From d562ece62ca1b6fadf2c796c44135b00cc04180d Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Wed, 6 Jun 2018 22:19:18 -0600
Subject: [PATCH 1/5] Check CRL in client, use revoked in server
---
 ex1/client.c | 2 ++
 ex1/server.c | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/ex1/client.c b/ex1/client.c
index 70ce013..e61e08c 100644
--- a/ex1/client.c
+++ b/ex1/client.c
@@ -91,6 +91,8 @@ int main(int argc, char *argv[])
 errx(1, "unable to allocate TLS config");
 if (tls_config_set_ca_file(tls_cfg, "../CA/root.pem") == -1)
 errx(1, "unable to set root CA file");
+ if (tls_config_set_crl_file(tls_cfg, "../CA/intermediate/crl/intermediate.crl.pem") == -1)
+ errx(1, "unable to set crl file");
 /* ok now get a socket. we don't care where... */
 if ((sd=socket(AF_INET,SOCK_STREAM,0)) == -1)
diff --git a/ex1/server.c b/ex1/server.c
index c28b44b..e3c9330 100644
--- a/ex1/server.c
+++ b/ex1/server.c
@@ -96,10 +96,17 @@ int main(int argc, char *argv[])
 errx(1, "unable to allocate TLS config");
 if (tls_config_set_ca_file(tls_cfg, "../CA/root.pem") == -1)
 errx(1, "unable to set root CA filet");
+#if 0
 if (tls_config_set_cert_file(tls_cfg, "../CA/server.crt") == -1)
 errx(1, "unable to set TLS certificate file");
 if (tls_config_set_key_file(tls_cfg, "../CA/server.key") == -1)
 errx(1, "unable to set TLS key file");
+#else
+ if (tls_config_set_cert_file(tls_cfg, "../CA/revoked.crt") == -1)
+ errx(1, "unable to set TLS certificate file");
+ if (tls_config_set_key_file(tls_cfg, "../CA/revoked.key") == -1)
+ errx(1, "unable to set TLS key file");
+#endif
 if ((tls_ctx = tls_server()) == NULL)
 errx(1, "tls server creation failed");
 if (tls_configure(tls_ctx, tls_cfg) == -1)
From 7bf01ff5350e6c3e0952b8c6eddf7519425ce7bc Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Wed, 6 Jun 2018 22:26:39 -0600
Subject: [PATCH 2/5] make server do ocsp staple, and client show it
---
 ex1/Makefile | 3 +++
 ex1/client.c | 5 +++++
 ex1/server.c | 8 +++++++-
 3 files changed, 15 insertions(+), 1 deletion(-)
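Review bot: In the ex1/client.c hunk of [PATCH 1/5], the added `tls_config_set_crl_file()` call takes its CRL from a file that is read when the config is built and that, going by its path, covers the intermediate CA only, so the client knows just the revocations recorded in that file at that moment. A comment above the call, e.g. `/* CRL is loaded once at startup; regenerate the file and restart to pick up new revocations */`, would record that limit. The failure branch also drops the library's reason; `errx(1, "unable to set crl file: %s", tls_config_error(tls_cfg));` would report it. main() begins and ends outside the hunk.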
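Review bot: In the ex1/server.c hunk of [PATCH 1/5], the `#if 0`/`#else` switch makes the revoked certificate and key what the server presents by default, and the only way back is to edit the source. A named toggle would keep server.crt as the default and say why the alternative exists: `#ifdef USE_REVOKED_CERT` around the revoked.crt/revoked.key pair, with the server.crt/server.key pair under `#else`. USE_REVOKED_CERT is a name suggested here, not one the project defines. main() begins and ends outside the hunk.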
diff --git a/ex1/Makefile b/ex1/Makefile
index a01df18..a7fccdc 100644
--- a/ex1/Makefile
+++ b/ex1/Makefile
@@ -4,5 +4,8 @@ LDLIBS += -ltls -lssl -lcrypto
 all: client server
+client: client.o report_tls.o
+ $(CC) $(CFLAGS) -o client client.o report_tls.o $(LDLIBS)
+
 clean:
 /bin/rm -f client server *.o
diff --git a/ex1/client.c b/ex1/client.c
index e61e08c..cc897ba 100644
--- a/ex1/client.c
+++ b/ex1/client.c
@@ -32,6 +32,7 @@
 #include
 #include
+extern void report_tls(struct tls * tls_ctx, char * host);
 static void usage()
@@ -91,8 +92,10 @@ int main(int argc, char *argv[])
 errx(1, "unable to allocate TLS config");
 if (tls_config_set_ca_file(tls_cfg, "../CA/root.pem") == -1)
 errx(1, "unable to set root CA file");
+#if 0
 if (tls_config_set_crl_file(tls_cfg, "../CA/intermediate/crl/intermediate.crl.pem") == -1)
 errx(1, "unable to set crl file");
+#endif
 /* ok now get a socket. we don't care where... */
 if ((sd=socket(AF_INET,SOCK_STREAM,0)) == -1)
@@ -117,6 +120,8 @@ int main(int argc, char *argv[])
 tls_error(tls_ctx));
 } while (i == TLS_WANT_POLLIN || i == TLS_WANT_POLLOUT);
+ report_tls(tls_ctx, "localhost");
+
 /*
 * finally, we are connected. find out what magnificent wisdom
 * our server is going to send to us - since we really don't know
diff --git a/ex1/server.c b/ex1/server.c
index e3c9330..33ee283 100644
--- a/ex1/server.c
+++ b/ex1/server.c
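Review bot: In the first ex1/client.c hunk of [PATCH 2/5], `report_tls` is declared by hand with `extern` inside client.c, so the compiler cannot check this prototype against the definition in report_tls.c. Moving the declaration into a small header included by both files would catch a mismatch at build time. The call added in the third hunk passes a string literal as `host`; if report_tls.c does not write through that pointer, `const char *host` would be the safer parameter type.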
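Review bot: In the second ex1/client.c hunk of [PATCH 2/5], wrapping the CRL call in `#if 0` leaves the visible client code with no enforced revocation check: the staple is only reported after the handshake by `report_tls()`, and a server that sends no staple would presumably still be accepted. If the client is meant to depend on stapling, adding `tls_config_ocsp_require_stapling(tls_cfg);` before the connection is made turns a missing staple into a handshake failure. Otherwise a comment on the `#if 0`, e.g. `/* CRL check disabled for the OCSP stapling exercise */`, would mark the omission as deliberate. main() begins and ends outside the hunk.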
@@ -96,16 +96,22 @@ int main(int argc, char *argv[])
 errx(1, "unable to allocate TLS config");
 if (tls_config_set_ca_file(tls_cfg, "../CA/root.pem") == -1)
 errx(1, "unable to set root CA filet");
-#if 0
+#if 1
 if (tls_config_set_cert_file(tls_cfg, "../CA/server.crt") == -1)
 errx(1, "unable to set TLS certificate file");
 if (tls_config_set_key_file(tls_cfg, "../CA/server.key") == -1)
 errx(1, "unable to set TLS key file");
+ if (tls_config_set_ocsp_staple_file(tls_cfg, "../CA/server.crt-ocsp.der") == -1)
+ errx(1, "unable to set OCSP staple file");
 #else
 if (tls_config_set_cert_file(tls_cfg, "../CA/revoked.crt") == -1)
 errx(1, "unable to set TLS certificate file");
 if (tls_config_set_key_file(tls_cfg, "../CA/revoked.key") == -1)
 errx(1, "unable to set TLS key file");
+ if (tls_config_set_ocsp_staple_file(tls_cfg, "../CA/server.crt-ocsp.der") == -1)
+ errx(1, "unable to set OCSP staple file");
+ if (tls_config_set_ocsp_staple_file(tls_cfg, "../CA/revoked.crt-ocsp.der") == -1)
+ errx(1, "unable to set OCSP staple file");
 #endif
 if ((tls_ctx = tls_server()) == NULL)
 errx(1, "tls server creation failed");
From 9185ccaaad20061e9d249c15b40a2bef26627113 Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Thu, 7 Jun 2018 09:42:58 -0600
Subject: [PATCH 3/5] fix
---
 ex1/README.md | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/ex1/README.md b/ex1/README.md
index 15920af..bf035ba 100644
--- a/ex1/README.md
+++ b/ex1/README.md
@@ -6,7 +6,7 @@ As you may note, what is in here is exactly what you got for the review exercies
 The reason is simple, your task here is to make the client and server here speak TLS!
-### Exercise 1a:
+# Exercise 1a:
 For a first step Make the client connect anonymously, and validate the server's certificate.
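Review bot: In the ex1/server.c hunk of [PATCH 2/5], the staple set in the `#if 1` branch comes from a file read once while the config is built, so the server keeps sending the same OCSP response until it is restarted with a fresh file; OCSP responses carry a validity window, and clients that check the staple are expected to reject one that has expired. A comment above the call, e.g. `/* static staple: re-run ../CA/ocspfetch.sh and restart before the response expires */`, would record that. main() begins and ends outside the hunk.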
@@ -16,7 +16,7 @@ For a first step Make the client connect anonymously, and validate the server's
 Stop at the point that you get the client talking to the server. Other exercises below will build upon this.
-### Exercise 1b
+# Exercise 1b
 As a follow on to 1a, modify your program (or my solution) so the server insists on client verification, and the client provides the certificate from ../CA/client.[crt|key]
@@ -27,21 +27,25 @@ Now modify the client and the server to print out details of each other's certif
 after the handshake - Make use of the function in report_tls.c if you like, and add it to your code.
-### Exercise 1r
+# Exercise 1r
-###CRL use
+### CRL use
 For certificate verification, modify your program so that the client supports a CRL list. The CRL for your certificates is located in ../CA/intermediate/crl/intermediate.crl.pem. Start your server up using ../CA/revoked.[key|crt] instead of server.crt. Try to connect to it when using the CRL and not using the CRL.
-###OCSP Stapling
+### OCSP Stapling
-Modify your server to use an OCSP staple file. You can fetch an ocsp staple for your server.crt
-by running the ocsp server in ../CA/ocspserver.sh, then connecting to it using ../CA/ocspfetch.sh server.crt - which will retreive a server.crt-ocsp.der file This can be used as the input file for [tls_config_set_ocsp_staple_file](http://man.openbsd.org/tls_config_set_ocsp_staple_file.3)
+Modify your server to use an OCSP staple file. Set your server up to use server.crt, then you can fetch an ocsp staple for server.crt by first:
-Modify your client to check for the OCSP staple, or to require it. - connect up and see what happens.
+- running the ocsp server in ../CA/ocspserver.sh, and then
+- connecting to it using ../CA/ocspfetch.sh server.crt
+
+This which will retreive a server.crt-ocsp.der file. The der file can be used as the input file for a call to [tls_config_set_ocsp_staple_file](http://man.openbsd.org/tls_config_set_ocsp_staple_file.3) in your server code.
+
+Modify your client to check for the OCSP staple and show it, or to require it. - connect up and see what happens.
 If you have time you can try the same thing with the revoked certificate in the server.
From bd7b81335bc8a7bdd3c37f53f5552edb3e9ca39f Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Thu, 7 Jun 2018 21:02:40 -0600
Subject: [PATCH 4/5] fix double staple
---
 ex1/server.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/ex1/server.c b/ex1/server.c
index 33ee283..f3b98fc 100644
--- a/ex1/server.c
+++ b/ex1/server.c
@@ -108,8 +108,6 @@ int main(int argc, char *argv[])
 errx(1, "unable to set TLS certificate file");
 if (tls_config_set_key_file(tls_cfg, "../CA/revoked.key") == -1)
 errx(1, "unable to set TLS key file");
- if (tls_config_set_ocsp_staple_file(tls_cfg, "../CA/server.crt-ocsp.der") == -1)
- errx(1, "unable to set OCSP staple file");
 if (tls_config_set_ocsp_staple_file(tls_cfg, "../CA/revoked.crt-ocsp.der") == -1)
 errx(1, "unable to set OCSP staple file");
 #endif
From 5c5543e8e13da487328cff00aca3966a55372f32 Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Thu, 7 Jun 2018 21:15:51 -0600
Subject: [PATCH 5/5] fix md links
---
 TUTORIAL.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/TUTORIAL.md b/TUTORIAL.md
index c0a49a5..5fc6afe 100644
--- a/TUTORIAL.md
+++ b/TUTORIAL.md
@@ -221,11 +221,11 @@ can anonymously connect to the server, validate the cert and do full tls.
 A number of programs in OpenBSD use libtls, examining the source code is often a useful resource
-- [nc](http://man.openbsd.org/nc.1 - [Source code for OpenBSD nc](https://github.com/openbsd/src/tree/master/usr.bin/nc)
-- [httpd](http://man.openbsd.org/httpd.1 - [Source code for OpenBSD httpd](https://github.com/openbsd/src/tree/master/usr.sbin/httpd)
-- [acme-client](http://man.openbsd.org/acme-client.1 - [Source code for OpenBSD acme-client](https://github.com/openbsd/src/tree/master/usr.sbin/acme-client)
-- [acme-client](http://man.openbsd.org/ocspcheck.8 - [Source code for OpenBSD ocspcheck](https://github.com/openbsd/src/tree/master/usr.sbin/ocspcheck)
-- [OpenBSD's libtls regression tests] https://github.com/openbsd/src/tree/master/regress/lib/libtls)
+- [nc](http://man.openbsd.org/nc.1) - [Source code for OpenBSD nc](https://github.com/openbsd/src/tree/master/usr.bin/nc)
+- [httpd](http://man.openbsd.org/httpd.1) - [Source code for OpenBSD httpd](https://github.com/openbsd/src/tree/master/usr.sbin/httpd)
+- [acme-client](http://man.openbsd.org/acme-client.1) - [Source code for OpenBSD acme-client](https://github.com/openbsd/src/tree/master/usr.sbin/acme-client)
+- [acme-client](http://man.openbsd.org/ocspcheck.8) - [Source code for OpenBSD ocspcheck](https://github.com/openbsd/src/tree/master/usr.sbin/ocspcheck)
+- [OpenBSD's libtls regression tests](https://github.com/openbsd/src/tree/master/regress/lib/libtls)