Ограничение доступа по SSL сертификатам
Тикль: пакет tcl-tls. См. в tls.htm следующее: tls::status - инфа о сертификате, секция CALLBACK OPTIONS - как повесить обработчик, который получит в том числе её (подкоманда verify).
Сервер: stunnel4, ucspi-ssl, ipsvd.
Пример использования ucspi-ssl:
Для управления сертификатами удобен пакет tinyca. Команда tinyca2 запустит простой и понятный интерфейс.
Для преобразования форматов можно воспользоваться следующими командами:
Подробнее см. по ссылке
Creating Certificate Authorities and self-signed SSL certificates
Upd. OpenSSL
Сервер: stunnel4, ucspi-ssl, ipsvd.
Пример использования ucspi-ssl:
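#!/usr/bin/env bash
# Client-certificate-restricted TLS service with ucspi-ssl: generate DH
# parameters, strip the passphrase from the exported server and client key
# files, start sslserver in front of fnord-idx, then connect with https@.
# The exported *-cert.pem files are expected to contain both the certificate
# and the (encrypted) private key; the *.plain copies hold the key unencrypted.
set -eu

# The *.plain files below are unencrypted private keys: create them without
# group/other read permission (openssl rsa -out honours the current umask).
umask 077

# 1024-bit DH parameters reproduce the original example; this size is weak
# by today's standards -- use 2048 (and rename DHFILE) when the peers allow it.
openssl dhparam -out dh1024.pem 1024

# drop password from exported server PEM certificate with key
openssl rsa -in 127.0.0.1-cert.pem -out 127.0.0.1-cert.pem.plain

# drop password from exported client PEM certificate with key
# (done before the server starts, because sslserver runs in the foreground)
openssl rsa -in client01-cert.pem -out client01-cert.pem.plain

# start server: CAFILE/CCAFILE name the CA file used for the client
# certificates (presumably verification CAs and the CA list advertised to
# the client -- confirm against the sslserver documentation), CERTFILE/KEYFILE
# the server identity, DHFILE the parameters generated above.
# sslserver does not return; run the client step from a second shell.
CAFILE=MBG_CA-cacert.pem CCAFILE=MBG_CA-cacert.pem CERTFILE=127.0.0.1-cert.pem \
  KEYFILE=127.0.0.1-cert.pem.plain DHFILE=dh1024.pem \
  sslserver -RHl0 -is 0 9999 /usr/sbin/fnord-idx .

# start client, presenting client01's certificate and trusting MBG_CA
https@ 127.0.0.1 / 9999 -c client01-cert.pem -k client01-cert.pem.plain -a MBG_CA-cacert.pem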
# Environment handed to the program that sslserver starts (captured on the
# server side -- note `_=/usr/bin/sslserver` at the very end and
# SSL_VERSION_INTERFACE="ucspi-ssl"); certificate bodies are elided with "...".
# This is a dump, not a runnable script: the stray `... -----END CERTIFICATE----- "`
# repeated after SSL_CLIENT_CERT is an extraction artifact and would leave the
# quoting unbalanced if executed.
# For access control by client certificate the backend should look at the
# SSL_CLIENT_S_DN* (subject, e.g. CN=client01) and SSL_CLIENT_I_DN* (issuer)
# values rather than at the mere presence of SSL_CLIENT_CERT; presumably the
# TLS layer only checks that the chain leads to a CA in CAFILE -- confirm.
export CAFILE="MBG_CA-cacert.pem" export CCAFILE="MBG_CA-cacert.pem" export CERTFILE="127.0.0.1-cert.pem" export SSLLOCALHOST="0" export SSLLOCALIP="127.0.0.1" export SSLLOCALPORT="9999" export SSLREMOTEIP="127.0.0.1" export SSLREMOTEPORT="36681" export SSL_CIPHER="DHE-RSA-AES256-SHA" export SSL_CIPHER_ALGKEYSIZE="256" export SSL_CIPHER_EXPORT="false" export SSL_CIPHER_USEKEYSIZE="256" export SSL_CLIENT_A_KEY="rsaEncryption" export SSL_CLIENT_A_SIG="sha1WithRSAEncryption" export SSL_CLIENT_CERT="-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- " ... -----END CERTIFICATE----- " export SSL_CLIENT_I_DN="/C=RU/ST=Nizhny Novgorod Region/L=Nizhny Novgorod/O=Mobile Business Group/OU=Software Development/CN=MBG/emailAddress=support@mobigroup.ru" export SSL_CLIENT_I_DN_C="RU" export SSL_CLIENT_I_DN_CN="MBG" export SSL_CLIENT_I_DN_Email="support@mobigroup.ru" export SSL_CLIENT_I_DN_L="Nizhny Novgorod" export SSL_CLIENT_I_DN_O="Mobile Business Group" export SSL_CLIENT_I_DN_OU="Software Development" export SSL_CLIENT_I_DN_ST="Nizhny Novgorod Region" export SSL_CLIENT_M_SERIAL="2" export SSL_CLIENT_M_VERSION="3" export SSL_CLIENT_S_DN="/C=RU/ST=Nizhny Novgorod Region/L=Nizhny Novgorod/O=Mobile Business Group/OU=Software Development/CN=client01" export SSL_CLIENT_S_DN_C="RU" export SSL_CLIENT_S_DN_CN="client01" export SSL_CLIENT_S_DN_L="Nizhny Novgorod" export SSL_CLIENT_S_DN_O="Mobile Business Group" export SSL_CLIENT_S_DN_OU="Software Development" export SSL_CLIENT_S_DN_ST="Nizhny Novgorod Region" export SSL_CLIENT_V_END="Nov 19 17:18:47 2012 GMT" export SSL_CLIENT_V_START="Feb 23 17:18:47 2010 GMT" export SSL_PROTOCOL="TLSv1" export SSL_SERVER_A_KEY="rsaEncryption" export SSL_SERVER_A_SIG="sha1WithRSAEncryption" export SSL_SERVER_CERT="-----BEGIN CERTIFICATE----- ... 
-----END CERTIFICATE----- " export SSL_SERVER_I_DN="/C=RU/ST=Nizhny Novgorod Region/L=Nizhny Novgorod/O=Mobile Business Group/OU=Software Development/CN=MBG/emailAddress=support@mobigroup.ru" export SSL_SERVER_I_DN_C="RU" export SSL_SERVER_I_DN_CN="MBG" export SSL_SERVER_I_DN_Email="support@mobigroup.ru" export SSL_SERVER_I_DN_L="Nizhny Novgorod" export SSL_SERVER_I_DN_O="Mobile Business Group" export SSL_SERVER_I_DN_OU="Software Development" export SSL_SERVER_I_DN_ST="Nizhny Novgorod Region" export SSL_SERVER_M_SERIAL="5" export SSL_SERVER_M_VERSION="3" export SSL_SERVER_S_DN="/C=RU/ST=Nizhny Novgorod Region/L=Nizhny Novgorod/O=Mobile Business Group/OU=Software Development/CN=127.0.0.1" export SSL_SERVER_S_DN_C="RU" export SSL_SERVER_S_DN_CN="127.0.0.1" export SSL_SERVER_S_DN_L="Nizhny Novgorod" export SSL_SERVER_S_DN_O="Mobile Business Group" export SSL_SERVER_S_DN_OU="Software Development" export SSL_SERVER_S_DN_ST="Nizhny Novgorod Region" export SSL_SERVER_V_END="Nov 19 19:43:16 2012 GMT" export SSL_SERVER_V_START="Feb 23 19:43:16 2010 GMT" export SSL_SESSION_ID="f04e24260747ff1784c054e4465de6b3c9ca75b6b9e2c37acfec937aad0d5350" export SSL_VERSION_INTERFACE="ucspi-ssl" export SSL_VERSION_LIBRARY="OpenSSL 0.9.8k 25 Mar 2009" export _="/usr/bin/sslserver"
Для управления сертификатами удобен пакет tinyca. Команда tinyca2 запустит простой и понятный интерфейс.
Для преобразования форматов можно воспользоваться следующими командами:
# Print the generated key material in human-readable form. Nothing is
# modified: -noout suppresses re-emitting the PEM body, -text prints the
# decoded structure. The two `rsa` calls print private key components, so
# run them only where the terminal/scrollback is trusted.
openssl rsa -noout -text -in server.key    # server private key
openssl req -noout -text -in server.csr    # server certificate signing request
openssl rsa -noout -text -in ca.key        # CA private key
openssl x509 -noout -text -in ca.crt       # CA certificate
Подробнее см. по ссылке
Creating Certificate Authorities and self-signed SSL certificates
Upd. OpenSSL