openssl-demo-server

Example program to implement a TLS server. It was written for demonstration and educational purposes.

Pre-requisites:

OpenSSL version 1.1.0 or later
getdns library, for getdns version

Features:

OCSP stapling
DNSSEC Authentication chain extension
session resumption
4 x 100 at SSLlabs given the right key and certificate is used
chroot operation possible
setuid(non root user) possible

Limitations:

can't specify to listen in IPv4 only if IPv6 is available
proxy-mode: destination must be an IPv4 address

Source:

based on sample code "Simple_TLS_Server" from https://wiki.openssl.org/
DNSSEC Authentication chain extension based on the implementation of Shumon Huque available at https://github.com/shuque/chainserver
session resumption worked after I read https://nachtimwald.com/2014/10/05/server-side-session-cache-in-openssl/
OCSP implementation was copied from nginx

general Build:

$ make
cc -Wall -Wextra -Wpedantic   -c -o main.o main.c
cc -Wall -Wextra -Wpedantic   -c -o ocsp-stapling.o ocsp-stapling.c
cc -Wall -Wextra -Wpedantic   -c -o dnssec-chain-extension.o dnssec-chain-extension.c
cc -Wall -Wextra -Wpedantic  -lssl -lcrypto -lgetdns -o openssl-demo-server main.o ocsp-stapling.o dnssec-chain-extension.o

personal Build:

$ export DEB_BUILD_MAINT_OPTIONS='hardening=+all'
$ export CFLAGS="$( dpkg-buildflags --get CFLAGS ) $( dpkg-buildflags --get CPPFLAGS )"
$ export LDFLAGS="$( dpkg-buildflags --get LDLAGS )"
$ export LIBS='-lssl-dv -lcrypto-dv -lgetdns'
$ make -B

Usage:

# /path/to/openssl-demo-server -h

Usage: openssl-demo-server [options]

  -h                  print this help message
  -sname  <name>      server name               default: dubai.signing-milter.org
  -port   <port>      server port               default: 443
  -cert   <file>      server certificate file   default: ./cert+intermediate.pem
  -key    <file>      server private key file   default: ./key.pem
  -oscp   <file>      server ocsp response file default: ./ocsp.response
  -chroot <dir>       chroot to directory       default: don't chroot
  -user   <name>      switch to that user       default: don't switch user
  -proxy  <ip>:<port> IPv4 address and port to forward to

If the program cannot access the OCSP response file OCSP will be not used.

Bugs:

I'm sure there are some! For that reason: DO NOT USE that software on a production level system!

Name		Name	Last commit message	Last commit date
Latest commit History 32 Commits
BUGS		BUGS
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
dnssec-chain-extension.c		dnssec-chain-extension.c
dnssec-chain-extension.h		dnssec-chain-extension.h
main.c		main.c
ocsp-stapling.c		ocsp-stapling.c
ocsp-stapling.h		ocsp-stapling.h
proxy.c		proxy.c
proxy.h		proxy.h

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

openssl-demo-server

Pre-requisites:

Features:

Limitations:

Source:

general Build:

personal Build:

Usage:

Bugs:

About

Releases

Packages

Languages

License

paulwouters/openssl-demo-server

Folders and files

Latest commit

History

Repository files navigation

openssl-demo-server

Pre-requisites:

Features:

Limitations:

Source:

general Build:

personal Build:

Usage:

Bugs:

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages