Skip to content

Latest commit

 

History

History
92 lines (67 loc) · 3.01 KB

README.md

File metadata and controls

92 lines (67 loc) · 3.01 KB

openssl-demo-server

markdownlint

Example program to implement a TLS server. It was written for demonstration and educational purposes.

Pre-requisites

Features

  • OCSP stapling
  • DNSSEC Authentication chain extension
  • session resumption
  • 4 x 100 at SSLlabs given a valid key and certificate is used
  • chroot operation possible
  • setuid(non root user) possible

Limitations

  • can't specify to listen in IPv4 only if IPv6 is available
  • proxy-mode: destination must be an IPv4 address

Source

general Build

make
cc -Wall -Wextra -Wpedantic -c -o main.o main.c
cc -Wall -Wextra -Wpedantic -c -o ocsp-stapling.o ocsp-stapling.c
cc -Wall -Wextra -Wpedantic -c -o dnssec-chain-extension.o dnssec-chain-extension.c
cc -Wall -Wextra -Wpedantic -lssl -lcrypto -lgetdns -o openssl-demo-server \
  main.o ocsp-stapling.o dnssec-chain-extension.o
...

personal Build

DEB_BUILD_MAINT_OPTIONS='hardening=+all'
CFLAGS="$( dpkg-buildflags --get CFLAGS ) $( dpkg-buildflags --get CPPFLAGS )"
LDFLAGS="$( dpkg-buildflags --get LDLAGS )"
LIBS='-lssl-dv -lcrypto-dv -lgetdns'
export DEB_BUILD_MAINT_OPTIONS CFLAGS LDFLAGS LIBS
make -B

Docker Build

docker build -t openssl-demo-server .

OR

docker-compose build

Usage

# /path/to/openssl-demo-server -h

Usage: openssl-demo-server [options]

  -h                  print this help message
  -sname  <name>      server name               default: openssl-demo-server.example
  -port   <port>      server port               default: 443
  -cert   <file>      server certificate file   default: ./cert+intermediate.pem
  -key    <file>      server private key file   default: ./key.pem
  -oscp   <file>      server ocsp response file default: ./ocsp.response
  -chroot <dir>       chroot to directory       default: don't chroot
  -user   <name>      switch to that user       default: don't switch user
  -proxy  <ip>:<port> IPv4 address and port to forward to

If the program cannot access the OCSP response file OCSP will be not used.

Bugs

I'm sure there are some! For that reason: DO NOT USE that software on a production level system!