLS server name
# indication support (RFC 4366) or SNI.
#
# $Id$
#
if [ $? != 0 ]; then
echo "Syntax: $0 [-f] [-d outdir] [-D domain ] [two or more vhost names ]"
echo " -f Force overwriting of outdir (default is $DIR)"
echo " -d dir Directory to create the SNI test server in (default is $DIR)"
echo " -D domain Domain name to use for this test (default is $DOMAIN)"
echo " [names] List of optional vhost names (default is $NAMES)"
echo
echo "Example:"
echo " $0 -D SecureBlogsAreUs.com peter fred mary jane ardy"
echo
exit 1
fi
set -- $args
for i
do
case "$i"
-f)
FORCE=1
shift;;
-d)
DIR=$2; shift
shift;;
-D)
DOMAIN=$2; shift
shift;;
--)
shift; break;
esac
done
if [ $# = 1 ]; then
echo "Aborted - just specifing one vhost makes no sense for SNI testing. Go wild !"
exit 1
fi
if [ $# -gt 0 ]; then
NAMES=$*
fi
exit 1
fi
if test "0$2" \< "00.9"; then
exit 1
fi
exit 1
fi
# Create a 'CA' - keep using different serial numbers
# as the browsers get upset if they see an identical
# serial with a different pub-key.
#
# Note that we're not relying on the 'v3_ca' section as
# in the default openssl.conf file - so the certificate
# will be without the basicConstraints = CA:true and
# keyUsage = cRLSign, keyCertSign values. This is fine
# for most browsers.
#
serial=$$
-x509 \
|| exit 2
# To append to your httpd.conf file'
Listen 127.0.0.1:443
NameVirtualHost 127.0.0.1:443
LoadModule ssl_module modules/mod_ssl.so
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
LogLevel debug
TransferLog ${DIR}/logs/access_log
ErrorLog ${DIR}/logs/error_log
# You'll get a warning about this.
#
SSLSessionCache none
<Directory />
Options None
AllowOverride None
Require all denied
</Directory>
<Directory "${DIR}/htdocs">
allow from all
Require all granted
</Directory>
# This first entry is also the default for non SNI
# supporting clients.
#
EOM
INFO="and also the site you see when the browser does not support SNI."
do
# Create a certificate request for this host.
#
|| exit 3
# And get it signed by our root authority.
#
|| exit 4
# Create and populate a docroot for this host.
#
# gets marked as such.
#
INFO="and you'd normally only see this site when there is proper SNI support."
# And create a configuration snipped.
#
<VirtualHost 127.0.0.1:443>
SSLEngine On
ServerName $FQDN:443
DocumentRoot ${DIR}/htdocs/$n
SSLCertificateChainFile ${DIR}/root.pem
SSLCertificateFile ${DIR}/ssl/$n.crt
TransferLog ${DIR}/logs/access_$n
</VirtualHost>
EOM
done
cat << EOM
SNI Files generated
===================
The directory ${DIR}/sni has been populated with the following
- root.key|pem Certificate authority root and key. (You could
import the root.pem key into your browser to
quell warnings about an unknown authority).
- hosts /etc/hosts file with fake entries for the hosts
- htdocs directory with one docroot for each domain,
each with a small sample file.
- ssl directory with an ssl cert (signed by root)
for each of the domains).
- logs logfiles, one for each domain and an
access_log for any misses.
SNI Test
========
A directory ${DIR}/sni has been created. Run an apache
server against it with
.../httpd -f ${DIR}/httpd-sni.conf
and keep an eye on ${DIR}/logs/error_log. When everything
is fine you will see entries like:
Feb 11 16:12:26 2008] [debug] Init:
SSL server IP/port overlap: ape.*:443 (httpd-sni.conf:24) vs. jane.*:443 (httpd-sni.conf:42)
for each vhost configured and a concluding warning:
[Mon Feb 11 16:12:26 2008] [warn] Init:
Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
HOWEVER - If you see an entry like:
[Mon Feb 11 15:41:41 2008] [warn] Init:
You should not use name-based virtual hosts in conjunction with SSL!!
then you are either using an OpenSSL which is too old and/or you need to ensure that the
TLS Extensions are compiled into openssl with the 'enable-tlsext' flag. Once you have
recompiled or reinstalled OpenSSL with TLS Extensions you will have to recompile mod_ssl
to allow it to recognize SNI support.
Meanwhile add 'hosts' to your c:\windows\system32\drivers\etc\hosts
or /etc/hosts file as to point the various URL's to your server:
$LST
and verify that each returns its own name (and an entry in its
own ${DIR}/logs) file).
EOM
exit 0