Does anyone (but me :) feel a need to have something like below
living in test/* -- over the past couple
of days I found it very useful to get folks with embryonic SNI
installations going.
Thanks,
Dw
PS: SNI Rocks !
#!/bin/sh
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This script will populate a directory 'sni' with 3 sites, httpd.conf
# and certificates as to facilitate testing of TLS server name
# indication support (RFC 4366) or SNI.
#
# $Id$
#

# Which openssl binary to use and which domain to hang the test hosts under
# (default: this machine's domain, i.e. hostname minus its first label).
OPENSSL=${OPENSSL:-openssl}
DOMAIN=${DOMAIN:-`hostname | sed -e 's/^[^\.]*\.//g'`}

if [ $# = 1 -a "x$1" != "x-f" -o $# -gt 1 ]; then
    echo "Syntax: $0 [-f]"
    exit 1
fi

if test -d sni -a "x$1" != "x-f"; then
    echo "Aborted - already a $PWD/sni directory. Use the -f flag to overwrite."
    exit 1
fi

mkdir -p sni || exit 1
cd sni || exit 1
mkdir -p ssl htdocs logs || exit 1

if ! $OPENSSL version | grep -q OpenSSL; then
    echo Aborted - your openssl is very old or misconfigured.
    exit 1
fi

# "OpenSSL 0.9.8g ..." -> $2 is the version; the leading 0 makes the
# string comparison work for 0.9.x as well as 1.x.
set `$OPENSSL version`
if test "0$2" \< "00.9"; then
    echo Aborted - version of openssl too old, 0.9 or up required.
    exit 1
fi

# Create a 'CA': a self-signed root that will sign the per-host certs.
serial=1
$OPENSSL req -new -nodes -batch \
    -x509 \
    -days 10 -subj '/CN=Da Root/O=SNI testing/' -set_serial $serial \
    -keyout root.key -out root.pem \
    || exit 2

echo '# To append to your hosts file' > hosts

cat > httpd-sni.conf << EOM
# To append to your httpd.conf file
Listen 127.0.0.1:443
NameVirtualHost 127.0.0.1:443
LoadModule ssl_module modules/mod_ssl.so
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
LogLevel debug
TransferLog $PWD/logs/access_log
ErrorLog $PWD/logs/error_log
SSLSessionCache none
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "$PWD/htdocs">
    allow from all
    Require all granted
</Directory>
# The first entry is also the default for non SNI
# supporting clients.
EOM

# One key, cert, docroot, log and vhost per test host.
for n in ape nut jane
do
    FQDN=$n.$DOMAIN
    serial=`expr $serial + 1`
    $OPENSSL req -new -nodes -batch \
        -days 9 -subj "/CN=$FQDN/O=SNI Testing/" \
        -keyout $n.key -out $n.req -batch \
        || exit 3
    $OPENSSL x509 -text -req \
        -CA root.pem -CAkey root.key \
        -set_serial $serial -in $n.req -out $n.pem \
        || exit 4
    # mod_ssl accepts cert and key in one file.
    cat $n.pem $n.key > ssl/$n.crt
    rm $n.req $n.key $n.pem
    LST="$LST
https://$FQDN/index.html"
    echo "127.0.0.1 $FQDN $n" >> hosts
    mkdir -p htdocs/$n
    echo We are $FQDN > htdocs/$n/index.html
    cat >> httpd-sni.conf << EOM
<VirtualHost 127.0.0.1:443>
    SSLEngine On
    ServerName $FQDN:443
    DocumentRoot $PWD/htdocs/$n
    SSLCertificateChainFile $PWD/root.pem
    SSLCertificateFile $PWD/ssl/$n.crt
    TransferLog $PWD/logs/$n
</VirtualHost>
EOM
done

cat << EOM

SNI Files generated
===================

The directory $PWD/sni has been populated with the following

  - root.key|pem  Certificate authority root and key
  - hosts         /etc/hosts file with fake entries for the hosts
  - htdocs        directory with one docroot for each domain,
                  each with a small sample file.
  - ssl           directory with an ssl cert (signed by root)
                  for each of the domains.
  - logs          logfiles, one for each domain and an
                  access_log for any misses.

SNI Test
========

A directory $PWD/sni has been created. Run an apache
server against it with

    .../httpd -f $PWD/httpd-sni.conf

and keep an eye on $PWD/logs/... Note that you will see entries
like

    [Mon Feb 11 16:12:26 2008] [debug] Init:
        SSL server IP/port overlap: ape.*:443 (httpd-sni.conf:24) vs.
        jane.*:443 (httpd-sni.conf:42)

and a concluding warning

    [Mon Feb 11 16:12:26 2008] [warn] Init:
        Name-based SSL virtual hosts only work for clients with TLS
        server name indication support (RFC 4366)

If you see an entry like

    [Mon Feb 11 15:41:41 2008] [warn] Init:
        You should not use name-based virtual hosts in conjunction
        with SSL!!

then you are either using an OpenSSL which is too old, or you need to
ensure that the TLS Extensions are compiled into openssl with the
'enable-tlsext' flag.

Meanwhile add 'hosts' to your c:\windows\system32\drivers\etc\hosts
or /etc/hosts file as to point the various URLs to your server:
$LST

and verify that each returns its own name (and an entry in its
own $PWD/logs file).
EOM

exit 0
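A companion check, added here and not part of Dw's script, that verifies the same thing at the TLS layer instead of through a browser: each server name must get back its own certificate, and a client that sends no SNI must get the first VirtualHost's (ape) certificate. It assumes the DOMAIN convention above and an httpd listening on 127.0.0.1:443 (CONNECT overrides that); the -noservername switch is only used when the local s_client advertises it.

```shell
#!/bin/sh
# Added example (not from the original post): once httpd runs against the
# generated httpd-sni.conf, confirm per-name certificates and the no-SNI
# fallback. Same DOMAIN convention as the generator script; server address
# is assumed to be 127.0.0.1:443 unless CONNECT says otherwise.
OPENSSL=${OPENSSL:-openssl}
DOMAIN=${DOMAIN:-$(hostname | sed -e 's/^[^\.]*\.//g')}
CONNECT=${CONNECT:-127.0.0.1:443}

# Extract the CN from an "openssl x509 -noout -subject" line. Handles both the
# old "subject= /CN=foo/O=bar" and the newer "subject=CN = foo, O = bar" layout.
cn_from_subject() {
    echo "$1" | sed -n \
        -e 's%^subject= */.*CN=\([^/]*\).*$%\1%p' \
        -e 's%^subject= *.*CN *= *\([^,]*\).*$%\1%p' | head -n 1
}

# Print the CN of the leaf certificate served for server name $2 at $1.
# An empty $2 means "send no SNI extension at all".
served_cn() {
    if [ -n "$2" ]; then
        _opt="-servername $2"
    elif $OPENSSL s_client -help 2>&1 | grep -q noservername; then
        _opt=-noservername   # 1.1.1+ sends SNI by default; switch it off
    else
        _opt=""              # older s_client sends no SNI unless asked to
    fi
    _subj=$(echo | $OPENSSL s_client -connect "$1" $_opt 2>/dev/null \
        | $OPENSSL x509 -noout -subject 2>/dev/null)
    cn_from_subject "$_subj"
}

# Exercise all three names plus the no-SNI fallback; non-zero on any miss.
check_all() {
    _fail=0
    for n in ape nut jane; do
        _want=$n.$DOMAIN
        _got=$(served_cn "$CONNECT" "$_want")
        [ "$_got" = "$_want" ] && echo "ok   SNI $_want -> $_got" \
            || { echo "FAIL SNI $_want -> '$_got'"; _fail=1; }
    done
    _got=$(served_cn "$CONNECT" "")
    [ "$_got" = "ape.$DOMAIN" ] && echo "ok   no SNI -> $_got (default vhost)" \
        || { echo "FAIL no SNI -> '$_got', expected ape.$DOMAIN"; _fail=1; }
    return $_fail
}

# Only talk to the network when explicitly asked: sh sni-check.sh run
case "${1:-}" in run) check_all ;; esac
```

A FAIL on the no-SNI line with a correct name elsewhere usually means the vhost order in httpd-sni.conf changed, since mod_ssl hands non-SNI clients the first VirtualHost for that address and port.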