Implement SSL server with OpenSSL backend / still flaky

2019-10-01 15:43:37 -07:00
parent d60f5de231
commit de87fa34dc
9 changed files with 339 additions and 14 deletions
--- a/ws/generate_certs.sh
+++ b/ws/generate_certs.sh
@ -0,0 +1,104 @@
+#!/bin/bash
+
+set -eo pipefail
+
+
+generate_key() {
+    local path=${1}
+    local base=${2}
+    local type=${3:-'rsa'} # "ec" or "rsa"
+    
+    mkdir -p ${path}
+    if [[ "${type}" == "rsa" ]]; then
+        openssl genrsa -out "${path}/${base}-key.pem"
+    elif [[ "${type}" == "ec" ]]; then
+        openssl ecparam -genkey -param_enc named_curve -name prime256v1 -out "${path}/${base}-key.pem"
+    else
+        echo "Error: usage: type (param \$2) should be 'rsa' or 'ec'" >&2 && exit 1
+    fi
+    echo "generated ${path}/${base}-key.pem"
+}
+
+generate_ca() {
+    local path="${1}"
+    local base="${2:-'root-ca'}"
+    local type="${3:-'rsa'}" # "ec" or "rsa"
+    local org="${4:-'/O=machinezone/O=IXWebSocket'}"
+    
+    mkdir -p ${path}
+
+    generate_key "${path}" "${base}" "${type}"
+
+    openssl req -new -x509 -sha256 -days 3650 \
+        -reqexts v3_req -extensions v3_ca \
+        -subj "${org}/CN=${base}" \
+        -key "${path}/${base}-key.pem" \
+        -out "${path}/${base}-crt.pem"
+
+    echo "generated ${path}/${base}-crt.pem"
+}
+
+generate_cert() {
+    local path="$1"
+    local base="$2"
+    local cabase="$3"
+    local type="${4:-'rsa'}" # "ec" or "rsa"
+    local org="${5:-'/O=machinezone/O=IXWebSocket'}"
+    local san="${6:-'DNS:localhost,DNS:127.0.0.1'}"
+
+    mkdir -p ${path}
+
+    generate_key "${path}" "${base}" "${type}"
+
+    openssl req -new -sha256 \
+        -key "${path}/${base}-key.pem" \
+        -subj "${org}/CN=${base}" \
+        -out "${path}/${base}.csr"
+    
+
+    if [ "${base}" == "${cabase}" ]; then
+        # self-signed
+        openssl x509 -req -in "${path}/${base}.csr" \
+            -signkey "${path}/${base}-key.pem" -days 365 -sha256 \
+            -extfile <(printf "subjectAltName=${san}") \
+            -outform PEM -out "${path}/${base}-crt.pem" 
+    else
+        openssl x509 -req -in ${path}/${base}.csr \
+            -CA "${path}/${cabase}-crt.pem" \
+            -CAkey "${path}/${cabase}-key.pem" \
+            -CAcreateserial -days 365 -sha256 \
+            -extfile <(printf "subjectAltName=${san}") \
+            -outform PEM -out "${path}/${base}-crt.pem"
+    fi
+
+    rm -f ${path}/${base}.csr
+    echo "generated ${path}/${base}-crt.pem"
+}
+
+# main
+
+outdir=${1:-'./.certs'}
+type=${2:-'rsa'}
+org=${3:-'/O=machinezone/O=IXWebSocket'}
+
+if ! which openssl &>/dev/null; then
+    
+    if ! grep -qa -E 'docker|lxc' /proc/1/cgroup; then
+        # launch a container with openssl and run this script there
+        docker run --rm -i -v $(pwd):/work alpine sh -c "apk add bash openssl && /work/generate_certs.sh /work/${outdir} && chown -R $(id -u):$(id -u) /work/${outdir}"
+    else
+        echo "Please install openssl in this container to generate test certs, or launch outside of docker" >&2 && exit 1
+    fi
+else
+    
+    generate_ca   "${outdir}" "trusted-ca" "${type}" "${org}"
+    
+    generate_cert "${outdir}" "trusted-server" "trusted-ca" "${type}" "${org}"
+    generate_cert "${outdir}" "trusted-client" "trusted-ca" "${type}" "${org}"
+
+    generate_ca   "${outdir}" "untrusted-ca" "${type}" "${org}"
+
+    generate_cert "${outdir}" "untrusted-client"  "untrusted-ca"        "${type}" "${org}"
+    generate_cert "${outdir}" "selfsigned-client" "selfsigned-client" "${type}" "${org}"
+
+fi
--- a/ws/ws.cpp
+++ b/ws/ws.cpp
@ -28,6 +28,10 @@ int main(int argc, char** argv)
    ix::IXCoreLogger::LogFunc logFunc = [](const char* msg) { spdlog::info(msg); };
    ix::IXCoreLogger::setLogFunction(logFunc);

+#ifndef _WIN32
+    signal(SIGPIPE, SIG_IGN);
+#endif
+
    // Display command.
    if (getenv("DEBUG"))
    {
@ -80,6 +84,7 @@ int main(int argc, char** argv)
    bool binaryMode = false;
    bool redirect = false;
    bool version = false;
+    bool verifyNone = false;
    int port = 8008;
    int redisPort = 6379;
    int statsdPort = 8125;
@ -91,7 +96,7 @@ int main(int argc, char** argv)
    int jobs = 4;
    uint32_t maxWaitBetweenReconnectionRetries;

-    auto addTLSOptions = [&tlsOptions](CLI::App* app) {
+    auto addTLSOptions = [&tlsOptions, &verifyNone](CLI::App* app) {
        app->add_option(
               "--cert-file", tlsOptions.certFile, "Path to the (PEM format) TLS cert file")
            ->check(CLI::ExistingPath);
@ -102,9 +107,8 @@ int main(int argc, char** argv)
        app->add_option("--ciphers",
                        tlsOptions.ciphers,
                        "A (comma/space/colon) separated list of ciphers to use for TLS");
-        app->add_flag("--tls",
-                      tlsOptions.tls,
-                      "Enable TLS");
+        app->add_flag("--tls", tlsOptions.tls, "Enable TLS (server only)");
+        app->add_flag("--verify_none", verifyNone, "Disable peer cert verification");
    };

    app.add_flag("--version", version, "Connection url");
@ -294,6 +298,11 @@ int main(int argc, char** argv)
        f.close();
    }

+    if (verifyNone)
+    {
+        tlsOptions.caFile = "NONE";
+    }
+
    int ret = 1;
    if (app.got_subcommand("transfer"))
    {