httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject SNI test case
Date Mon, 11 Feb 2008 15:35:03 GMT
Does anyone (but me :) feel a need to have something like below
living in test/* -- over the past couple of days I found it very
useful to get folks with embryonic SNI installations going.

Thanks,

Dw

PS: SNI Rocks !

#!/bin/sh
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This script will populate a directory 'sni' with 3 sites, httpd.conf
# and certificates as to facilitate testing of TLS server name
# indication support (RFC 4366) or SNI.
#
# $Id$
#
OPENSSL=${OPENSSL:-openssl}
DOMAIN=${DOMAIN:-`hostname | sed -e 's/^[^\.]*\.//g'`}

if [ $# = 1 -a "x$1" != "x-f" -o $# -gt 1 ]; then
         echo "Syntax: $0 [-f]"
         exit 1
fi

if test -d sni -a "x$1" != "x-f"; then
         echo "Aborted - already a $PWD/sni directory. Use the -f flag to overwrite."
         exit 1
fi

mkdir -p sni || exit 1
cd sni || exit 1
mkdir -p ssl htdocs logs || exit 1

# Use the configured openssl binary for the version check as well.
if ! $OPENSSL version | grep -q OpenSSL; then
         echo Aborted - your openssl is very old or misconfigured.
         exit 1
fi

set `$OPENSSL version`
if test "0$2" \< "00.9"; then
         echo Aborted - version of openssl too old, 0.9 or up required.
         exit 1
fi


# Create a 'CA'
serial=1
$OPENSSL req -new -nodes -batch \
         -x509  \
         -days 10 -subj '/CN=Da Root/O=SNI testing/' -set_serial $serial \
         -keyout root.key -out root.pem  \
         || exit 2


echo '# To append to your hosts file' > hosts
cat > httpd-sni.conf << EOM
# To append to your httpd.conf file
Listen 127.0.0.1:443
NameVirtualHost 127.0.0.1:443

LoadModule ssl_module modules/mod_ssl.so

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

LogLevel debug
TransferLog $PWD/logs/access_log
ErrorLog $PWD/logs/error_log

SSLSessionCache none

<Directory />
     Options None
     AllowOverride None
     Require all denied
</Directory>

<Directory "$PWD/htdocs">
     allow from all
     Require all granted
</Directory>

# The first entry is also the default for non SNI
# supporting clients.
EOM

for n in ape nut jane
do
         FQDN=$n.$DOMAIN
         serial=`expr $serial + 1`
         # Request for the site certificate; -days belongs to the signing
         # step below, not to the request.
         $OPENSSL req -new -nodes -batch \
                 -subj "/CN=$FQDN/O=SNI Testing/" \
                 -keyout $n.key -out $n.req \
                 || exit 3
         # Sign the request with the test CA, valid for 9 days.
         $OPENSSL x509 -text -req -days 9 \
                 -CA root.pem -CAkey root.key \
                 -set_serial $serial -in $n.req -out $n.pem \
                 || exit 4
         cat $n.pem $n.key > ssl/$n.crt
         rm $n.req $n.key $n.pem

         LST="$LST
         https://$FQDN/index.html"
         echo "127.0.0.1         $FQDN $n" >> hosts
         mkdir -p htdocs/$n
         echo We are $FQDN > htdocs/$n/index.html

         cat >> httpd-sni.conf << EOM
<VirtualHost 127.0.0.1:443>
     SSLEngine On
     ServerName $FQDN:443
     DocumentRoot $PWD/htdocs/$n
     SSLCertificateChainFile $PWD/root.pem
     SSLCertificateFile $PWD/ssl/$n.crt
     TransferLog $PWD/logs/$n
</VirtualHost>

EOM

done

cat << EOM
SNI Files generated
===================

The directory $PWD/sni has been populated with the following

-       root.key|pem    Certificate authority root and key

-       hosts           /etc/hosts file with fake entries for the hosts

-       htdocs          directory with one docroot for each domain,
                         each with a small sample file.

-       ssl             directory with an ssl cert (signed by root)
                         for each of the domains.

-       logs            logfiles, one for each domain and an
                         access_log for any misses.

SNI Test
========

A directory $PWD/sni has been created. Run an apache
server against it with

     .../httpd -f $PWD/httpd-sni.conf

and keep an eye on $PWD/logs/... Note that you will see entries
like

     [Mon Feb 11 16:12:26 2008] [debug] Init:
         SSL server IP/port overlap: ape.*:443 (httpd-sni.conf:24) vs. jane.*:443 (httpd-sni.conf:42)

and a concluding warning

     [Mon Feb 11 16:12:26 2008] [warn] Init:
         Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

If you see an entry like

     [Mon Feb 11 15:41:41 2008] [warn] Init:
         You should not use name-based virtual hosts in conjunction with SSL!!

then you are either using an OpenSSL which is too old, or you need to
ensure that the TLS extensions are compiled into openssl with the
'enable-tlsext' flag.

Meanwhile add 'hosts' to your c:\windows\system32\drivers\etc\hosts
or /etc/hosts file so as to point the various URLs to your server:

$LST

and verify that each returns its own name (and an entry in its
own $PWD/logs file).

EOM
exit 0
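The final verification step above (each name must come back with its own certificate) can be scripted against the running server. This is an added example, not part of Dirk-Willem's script; it assumes the ape/nut/jane hosts and the 127.0.0.1:443 listener that the generated httpd-sni.conf sets up, and the HOSTPORT variable and the -run flag are its own.

```sh
#!/bin/sh
# Added example, not part of the original script: checks that an httpd
# started with sni/httpd-sni.conf presents the right certificate for each
# SNI name.  Assumes the ape/nut/jane hosts generated above and a server
# on 127.0.0.1:443; OPENSSL and DOMAIN default exactly as in the script.
OPENSSL=${OPENSSL:-openssl}
DOMAIN=${DOMAIN:-`hostname | sed -e 's/^[^\.]*\.//g'`}
HOSTPORT=${HOSTPORT:-127.0.0.1:443}

# Pull the CN out of an "openssl x509 -noout -subject" line.  Both the
# old "subject= /CN=x/O=y" and the newer "subject=CN = x, O = y" layouts
# are recognised, so the check works across OpenSSL releases.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n \
        -e 's|^subject= */.*CN=\([^/]*\).*$|\1|p' \
        -e 's|^subject=.*CN *= *\([^,/]*\).*$|\1|p' | head -n 1
}

# CN of the certificate the server hands out when $1 is sent as the SNI
# name (empty if the handshake fails or no certificate comes back).
served_cn() {
    subj=`$OPENSSL s_client -servername "$1" -connect "$HOSTPORT" \
        </dev/null 2>/dev/null | $OPENSSL x509 -noout -subject 2>/dev/null`
    cn_from_subject "$subj"
}

# Compare the presented CN with the name we asked for; returns 0 on a
# match, 1 on a mismatch (a mismatch means SNI dispatch is not working,
# typically the default vhost's certificate was returned instead).
check_sni() {
    got=`served_cn "$1"`
    if [ "x$got" = "x$1" ]; then
        echo "ok   $1"
        return 0
    fi
    echo "FAIL $1 -> got '${got:-no certificate}'"
    return 1
}

# The live run is behind a -run flag so the functions can also be sourced.
if [ "x$1" = "x-run" ]; then
    rc=0
    for n in ape nut jane; do
        check_sni "$n.$DOMAIN" || rc=1
    done
    exit $rc
fi
```

Run it as `sh sni-check.sh -run` while httpd is up; a non-zero exit means at least one name was served the wrong certificate.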