вторник, 23 февраля 2010 г.

Ограничение доступа по SSL сертификатам

Tcl (Тикль): пакет tcl-tls. См. в tls.htm следующее: tls::status — информация о сертификате; секция CALLBACK OPTIONS — как установить обработчик, который получит в том числе её (подкоманда verify).

Сервер: stunnel4, ucspi-ssl, ipsvd.

Пример использования ucspi-ssl:
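# Diffie-Hellman parameters for the server. The original setup used 1024 bits;
# that size is weak by current standards (2048 or more is the usual guidance),
# so the size is a parameter (DH_BITS) with the original value as the default.
dh_bits=${DH_BITS:-1024}
dh_file="dh${dh_bits}.pem"
openssl dhparam -out "${dh_file}" "${dh_bits}"

# "openssl rsa -out" writes the password-less private key with the ordinary
# umask permissions; make the key files below readable by their owner only.
# The umask is inherited by sslserver and its child program (presumably
# fnord-idx only reads files, so this does not affect it).
umask 077

# drop password from exported server PEM certificate with key
openssl rsa -in 127.0.0.1-cert.pem -out 127.0.0.1-cert.pem.plain
# start server
# CAFILE and CCAFILE both point at the issuing CA; presumably the client
# certificate is verified against it (the SSL_CLIENT_I_DN in the dump below
# is that CA) — confirm the exact role of each variable and of the
# -RHl0 -is options against the ucspi-ssl sslserver documentation.
CAFILE=MBG_CA-cacert.pem CCAFILE=MBG_CA-cacert.pem CERTFILE=127.0.0.1-cert.pem \
KEYFILE=127.0.0.1-cert.pem.plain DHFILE="${dh_file}" \
sslserver -RHl0 -is 0 9999 /usr/sbin/fnord-idx .

# drop password from exported client PEM certificate with key
openssl rsa -in client01-cert.pem -out client01-cert.pem.plain
# start client (-c certificate, -k password-less key, -a CA to verify the server)
https@ 127.0.0.1 / 9999 -c client01-cert.pem -k client01-cert.pem.plain -a MBG_CA-cacert.pem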

# Environment seen by the program sslserver runs after the TLS handshake; the
# value of `_` at the end suggests this listing was taken from that child
# process. The SSL_CLIENT_* variables describe the certificate the client
# presented and are the values an access-control check in the child program
# can use; the SSL_SERVER_* variables describe the server's own certificate.
# NOTE(review): when authorizing on these values, presumably both the issuer
# (SSL_CLIENT_I_DN) and the subject (SSL_CLIENT_S_DN) should be compared,
# not the CN alone, so that an identical CN issued by another CA that may be
# listed in CAFILE is not accepted — confirm against the ucspi-ssl docs.
export CAFILE="MBG_CA-cacert.pem"
export CCAFILE="MBG_CA-cacert.pem"
export CERTFILE="127.0.0.1-cert.pem"
export SSLLOCALHOST="0"
export SSLLOCALIP="127.0.0.1"
export SSLLOCALPORT="9999"
export SSLREMOTEIP="127.0.0.1"
export SSLREMOTEPORT="36681"
export SSL_CIPHER="DHE-RSA-AES256-SHA"
export SSL_CIPHER_ALGKEYSIZE="256"
export SSL_CIPHER_EXPORT="false"
export SSL_CIPHER_USEKEYSIZE="256"
export SSL_CLIENT_A_KEY="rsaEncryption"
export SSL_CLIENT_A_SIG="sha1WithRSAEncryption"
# Certificate bodies are elided ("...") in this listing.
export SSL_CLIENT_CERT="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"
# NOTE(review): the next three lines look like a copy/paste artifact (a second
# "...", END marker and quote); they are not a valid assignment.
...
-----END CERTIFICATE-----
"
# Issuer (I_DN) of the client certificate — the MBG CA from CAFILE above.
export SSL_CLIENT_I_DN="/C=RU/ST=Nizhny Novgorod Region/L=Nizhny Novgorod/O=Mobile Business Group/OU=Software Development/CN=MBG/emailAddress=support@mobigroup.ru"
export SSL_CLIENT_I_DN_C="RU"
export SSL_CLIENT_I_DN_CN="MBG"
export SSL_CLIENT_I_DN_Email="support@mobigroup.ru"
export SSL_CLIENT_I_DN_L="Nizhny Novgorod"
export SSL_CLIENT_I_DN_O="Mobile Business Group"
export SSL_CLIENT_I_DN_OU="Software Development"
export SSL_CLIENT_I_DN_ST="Nizhny Novgorod Region"
export SSL_CLIENT_M_SERIAL="2"
export SSL_CLIENT_M_VERSION="3"
# Subject (S_DN) of the client certificate; CN is the client's identity.
export SSL_CLIENT_S_DN="/C=RU/ST=Nizhny Novgorod Region/L=Nizhny Novgorod/O=Mobile Business Group/OU=Software Development/CN=client01"
export SSL_CLIENT_S_DN_C="RU"
export SSL_CLIENT_S_DN_CN="client01"
export SSL_CLIENT_S_DN_L="Nizhny Novgorod"
export SSL_CLIENT_S_DN_O="Mobile Business Group"
export SSL_CLIENT_S_DN_OU="Software Development"
export SSL_CLIENT_S_DN_ST="Nizhny Novgorod Region"
# Validity period of the client certificate.
export SSL_CLIENT_V_END="Nov 19 17:18:47 2012 GMT"
export SSL_CLIENT_V_START="Feb 23 17:18:47 2010 GMT"
export SSL_PROTOCOL="TLSv1"
export SSL_SERVER_A_KEY="rsaEncryption"
export SSL_SERVER_A_SIG="sha1WithRSAEncryption"
export SSL_SERVER_CERT="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"
export SSL_SERVER_I_DN="/C=RU/ST=Nizhny Novgorod Region/L=Nizhny Novgorod/O=Mobile Business Group/OU=Software Development/CN=MBG/emailAddress=support@mobigroup.ru"
export SSL_SERVER_I_DN_C="RU"
export SSL_SERVER_I_DN_CN="MBG"
export SSL_SERVER_I_DN_Email="support@mobigroup.ru"
export SSL_SERVER_I_DN_L="Nizhny Novgorod"
export SSL_SERVER_I_DN_O="Mobile Business Group"
export SSL_SERVER_I_DN_OU="Software Development"
export SSL_SERVER_I_DN_ST="Nizhny Novgorod Region"
export SSL_SERVER_M_SERIAL="5"
export SSL_SERVER_M_VERSION="3"
export SSL_SERVER_S_DN="/C=RU/ST=Nizhny Novgorod Region/L=Nizhny Novgorod/O=Mobile Business Group/OU=Software Development/CN=127.0.0.1"
export SSL_SERVER_S_DN_C="RU"
export SSL_SERVER_S_DN_CN="127.0.0.1"
export SSL_SERVER_S_DN_L="Nizhny Novgorod"
export SSL_SERVER_S_DN_O="Mobile Business Group"
export SSL_SERVER_S_DN_OU="Software Development"
export SSL_SERVER_S_DN_ST="Nizhny Novgorod Region"
export SSL_SERVER_V_END="Nov 19 19:43:16 2012 GMT"
export SSL_SERVER_V_START="Feb 23 19:43:16 2010 GMT"
export SSL_SESSION_ID="f04e24260747ff1784c054e4465de6b3c9ca75b6b9e2c37acfec937aad0d5350"
export SSL_VERSION_INTERFACE="ucspi-ssl"
export SSL_VERSION_LIBRARY="OpenSSL 0.9.8k 25 Mar 2009"
export _="/usr/bin/sslserver"

Для управления сертификатами удобен пакет tinyca. Команда tinyca2 запустит простой и понятный интерфейс.

Для просмотра содержимого (и преобразования форматов) можно воспользоваться следующими командами:
# Print the server key, the CSR, the CA key and the CA certificate in readable
# form. Same four openssl invocations as before, driven by a "subcommand:file"
# list. Note that "rsa -text" on a key prints the private key components, so
# keep that output out of logs and pastes.
for item in rsa:server.key req:server.csr rsa:ca.key x509:ca.crt; do
  openssl "${item%%:*}" -noout -text -in "${item#*:}"
done

Подробнее см. по ссылке: Creating Certificate Authorities and self-signed SSL certificates


Upd. OpenSSL



(C) Alexey Pechnikov aka MBG, mobigroup.ru