openssl-demo-server

Example program that implements a TLS server on top of OpenSSL. It was written for demonstration and educational purposes.

Pre-requisites:

Features:

  • OCSP stapling
  • DNSSEC authentication chain extension
  • session resumption
  • 4 x 100 at SSL Labs, given that the right key and certificate are used
  • chroot operation possible
  • setuid to a non-root user possible

Limitations:

  • cannot be told to listen on IPv4 only when IPv6 is available
  • proxy mode: the destination must be an IPv4 address

Source:

General build:

$ make
cc -Wall -Wextra -Wpedantic   -c -o main.o main.c
cc -Wall -Wextra -Wpedantic   -c -o ocsp-stapling.o ocsp-stapling.c
cc -Wall -Wextra -Wpedantic   -c -o dnssec-chain-extension.o dnssec-chain-extension.c
cc -Wall -Wextra -Wpedantic  -lssl -lcrypto -lgetdns -o openssl-demo-server main.o ocsp-stapling.o dnssec-chain-extension.o

Personal build (Debian hardening flags; the original had a typo, LDLAGS, in the LDFLAGS line):

$ export DEB_BUILD_MAINT_OPTIONS='hardening=+all'
$ export CFLAGS="$( dpkg-buildflags --get CFLAGS ) $( dpkg-buildflags --get CPPFLAGS )"
$ export LDFLAGS="$( dpkg-buildflags --get LDFLAGS )"
$ export LIBS='-lssl-dv -lcrypto-dv -lgetdns'
$ make -B

Usage:

# /path/to/openssl-demo-server -h

Usage: openssl-demo-server [options]

  -h                  print this help message
  -sname  <name>      server name               default: dubai.signing-milter.org
  -port   <port>      server port               default: 443
  -cert   <file>      server certificate file   default: ./cert+intermediate.pem
  -key    <file>      server private key file   default: ./key.pem
  -oscp   <file>      server ocsp response file default: ./ocsp.response
  -chroot <dir>       chroot to directory       default: don't chroot
  -user   <name>      switch to that user       default: don't switch user
  -proxy  <ip>:<port> IPv4 address and port to forward to

If the program cannot read the OCSP response file, OCSP stapling is not used.
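The -chroot and -user options are the classic chroot-then-setuid privilege drop, and the order of the calls is where such code usually goes wrong. The following is an added example, not code from openssl-demo-server, showing the sequence a reviewer should look for: resolve the user while /etc/passwd is still reachable, chroot() and then chdir("/"), drop supplementary groups before the gid and the uid, and finally verify that root cannot be regained. The function names and the decision to refuse a "drop" to uid 0 are this example's own choices.

```c
/*
 * Added example (not part of openssl-demo-server): a privilege-drop
 * routine of the kind behind "-chroot <dir>" and "-user <name>".
 * Call it only after all privileged setup is finished (port 443 bound,
 * private key read), because nothing after it can be undone.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* chroot(), setgroups() prototypes on glibc/musl */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve a user name to uid/gid. Must run BEFORE chroot(): inside the
 * jail getpwnam() can no longer read /etc/passwd and silently fails.
 * Returns 0 on success, -1 if the user is unknown or the name is empty. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw;

    if (name == NULL || *name == '\0')
        return -1;
    errno = 0;
    pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* dir may be NULL (no chroot), user may be NULL (no uid change).
 * Returns 0 on success, -1 on any failure; errno is left as set by the
 * failing call. After a failure the process is in an undefined mix of
 * old and new privileges and the caller should exit, not continue. */
int drop_privileges(const char *dir, const char *user)
{
    uid_t uid = 0;
    gid_t gid = 0;

    /* 1. User lookup first, while NSS files are still visible. */
    if (user != NULL) {
        if (lookup_user(user, &uid, &gid) != 0)
            return -1;
        if (uid == 0)
            return -1;      /* "dropping" to root is not a drop */
    }

    /* 2. Enter the jail and move the cwd inside it; a cwd outside the
     *    new root is a well-known chroot escape. */
    if (dir != NULL) {
        if (chroot(dir) != 0)
            return -1;
        if (chdir("/") != 0)
            return -1;
    }

    /* 3. Supplementary groups, then gid, then uid. Once the uid is
     *    unprivileged the two earlier calls would fail, so uid goes last. */
    if (user != NULL) {
        if (setgroups(0, NULL) != 0)
            return -1;
        if (setgid(gid) != 0)
            return -1;
        if (setuid(uid) != 0)
            return -1;

        /* 4. Prove the drop is irreversible: regaining root must fail. */
        if (setuid(0) == 0)
            return -1;
        if (getuid() != uid || geteuid() != uid)
            return -1;
    }
    return 0;
}

/* Stand-alone demo: ./drop [dir] [user]. Run as root to see a real drop. */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : NULL;
    const char *user = argc > 2 ? argv[2] : NULL;

    if (drop_privileges(dir, user) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid %u, gid %u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

As an unprivileged user the routine fails at chroot(), which is the correct outcome; only root can perform the full sequence, and the final setuid(0) check is what distinguishes a real drop from a process that merely changed its effective uid and can switch back.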

Bugs:

I'm sure there are some! For that reason: DO NOT USE this software on a production-level system!