chore: update tls cert for test

shshekhar93 · Mar 7, 2023 · d079d66 · d079d66
1 parent ee5c7b4
commit d079d66
Show file tree

Hide file tree

Showing 8 changed files with 101 additions and 42 deletions.
diff --git a/docs/transport.md b/docs/transport.md
@@ -6,21 +6,29 @@ By default, `rathole` forwards traffic as it is. Different options can be enable
 Checkout the [example](../examples/tls)
 ### Client
 Normally, a self-signed certificate is used. In this case, the client needs to trust the CA. `trusted_root` is the path to the root CA's certificate PEM file.
-`hostname` is the hostname that the client used to validate aginst the certificate that the server presents.
+`hostname` is the hostname that the client used to validate aginst the certificate that the server presents. Note that it does not have to be the same with the `remote_addr` in `[client]`.
 ```
 [client.transport.tls]
-trusted_root = "example/tls/ca-cert.pem"
-hostname = "0.0.0.0"
+trusted_root = "example/tls/rootCA.crt"
+hostname = "localhost"
 ```
 
 ### Server
 PKCS#12 archives are needed to run the server.
 
 It can be created using openssl like:
 ```
-openssl pkcs12 -export -out identity.pfx -inkey server-key.pem -in server-cert.pem -certfile ca_chain_certs.pem
+openssl pkcs12 -export -out identity.pfx -inkey server.key -in server.crt -certfile ca_chain_certs.crt
 ```
 
+Aruguments are:
+
+- `-inkey`: Server Private Key
+- `-in`: Server Certificate
+- `-certfile`: CA Certificate
+
+Creating self-signed certificate with one's own CA is a non-trival task. However, a script is provided under tls example folder for reference.
+
 ## Noise Protocol
 ### Quickstart for the Noise Protocl
 In one word, the [Noise Protocol](http://noiseprotocol.org/noise.html) is a lightweigt, easy to configure and drop-in replacement of TLS. No need to create a self-sign certificate to secure the connection.

diff --git a/examples/tls/ca-cert.pem b/examples/tls/ca-cert.pem
diff --git a/examples/tls/client.toml b/examples/tls/client.toml
@@ -1,12 +1,12 @@
 [client]
-remote_addr = "localhost:2333"
+remote_addr = "127.0.0.1:2333"
 default_token = "123"
 
 [client.transport]
 type = "tls"
 [client.transport.tls]
-trusted_root = "examples/tls/ca-cert.pem"
-hostname = "0.0.0.0"
+trusted_root = "examples/tls/rootCA.crt"
+hostname = "localhost"
 
 [client.services.foo1]
 local_addr = "127.0.0.1:80"
diff --git a/examples/tls/create_self_signed_cert.sh b/examples/tls/create_self_signed_cert.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# create CA 
+openssl req -x509 \
+            -sha256 -days 356 \
+            -nodes \
+            -newkey rsa:2048 \
+            -subj "/CN=MyOwnCA/C=US/L=San Fransisco" \
+            -keyout rootCA.key -out rootCA.crt 
+
+# create server private key
+openssl genrsa -out server.key 2048
+
+# create certificate signing request (CSR)
+cat > csr.conf <<EOF
+[ req ]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+
+[ dn ]
+C = US
+ST = California
+L = San Fransisco
+O = Someone
+OU = Someone
+CN = localhost
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+EOF
+
+openssl req -new -key server.key -out server.csr -config csr.conf
+
+# create server cert
+cat > cert.conf <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+EOF
+
+openssl x509 -req \
+    -in server.csr \
+    -CA rootCA.crt -CAkey rootCA.key \
+    -out server.crt \
+    -days 365 \
+    -sha256 -extfile cert.conf
+
+# create pkcs12
+openssl pkcs12 -export -out identity.pfx -inkey server.key -in server.crt -certfile rootCA.crt -passout pass:1234
+
+# clean up
+rm server.csr csr.conf cert.conf
diff --git a/examples/tls/identity.pfx b/examples/tls/identity.pfx
diff --git a/examples/tls/rootCA.crt b/examples/tls/rootCA.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIUT2Hjb+eORMuX0zIwClSygNTJiSQwDQYJKoZIhvcNAQEL
+BQAwNzEQMA4GA1UEAwwHTXlPd25DQTELMAkGA1UEBhMCVVMxFjAUBgNVBAcMDVNh
+biBGcmFuc2lzY28wHhcNMjMwMzA3MTIzOTM5WhcNMjQwMjI2MTIzOTM5WjA3MRAw
+DgYDVQQDDAdNeU93bkNBMQswCQYDVQQGEwJVUzEWMBQGA1UEBwwNU2FuIEZyYW5z
+aXNjbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4hFcu/+GeSQRR0
+XniadepJtCp3juIaHaYLMIsKg4fUSOiVlOCJU27wYa6xaYOcjSKpv7tmZ7YwFBwO
+dGdlcqAFD1nj+JCsHQAJKRIYWY6UklrQb0rd+67HXF03cN4sPGiAKXy52jaPYJIS
+oz5w8mfcz66b3q6fYmefyjwvqBl5nJApiWzBEtLPDKhmT6ST3VuQLdmYNEmL3lL9
+wVJu3R1L7gnzoUFdHyeOpAoALFAI8zfezI8IJsDLLdVfKZNZYm0PDB98ldlBQ2wf
+uXFTzuVHeifBFcUxhV5/U9c3Fp7UnuMD7/RAcABBE8aW6wFl246WjTk4v6r0QYgZ
+49BrnGMCAwEAAaNTMFEwHQYDVR0OBBYEFIwCXoKvHjF6mWhgNLwSEktXT9S/MB8G
+A1UdIwQYMBaAFIwCXoKvHjF6mWhgNLwSEktXT9S/MA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAIlSJqo9QJUZTE1SzafqihkSXBuLAKMNq+Box02o
+2tticlBV3BVpNZ4SbOs8oYN/Hmr2cDSmgbf4ZB1BqExarsrLnFuIrM4XWVzuFHSt
+oMSlE/OE6cO0wzqUlihmUfx2azuXKPLotAObD6fwNbUb03YxTpNrEqFxIjYn6g56
+Mp1Eo/Na2ptr41Nin2gHsynPOWdPhpBqBxnWMFz1pfZ7TB1h92DVqFN92fMzgvAT
+oJdTGl9hFTcS4XrYwOhhITNGn7oM9uTFpTd/IZbjAakcAnLcwRumthD32YJPpXqV
+JC2zJNBvEbQ4hdvZu3eNx5J8GU8wiMoJgYNy4zNMbM3qM+E=
+-----END CERTIFICATE-----
diff --git a/tests/for_tcp/tls_transport.toml b/tests/for_tcp/tls_transport.toml
@@ -5,8 +5,8 @@ default_token = "default_token_if_not_specify"
 [client.transport]
 type = "tls" 
 [client.transport.tls]
-trusted_root = "examples/tls/ca-cert.pem"
-hostname = "0.0.0.0"
+trusted_root = "examples/tls/rootCA.crt"
+hostname = "localhost"
 
 [client.services.echo] 
 local_addr = "127.0.0.1:8080" 

diff --git a/tests/for_udp/tls_transport.toml b/tests/for_udp/tls_transport.toml
@@ -5,8 +5,8 @@ default_token = "default_token_if_not_specify"
 [client.transport]
 type = "tls" 
 [client.transport.tls]
-trusted_root = "examples/tls/ca-cert.pem"
-hostname = "0.0.0.0"
+trusted_root = "examples/tls/rootCA.crt"
+hostname = "localhost"
 
 [client.services.echo] 
 type = "udp"