3 # Licensed to the Apache Software Foundation (ASF) under one or more
4 # contributor license agreements. See the NOTICE file distributed with
5 # this work for additional information regarding copyright ownership.
6 # The ASF licenses this file to You under the Apache License, Version 2.0
7 # (the "License"); you may not use this file except in compliance with
8 # the License. You may obtain a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
18 # This script will populate a directory 'sni' with 3 sites, httpd.conf
19 # and certificates as to facilitate testing of TLS server name
20 # indication support (RFC 4366) or SNI.
24 OPENSSL=${OPENSSL:-openssl}
25 DOMAIN=${DOMAIN:-my-sni-test.org}
27 NAMES=${NAMES:-ape nut pear apple banana}
29 args=`getopt fd:D: $*`
31 echo "Syntax: $0 [-f] [-d outdir] [-D domain ] [two or more vhost names ]"
32 echo " -f Force overwriting of outdir (default is $DIR)"
33 echo " -d dir Directory to create the SNI test server in (default is $DIR)"
34 echo " -D domain Domain name to use for this test (default is $DOMAIN)"
35 echo " [names] List of optional vhost names (default is $NAMES)"
38 echo " $0 -D SecureBlogsAreUs.com peter fred mary jane ardy"
62 echo "Aborted - just specifing one vhost makes no sense for SNI testing. Go wild !"
70 if ! openssl version | grep -q OpenSSL; then
71 echo Aborted - your openssl is very old or misconfigured.
76 if test "0$2" \< "00.9"; then
77 echo Aborted - version of openssl too old, 0.9 or up required.
81 if test -d ${DIR} -a "x$FORCE" != "x1"; then
82 echo Aborted - already an ${DIR} directory. Use the -f flag to overwrite.
86 mkdir -p ${DIR} || exit 1
87 mkdir -p ${DIR}/ssl ${DIR}/htdocs ${DIR}/logs || exit 1
90 # Create a 'CA' - keep using different serial numbers
91 # as the browsers get upset if they see an identical
92 # serial with a different pub-key.
94 # Note that we're not relying on the 'v3_ca' section as
95 # in the default openssl.conf file - so the certificate
96 # will be without the basicConstraints = CA:true and
97 # keyUsage = cRLSign, keyCertSign values. This is fine
101 openssl req -new -nodes -batch \
103 -days 10 -subj '/CN=Da Root/O=SNI testing/' -set_serial $serial \
104 -keyout ${DIR}/root.key -out ${DIR}/root.pem \
108 echo '# To append to your hosts file' > ${DIR}/hosts
109 cat > ${DIR}/httpd-sni.conf << EOM
110 # To append to your httpd.conf file'
112 NameVirtualHost 127.0.0.1:443
114 LoadModule ssl_module modules/mod_ssl.so
116 SSLRandomSeed startup builtin
117 SSLRandomSeed connect builtin
120 TransferLog ${DIR}/logs/access_log
121 ErrorLog ${DIR}/logs/error_log
123 # You'll get a warning about this.
133 <Directory "${DIR}/htdocs">
138 # This first entry is also the default for non SNI
139 # supporting clients.
143 INFO="and also the site you see when the browser does not support SNI."
148 serial=`expr $serial + 1`
150 # Create a certificate request for this host.
152 openssl req -new -nodes -batch \
153 -days 9 -subj "/CN=$FQDN/O=SNI Testing/" \
154 -keyout ${DIR}/$n.key -out ${DIR}/$n.req -batch \
157 # And get it signed by our root authority.
159 openssl x509 -text -req \
160 -CA ${DIR}/root.pem -CAkey ${DIR}/root.key \
161 -set_serial $serial -in ${DIR}/$n.req -out ${DIR}/$n.pem \
164 cat ${DIR}/$n.pem ${DIR}/$n.key > ${DIR}/ssl/$n.crt
165 rm ${DIR}/$n.req ${DIR}/$n.key ${DIR}/$n.pem
168 https://$FQDN/index.html"
170 echo "127.0.0.1 $FQDN $n" >> ${DIR}/hosts
172 # Create and populate a docroot for this host.
174 mkdir -p ${DIR}/htdocs/$n || exit 1
175 echo We are $FQDN $INFO > ${DIR}/htdocs/$n/index.html || exit 1
177 # And change the info text - so that only the default/fallback site
178 # gets marked as such.
180 INFO="and you'd normally only see this site when there is proper SNI support."
182 # And create a configuration snipped.
184 cat >> ${DIR}/httpd-sni.conf << EOM
185 <VirtualHost 127.0.0.1:443>
188 DocumentRoot ${DIR}/htdocs/$n
189 SSLCertificateChainFile ${DIR}/root.pem
190 SSLCertificateFile ${DIR}/ssl/$n.crt
191 TransferLog ${DIR}/logs/access_$n
202 The directory ${DIR}/sni has been populated with the following
204 - root.key|pem Certificate authority root and key. (You could
205 import the root.pem key into your browser to
206 quell warnings about an unknown authority).
208 - hosts /etc/hosts file with fake entries for the hosts
210 - htdocs directory with one docroot for each domain,
211 each with a small sample file.
213 - ssl directory with an ssl cert (signed by root)
214 for each of the domains).
216 - logs logfiles, one for each domain and an
217 access_log for any misses.
222 A directory ${DIR}/sni has been created. Run an apache
223 server against it with
225 .../httpd -f ${DIR}/httpd-sni.conf
227 and keep an eye on ${DIR}/logs/... When everything
228 is fine you will see an entries like:
230 Feb 11 16:12:26 2008] [debug] Init:
231 SSL server IP/port overlap: ape.*:443 (httpd-sni.conf:24) vs. jane.*:443 (httpd-sni.conf:42)
233 for each vhost configured and a concluding warning:
235 [Mon Feb 11 16:12:26 2008] [warn] Init:
236 Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
238 HOWEVER - If you see an entry like
240 [Mon Feb 11 15:41:41 2008] [warn] Init:
241 You should not use name-based virtual hosts in conjunction with SSL!!
243 then you are either using an OpenSSL which is too old and/or you need to ensure that the
244 TLS Extensions are compiled into openssl with the 'enable-tlsext' flag. Once you have
245 recompiled or reinstalled OpenSSL with TLS Extensions you will have to recompile mod_ssl
246 to allow it to recognize SNI support.
248 Meanwhile add 'hosts' to your c:\windows\system32\drivers\etc\hosts
249 or /etc/hosts file as to point the various URL's to your server:
252 and verify that each returns its own name (and an entry in its
253 own ${DIR}/logs) file).