openssl-demo-server

Example program to implement a TLS server. It was written for demonstration and educational purposes.

Pre-requisites

OpenSSL version 1.1.0 or later
getdns library

Features

OCSP stapling
DNSSEC Authentication chain extension
session resumption
4 x 100 at SSLlabs given a valid key and certificate is used
chroot operation possible
setuid(non root user) possible

Limitations

can't specify to listen in IPv4 only if IPv6 is available
proxy-mode: destination must be an IPv4 address

Source

based on sample code "Simple_TLS_Server" from https://wiki.openssl.org/
DNSSEC Authentication chain extension based on the implementation of Shumon Huque available at https://github.com/shuque/chainserver
session resumption worked after I read https://nachtimwald.com/2014/10/05/server-side-session-cache-in-openssl/
OCSP implementation was copied from nginx

general Build

make
cc -Wall -Wextra -Wpedantic -c -o main.o main.c
cc -Wall -Wextra -Wpedantic -c -o ocsp-stapling.o ocsp-stapling.c
cc -Wall -Wextra -Wpedantic -c -o dnssec-chain-extension.o dnssec-chain-extension.c
cc -Wall -Wextra -Wpedantic -lssl -lcrypto -lgetdns -o openssl-demo-server \
  main.o ocsp-stapling.o dnssec-chain-extension.o
...

personal Build

DEB_BUILD_MAINT_OPTIONS='hardening=+all'
CFLAGS="$( dpkg-buildflags --get CFLAGS ) $( dpkg-buildflags --get CPPFLAGS )"
LDFLAGS="$( dpkg-buildflags --get LDLAGS )"
LIBS='-lssl-dv -lcrypto-dv -lgetdns'
export DEB_BUILD_MAINT_OPTIONS CFLAGS LDFLAGS LIBS
make -B

Docker Build

docker build -t openssl-demo-server .

OR

docker-compose build

Usage

# /path/to/openssl-demo-server -h

Usage: openssl-demo-server [options]

  -h                  print this help message
  -sname  <name>      server name               default: openssl-demo-server.example
  -port   <port>      server port               default: 443
  -cert   <file>      server certificate file   default: ./cert+intermediate.pem
  -key    <file>      server private key file   default: ./key.pem
  -oscp   <file>      server ocsp response file default: ./ocsp.response
  -chroot <dir>       chroot to directory       default: don't chroot
  -user   <name>      switch to that user       default: don't switch user
  -proxy  <ip>:<port> IPv4 address and port to forward to

If the program cannot access the OCSP response file OCSP will be not used.

Bugs

I'm sure there are some! For that reason: DO NOT USE that software on a production level system!

Name		Name	Last commit message	Last commit date
Latest commit History 38 Commits
.github/workflows		.github/workflows
BUGS		BUGS
Dockerfile		Dockerfile
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
dnssec-chain-extension.c		dnssec-chain-extension.c
dnssec-chain-extension.h		dnssec-chain-extension.h
docker-compose.yml		docker-compose.yml
main.c		main.c
ocsp-stapling.c		ocsp-stapling.c
ocsp-stapling.h		ocsp-stapling.h
proxy.c		proxy.c
proxy.h		proxy.h

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

openssl-demo-server

Pre-requisites

Features

Limitations

Source

general Build

personal Build

Docker Build

Usage

Bugs

About

Contributors 2

Languages

License

andreasschulze/openssl-demo-server

Folders and files

Latest commit

History

Repository files navigation

openssl-demo-server

Pre-requisites

Features

Limitations

Source

general Build

personal Build

Docker Build

Usage

Bugs

About

Resources

License

Stars

Watchers

Forks

Contributors 2

Languages