diff --git a/README.md b/README.md index 65db7f1..2db5b03 100644 --- a/README.md +++ b/README.md @@ -118,7 +118,8 @@ of Erlang property list. | `cacertfile_path` | `/opt/ca/ca.crt.pem` | SSLCACertificateFile | Where is the client root CA located. Can be inside apps/epp_proxy/priv or absolute path. | `certfile_path` | `/opt/ca/server.crt.pem` | SSLCertificateFile | Where is the server certificate located. Can be inside apps/epp_proxy/priv or absolute path. | `keyfile_path` | `/opt/ca/server.key.pem` | SSLCertificateKeyFile | Where is the server key located. Can be inside apps/epp_proxy/priv or absolute path. -| `crlfile_path` | `/opt/ca/crl.pem` | SSLCARevocationFile | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path. When not set, not CRL check is performed. +| `crlfile_path` | `/opt/ca/crl` | SSLCARevocationFile | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path. When not set, not CRL check is performed. CLRs in this directory must be rehashed by `c_rehash` command as per this solution (https://stackoverflow.com/posts/51480191/revisions) + Migrating from mod_epp diff --git a/apps/epp_proxy/priv/test_ca/certs/revoked2.crt.pem b/apps/epp_proxy/priv/test_ca/certs/revoked2.crt.pem new file mode 100644 index 0000000..edf72a8 --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/certs/revoked2.crt.pem 
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGEDCCA/igAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAkVF +MREwDwYDVQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwa +RWVzdGkgSW50ZXJuZXRpIFNpaHRhc3V0dXMxEjAQBgNVBAMMCWxvY2FsaG9zdDEg +MB4GCSqGSIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUwHhcNMjAwNzIxMDczODEy +WhcNMzAwNzE5MDczODEyWjB8MQswCQYDVQQGEwJFRTERMA8GA1UECAwISGFyanVt +YWExIzAhBgNVBAoMGkVlc3RpIEludGVybmV0aSBTaWh0YXN1dHVzMRMwEQYDVQQD +DApsb2NhbGhvc3QzMSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZTCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ9WvaOOx8qB0/+zJ23hp9R2 +r6QUNMJWg3JDU2qJZuHZ19DWn47+fDjQORqmiFvNTDCp1EKskk4pykWEGtnwm7sn +E2N9ovoNEmKfYkPiKHtweiHr0IoUsB9tZojSyaolGXxSLSXglXSp3zwB5v1boVOj +7dEHxvK6QeLy/bYqzdVOsZEKcjz5UAjgnd4CfdS6IBW4Dgk1JMHZGMTFbrrVunB/ +No6FARisO+Aq11S3Ak9WyBoe2uUPS7RLdyy/EVGhbft6QE+ENc3gL7LHlQ2LjVUF +2ISwG8ULl4f0A8tmyk3deD/SPGklQVG9M/1Yv7z5aTSB+1o03SPb4abJieY+RF3L +zZO7oa7vzn52Z8gziNo5rMHX6Q+kLqkgnqRvR0Vk+qkbhsZHny68oFNZm8+TWqDW +mZpMKR3vQEC19wfAuCxrBAC5XHLH/wY7kSng2PKUuRoACAsta9JmAnTeQtKFMj66 +wIe+nbr9Q03da3adVAOVRTrlsIuk/9vo5u4pOs2M+s5Q8kisI41Cm9EkNgmVAweY +1LbyZXV1n/smzsHtjSkNco95dZtOVlAHW5GB7v1zj7Ensx96JMBvBq+0XCUMgCJX +NYYvcB9YMLVfZuBaoe15wAx93utSefPgFHFYJ7/pjZMt088SbR9SCyNkYFOkNrdx +abbntYS98CXFI4gB62rLAgMBAAGjgYkwgYYwCQYDVR0TBAIwADALBgNVHQ8EBAMC +BeAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl +MB0GA1UdDgQWBBQuphYluIrOLAaufOBOUUa3jqI/hzAfBgNVHSMEGDAWgBQrl0tO +QaRq54QX5qF/OeLWzWZT9TANBgkqhkiG9w0BAQsFAAOCAgEAdTAqjYLbIBHOvcDW +x1twozGlmtlob20TrmLaHq4jdv2azIcUK5RZukTaI2wbUWeDRmBe91m4m70KiEDp +ToS1l6pJLzPl6y8Uh7yWRjpaMFnEOMMqYI5HoiBzSPC8JAp+JqKlb3Y0jU5/hOIt +eT9C31tzuazShpdM1QR8H1SNT301hAlqIoy9gnCCfbaSg3qYciHUj/tMLvHUhAVy +IFeceLPl+38zxxk2YD6Ed5YhUqeuIR/2ZViPBaLfPvPw4rIqEu0MkPM9TxJ45+xF +OX+esXExCb+EoG6ZHjup3Re5kevxYAo3QKU+xbYCFlTTEv/UgHIyajCk8x1/flhC +CZmfQVF/C9Lpv35MfaDWkzQ2zVcdQGoH8Q0mELpYgoN8npb33mahVP8qxqWHzAdT +o99CZMuUhVsbEtgDsZjxp6CrRDL8X99dxVEWwDwXzY3RgKuxLhCAUH7bhg0+ul0L 
+xGId9GjHqX46/bN9UCOtrFh8eJlGnFw6I2shNiPauV2CW4SOi/Awzjm2lAN0KFXX +iuGzVH9jVDtiGeLreGehXKByyjX3Zrwv3eMkhF+aJUuin/i5APRe4OWBGp4sfDra +MlFPI+JKDO5011RGgIB75PiqnRIDUtGe8ybjjXlGdnJ7WPW1YfygWXGCVkH19Iyt +aMmvcKiYLxhrpUFiSXj78qBN/Pw= +-----END CERTIFICATE----- diff --git a/apps/epp_proxy/priv/test_ca/crl/crl2.pem b/apps/epp_proxy/priv/test_ca/crl/crl2.pem new file mode 100644 index 0000000..76e2f2f --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/crl/crl2.pem @@ -0,0 +1,20 @@ +-----BEGIN X509 CRL----- +MIIDNjCCAR4CAQEwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAkVFMREwDwYD +VQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkg +SW50ZXJuZXRpIFNpaHRhc3V0dXMxEjAQBgNVBAMMCWxvY2FsaG9zdDEgMB4GCSqG +SIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUXDTIwMDcyMTA3MzgyOFoXDTMwMDcx +OTA3MzgyOFowKjATAgIQARcNMjAwNzE3MTExMjAyWjATAgIQAhcNMjAwNzIxMDcz +ODIyWqAwMC4wHwYDVR0jBBgwFoAUK5dLTkGkaueEF+ahfzni1s1mU/UwCwYDVR0U +BAQCAhABMA0GCSqGSIb3DQEBCwUAA4ICAQAfqwrQHPHnj/QDS2zIlEn3YxfpCnla +x3oaqryp8NRFwj49xkvH2gKrZlLj0yjO3mw0ZJXAsGbADIdqm8nVkFLg+2DyIXlp +nvF9xpXk5sCMqXggcvm1qWXr76xgoq7DMRNw6usynej5ez1xWlPwcVunjJIUKk+x +IM/9l6FyJpeuRv3xWlXdBGLz/WtH0+ycS/Ekl03fsMNaI4ZTefTt3tvORiK5apT8 +4oVnjEWneGfDFfIdj/N/wFphGwxLqo9RuITzupqg/RrXbe1/Z06V7TDPhXMGQyZx +xM8kw4Cikj+VeQw/5nKWeuYD8/wnbex9XFK797HFjG+ReOGaPgFHu/A9ux35FM+6 +hXL1AS1Dv/04U5Siu8i9TatFUEgaLn0VAPoarPiy6kaa9wEne9dJ6C+LlQVxPQsr +Yhjpp9DRtbmvJxuWredmI7sPmIcLdbpRu7gyxQYgFsQT7dcRCGgPR+viIfOkiquq +dx2mhV4mHZxSLegXsLZ2X7bqXgb04YSBKxfRxfWizQfEJLonW+VI8enKh210Aw4R +rch+igPxLHrZKBG/QcRzLI1wh5fZwW4ML5b4dMnJeDv7/8AfJufTtmpYg/AXAI80 +6SJsbHxJ242e3zzmO7FQ7aUz+Y24zrNsdtJvdTgEB0TTzrSfAJZoeZ6y8YCm4pyw +pJeV6jyetNaivw== +-----END X509 CRL----- diff --git a/apps/epp_proxy/priv/test_ca/crl/d17a9cf0.r0 b/apps/epp_proxy/priv/test_ca/crl/d17a9cf0.r0 new file mode 120000 index 0000000..13a7a92 --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/crl/d17a9cf0.r0 @@ -0,0 +1 @@ +crl.pem \ No newline at end of file 
diff --git a/apps/epp_proxy/priv/test_ca/crl/d17a9cf0.r1 b/apps/epp_proxy/priv/test_ca/crl/d17a9cf0.r1 new file mode 120000 index 0000000..4aa232f --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/crl/d17a9cf0.r1 @@ -0,0 +1 @@ +crl2.pem \ No newline at end of file diff --git a/apps/epp_proxy/priv/test_ca/crl/first/crl.pem b/apps/epp_proxy/priv/test_ca/crl/first/crl.pem new file mode 100644 index 0000000..b3b108d --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/crl/first/crl.pem @@ -0,0 +1,19 @@ +-----BEGIN X509 CRL----- +MIIDITCCAQkCAQEwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAkVFMREwDwYD +VQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkg +SW50ZXJuZXRpIFNpaHRhc3V0dXMxEjAQBgNVBAMMCWxvY2FsaG9zdDEgMB4GCSqG +SIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUXDTIwMDcxNzExMTIwOVoXDTMwMDcx +NTExMTIwOVowFTATAgIQARcNMjAwNzE3MTExMjAyWqAwMC4wHwYDVR0jBBgwFoAU +K5dLTkGkaueEF+ahfzni1s1mU/UwCwYDVR0UBAQCAhAAMA0GCSqGSIb3DQEBCwUA +A4ICAQA8EGqpuVnqlM04otgIoFPDYGqYhv7wTCQFx3iIS5KgEh2E96iHACVi3Q6m +5RmYv1LIrcrrY9GGW8Vgv4lOyPOzpGawCWfrnhGABe5nE5MG591O2X2CQmCjZmL7 +ga0ZPRzHfXTs9XTxBFslcmUXQipy2/sG623Db7/OIZQio7c9F6zfC6cb8ebVxpPD +nstrMOtzpU/nJqytT5KiBeA5Kr2zJqmpwvqZKzRmrM4gFQBtuy2x2qXbjr+CfSIA +DDpkE/Q90aRNqZ1dGvMl+GvOqabndoTlUBwBkRt5SkxXDNiYfLaj3y6CiMR3TAVV +W0pryjUXJ/s2VVCnqSsC2y7jCMSQk7dkcjOlmIJidoJTyqwrAnRptKoLEBp24qe+ +o8DCaWW4jcQSwCgZK3M5YxvOfugZ1I91zuK9HIIRZNJhANiKuzPi+4uwK1JxOzY4 +uI/9Q7bkhDrPSea9b3vdsO+5kfdjnxx/21mVSLqsllm8Gnl2cA80IBXSYOB9JTTV +5vn0+QAW1GrRH5VzmVo/lTW+qj73EfejLy/g6s+I5W9dQcQl9IRerDR90mXsE1ll +MPRQQHxNERtHDg2Rg8flwYl5gE3e7OO2xKlr1jyI1F9QSTsQHQQJCpOJsevJzIkO +jJ+LfUfVcjp+uxa/KOulfgBi13Lco1Yfn9oEgIMPd+zUQvL9HQ== +-----END X509 CRL----- diff --git a/apps/epp_proxy/priv/test_ca/crl/first/d17a9cf0.r0 b/apps/epp_proxy/priv/test_ca/crl/first/d17a9cf0.r0 new file mode 120000 index 0000000..13a7a92 --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/crl/first/d17a9cf0.r0 @@ -0,0 +1 @@ +crl.pem \ No newline at end of file 
diff --git a/apps/epp_proxy/priv/test_ca/crl/second/crl2.pem b/apps/epp_proxy/priv/test_ca/crl/second/crl2.pem new file mode 100644 index 0000000..76e2f2f --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/crl/second/crl2.pem @@ -0,0 +1,20 @@ +-----BEGIN X509 CRL----- +MIIDNjCCAR4CAQEwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAkVFMREwDwYD +VQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkg +SW50ZXJuZXRpIFNpaHRhc3V0dXMxEjAQBgNVBAMMCWxvY2FsaG9zdDEgMB4GCSqG +SIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUXDTIwMDcyMTA3MzgyOFoXDTMwMDcx +OTA3MzgyOFowKjATAgIQARcNMjAwNzE3MTExMjAyWjATAgIQAhcNMjAwNzIxMDcz +ODIyWqAwMC4wHwYDVR0jBBgwFoAUK5dLTkGkaueEF+ahfzni1s1mU/UwCwYDVR0U +BAQCAhABMA0GCSqGSIb3DQEBCwUAA4ICAQAfqwrQHPHnj/QDS2zIlEn3YxfpCnla +x3oaqryp8NRFwj49xkvH2gKrZlLj0yjO3mw0ZJXAsGbADIdqm8nVkFLg+2DyIXlp +nvF9xpXk5sCMqXggcvm1qWXr76xgoq7DMRNw6usynej5ez1xWlPwcVunjJIUKk+x +IM/9l6FyJpeuRv3xWlXdBGLz/WtH0+ycS/Ekl03fsMNaI4ZTefTt3tvORiK5apT8 +4oVnjEWneGfDFfIdj/N/wFphGwxLqo9RuITzupqg/RrXbe1/Z06V7TDPhXMGQyZx +xM8kw4Cikj+VeQw/5nKWeuYD8/wnbex9XFK797HFjG+ReOGaPgFHu/A9ux35FM+6 +hXL1AS1Dv/04U5Siu8i9TatFUEgaLn0VAPoarPiy6kaa9wEne9dJ6C+LlQVxPQsr +Yhjpp9DRtbmvJxuWredmI7sPmIcLdbpRu7gyxQYgFsQT7dcRCGgPR+viIfOkiquq +dx2mhV4mHZxSLegXsLZ2X7bqXgb04YSBKxfRxfWizQfEJLonW+VI8enKh210Aw4R +rch+igPxLHrZKBG/QcRzLI1wh5fZwW4ML5b4dMnJeDv7/8AfJufTtmpYg/AXAI80 +6SJsbHxJ242e3zzmO7FQ7aUz+Y24zrNsdtJvdTgEB0TTzrSfAJZoeZ6y8YCm4pyw +pJeV6jyetNaivw== +-----END X509 CRL----- diff --git a/apps/epp_proxy/priv/test_ca/crl/second/d17a9cf0.r0 b/apps/epp_proxy/priv/test_ca/crl/second/d17a9cf0.r0 new file mode 120000 index 0000000..4aa232f --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/crl/second/d17a9cf0.r0 @@ -0,0 +1 @@ +crl2.pem \ No newline at end of file diff --git a/apps/epp_proxy/priv/test_ca/csrs/revoked2.csr.pem b/apps/epp_proxy/priv/test_ca/csrs/revoked2.csr.pem new file mode 100644 index 0000000..a48e44d --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/csrs/revoked2.csr.pem 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIE1DCCArwCAQAwgY4xCzAJBgNVBAYTAkVFMREwDwYDVQQIDAhIYXJqdW1hYTEQ +MA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkgSW50ZXJuZXRpIFNpaHRh +c3V0dXMxEzARBgNVBAMMCmxvY2FsaG9zdDMxIDAeBgkqhkiG9w0BCQEWEWhlbGxv +QGludGVybmV0LmVlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn1a9 +o47HyoHT/7MnbeGn1HavpBQ0wlaDckNTaolm4dnX0Nafjv58ONA5GqaIW81MMKnU +QqySTinKRYQa2fCbuycTY32i+g0SYp9iQ+Ioe3B6IevQihSwH21miNLJqiUZfFIt +JeCVdKnfPAHm/VuhU6Pt0QfG8rpB4vL9tirN1U6xkQpyPPlQCOCd3gJ91LogFbgO +CTUkwdkYxMVuutW6cH82joUBGKw74CrXVLcCT1bIGh7a5Q9LtEt3LL8RUaFt+3pA +T4Q1zeAvsseVDYuNVQXYhLAbxQuXh/QDy2bKTd14P9I8aSVBUb0z/Vi/vPlpNIH7 +WjTdI9vhpsmJ5j5EXcvNk7uhru/OfnZnyDOI2jmswdfpD6QuqSCepG9HRWT6qRuG +xkefLrygU1mbz5NaoNaZmkwpHe9AQLX3B8C4LGsEALlccsf/BjuRKeDY8pS5GgAI +Cy1r0mYCdN5C0oUyPrrAh76duv1DTd1rdp1UA5VFOuWwi6T/2+jm7ik6zYz6zlDy +SKwjjUKb0SQ2CZUDB5jUtvJldXWf+ybOwe2NKQ1yj3l1m05WUAdbkYHu/XOPsSez +H3okwG8Gr7RcJQyAIlc1hi9wH1gwtV9m4Fqh7XnADH3e61J58+AUcVgnv+mNky3T +zxJtH1ILI2RgU6Q2t3Fptue1hL3wJcUjiAHrassCAwEAAaAAMA0GCSqGSIb3DQEB +CwUAA4ICAQApchMGYc4YX8s67DrFX0xZkP/ofRpq3OPrWvAGHtsWEUGvy/ItzCSc +OxUNMlrE3f+eOGObZFllS2T+KFEeE+V54wVDIj7OtNup9Np0M2keIu5A5nVEOYiN +fjFjM/NyeKbWwtLzUJitbhxWGXR1WLGCM98k3qF40siCBvsIGINUx7N9g1c/VmaA +//Pifihlm7gvfBuiYHCU8mOuxQs2JMYfdh/MJ3fo8iqGY7dfY+aH7Cx3y1WCbR7v +54RNJylGXTapI81bRe5AHIFQohzUf3LzHS7EeBSMzEMOmEXhAoy4MJk9uI27L96E +2hYIr20Xza43dq2JWQKgshl5FDtcGrVD6JMg1+/mDaZCxVENrDelRXD7TaAUo8Sh +BPHixdsjNzxWaE8njhDilZ4xY8id3UHRtCtK6TRrmbvuiUoD+VWu7SW7ZLXmnHLq +5OIcZv40gMKiBJOQuvgChM3h0hxuH11elFChk7CyzyUU/xa4qzvdkFFMrVOaO41p +jtVLppMIdA34XFqmxufZoi5UsjZqQKaOG8uVKYbLCQks0mLYfhs8ArFugsVu6jdl +sXMp3tDrSukNZOrgoS5SenJ1nNew17hSr+hH1n6I4cccsg39izRNGUF7mHyib713 +ugaNnZFBeZ29W71dvJtnLa+sNISjGVbbBwDQ4P+1kCNokGhifoVPgA== +-----END CERTIFICATE REQUEST----- diff --git a/apps/epp_proxy/priv/test_ca/generate_certificates.sh b/apps/epp_proxy/priv/test_ca/generate_certificates.sh index 753b39e..14ab3ff 100755 
--- a/apps/epp_proxy/priv/test_ca/generate_certificates.sh +++ b/apps/epp_proxy/priv/test_ca/generate_certificates.sh @@ -11,5 +11,12 @@ openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pe openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -crldays 3650 -gencrl -out crl/crl.pem +openssl genrsa -out private/revoked2.key.pem 4096 +openssl req -sha256 -config openssl.cnf -new -days 3650 -key private/revoked2.key.pem -out csrs/revoked2.csr.pem +openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/revoked2.csr.pem -days 3650 -out certs/revoked2.crt.pem +openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -revoke certs/revoked2.crt.pem + +openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -crldays 3650 -gencrl -out crl/crl2.pem + openssl req -config openssl.cnf -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout private/apache.key -config server.csr.cnf openssl x509 -req -in server.csr -CA certs/ca.crt.pem -CAkey private/ca.key.pem -CAcreateserial -out certs/apache.crt -days 3650 -sha256 -extfile v3.ext diff --git a/apps/epp_proxy/priv/test_ca/private/revoked2.key.pem b/apps/epp_proxy/priv/test_ca/private/revoked2.key.pem new file mode 100644 index 0000000..b96781f --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/private/revoked2.key.pem 
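Review bot: The script regenerates `crl/crl.pem` and `crl/crl2.pem`, but the rest of this commit reads CRLs from `test_ca/crl/first` and `test_ca/crl/second` (config/test.config and the suite) through `ssl_crl_hash_dir`, which needs the hash-named links (`d17a9cf0.r0`, `d17a9cf0.r1`) that are committed by hand here; re-running the script therefore leaves what are presumably copies in `first/` and `second/` stale while `crl/` moves on. Appending `cp crl/crl.pem crl/first/ && cp crl/crl2.pem crl/second/` followed by `c_rehash` (the tool the README hunk names) over `crl/`, `crl/first` and `crl/second` would keep the fixtures reproducible from the script alone. A short comment above the new block saying that `first` holds only the original revocation and `second` both would also explain why two CRLs exist.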
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJJwIBAAKCAgEAn1a9o47HyoHT/7MnbeGn1HavpBQ0wlaDckNTaolm4dnX0Naf +jv58ONA5GqaIW81MMKnUQqySTinKRYQa2fCbuycTY32i+g0SYp9iQ+Ioe3B6IevQ +ihSwH21miNLJqiUZfFItJeCVdKnfPAHm/VuhU6Pt0QfG8rpB4vL9tirN1U6xkQpy +PPlQCOCd3gJ91LogFbgOCTUkwdkYxMVuutW6cH82joUBGKw74CrXVLcCT1bIGh7a +5Q9LtEt3LL8RUaFt+3pAT4Q1zeAvsseVDYuNVQXYhLAbxQuXh/QDy2bKTd14P9I8 +aSVBUb0z/Vi/vPlpNIH7WjTdI9vhpsmJ5j5EXcvNk7uhru/OfnZnyDOI2jmswdfp +D6QuqSCepG9HRWT6qRuGxkefLrygU1mbz5NaoNaZmkwpHe9AQLX3B8C4LGsEALlc +csf/BjuRKeDY8pS5GgAICy1r0mYCdN5C0oUyPrrAh76duv1DTd1rdp1UA5VFOuWw +i6T/2+jm7ik6zYz6zlDySKwjjUKb0SQ2CZUDB5jUtvJldXWf+ybOwe2NKQ1yj3l1 +m05WUAdbkYHu/XOPsSezH3okwG8Gr7RcJQyAIlc1hi9wH1gwtV9m4Fqh7XnADH3e +61J58+AUcVgnv+mNky3TzxJtH1ILI2RgU6Q2t3Fptue1hL3wJcUjiAHrassCAwEA +AQKCAgBl068ZiTOQ7Osoa7t081Kn6rlQaEFXOKaELRZv7SM8jlTnd2E8ptGIFTmJ +GIfn8wkPyFiHy3UsUnSbfFMUmDlNnyk62Z1/oz7um+DWdP9d84F5kBQTSilLzERM +iDisbU0eL/3+SMn6ZlztImIV46rzor1makvv7qwQdy1Ab5ZfDQ1ZHY3n/YPySGla +6ci0W8YJWzhNFhNJdo3noiyjZdbh8cpRxhnvRJJ3Lamyz8nAHjt+xd0pqV6998RP +akONIVcB8RyMNHeV/AE/hWBx6Y8GmNfH5Cu6/y91iLGsGSKMJE6mqppEr7RQolNJ +QqA2CkX7cl3JRiNUuT45sm5YH87cCCjcgYvP/OlKkW/aEx/69v/i3MpISxoXgAGt +F2zRuqGdYwKAeheQ/D7bdIiAkfAIL0HinVpJOuGDVT6RNCCzoRpJRaHwq+Rmx/TD +wV4wAJ8Fcc1WGyOOYg86cjZa12wljGucy/m88jN0x4si2nctg123rN0Z4TEx9xfU +Olo2WIiNDiyL/wWI+bZUo/ucNO4buheeRiadmHrXU7rAKujWeeyN2fbOkJQnx4J8 +T1HNBTDG/wnblKc3JmkBxyWDo1Cz+Bj3qkA5cjCIIBbwo0vxzh7Qv4hdCiT6Ibbs +NDpMvkhp5zbw4gittGwZwxHxJtVaHrk9gRgkP8tjJQ9TrGjzEQKCAQEAzP5h6U/c +4yUTuOP2tWKAD96Lpq3LfaHTLbi0HzW7343AH1LvCEJsApMkkhWeqxxVSvqQL04r +xgBAGzzwlNB8rmGYckSQ5F1u0Y2bMxxEjKuYMgDmuAlG9xzpySSTHqWqyruF6Vng +xd8XxAFS3Jxw0hNuypd+ZQLhPdqsZVsZza4hQ/g5hdHFeSH/iBkdJGSvTEyBqT5v +pfCa9IW2NWZZcKHZZ+YM/ZrogJlEuattrM6EfyK6C52yGFBCCCggUveF+E/krdVI +ggQqJoegXdSF3ostxgA+O73Bg+0We6F1Ps4xMJiq8B2w7DwVoaPj1oBaUrQtMH2H +TdMJ+Yiut25XhwKCAQEAxvxAUVVkm8H61G8TZy3VT2djucN382+Q2oCjGzV7vCXS +mQLPaGN6S7xUX9uixDmvgxmhfDDuiRNqyNoOQV9VEQj7yGysANFJ4dHm4UPXXvDH 
+P70JPkDIWhFkAM7N6B0t6wASt9MMYAx64dpyWT75vbXUy008J6E5jQZkpDV3m9qx +unYwYR+rv3Srg+5Fw210LrthBw9CWqd3rUQ99yb2INlqqahxQr4RNX+8o/4AFGuM +93t2qmZeN86rSOrigJzfKYeo/h2GP4DR4Ll+yPQNiIwy5W/qbgty1Fd8C3b+Ey1b +K4VxadQC0yL2u/P/SBRqa4vJ7j6rM7NrU8lY9/ebnQKCAQAlLAu9Lwoy9ko5QL0/ +7vih6A0S0HkR8wJETDX9YtUKmL258GP/72t+nAgJpXn8NUsSKZVzvo0Zfnohdk95 +7MRvKqtmLSDJCFhMD42RGxMjHwqeJqOvw57muIt8OfGjoQ7zbEXAJtgniWjZ1hOc +hZG/xl5UxlvZHUiS2tBgIMDxFx5ZIO3tYjiY2p1npIYwT0GqaEUq13OPd63hoU2F +KWYWkoLF4GWCp1B54VEhCgD9UQWduEJcUOA2oHcY243g/ZmBiZtCGmbnjLHIAtgF +q8AKtto6CVk/pA0vSxLEoGaOWP16fnSgzgGDFPInOXzbLLM0RA/dtyWN6zLn2O01 +vgCJAoIBAHf6AmHH5hiP9kf+DSnqFbKBuTx5Yiqyexlz9GRkdA22lGtTqXDcghGG +JS2DBXng+jVGz/pMmpal0X33FB9Qdr8FtqJa+76mcjCpWdc7C3GgJdMFjLwvXV4J +HE3sY3Rvm48VBTQ3GUAUZkclakrrULOVHg/SqtGOQWAJmcb0wgCD9SNjPbph2TFg +DEZI9WFm7mV6737NMYntbZhYDDCoGkEmNkzDVj8S0Nd8BGawsKWfT2is1ZjajjaB +8v7NOPKpI1ksBbXqYVaKuoEP9yT9GefZ+JokR6pAVuU3NoDHJ1yyvUTZec+AWI+r +hi8/aA2y2ZOsvn1a5ekPZkgnn/ArKHUCggEAHGfHVEg/k6AtBggtwfVRJAYviDh+ +7lfWCJxDZozC6/Lny/kexJcvHERuxDlp+E0Oa3ZHXaxlzG0yaGGXbfrilmSpDmmH +Y1UXjXHTf/slP3fpTZVeibr6HOlVMnZEQEwJjEufvJRXXl+pc5zvqbD3ng8qI+Tf +gJKCFGz+QabzTyEloI4shgjZcC985MHKej4Cmo+BhsSRwBugthfVF74SzejkbJe7 +nh/tpQ0dm5JvH/seNCkNYEZLOmT7aMy1eikdra6Xth+temDFqpNfwJAfby9rPunq +3CEqQJxzNgr/GzuoV/yj/V/r71af+0C+MRqpu7Z8Dc4RFkntnix51cLUpg== +-----END RSA PRIVATE KEY----- diff --git a/apps/epp_proxy/src/epp_proxy_sup.erl b/apps/epp_proxy/src/epp_proxy_sup.erl index 9814d67..65ffa4c 100644 --- a/apps/epp_proxy/src/epp_proxy_sup.erl +++ b/apps/epp_proxy/src/epp_proxy_sup.erl 
@@ -60,8 +60,11 @@ init([]) -> MemoryMonitor = #{id => memory_monitor, type => worker, modules => [memory_monitor], start => {memory_monitor, start_link, []}}, + TLSMonitor = #{id => epp_tls_monitor, type => worker, + modules => [epp_tls_monitor], + start => {epp_tls_monitor, start_link, []}}, SharedSpecs = [TLSAcceptor, PoolSupervisor, - MemoryMonitor], + MemoryMonitor, TLSMonitor], ChildrenSpec = case ?DevMode of {ok, true} -> [TCPAcceptor | SharedSpecs]; _ -> SharedSpecs diff --git a/apps/epp_proxy/src/epp_tls_acceptor.erl b/apps/epp_proxy/src/epp_tls_acceptor.erl index a3c0080..3fa2526 100644 --- a/apps/epp_proxy/src/epp_tls_acceptor.erl +++ b/apps/epp_proxy/src/epp_tls_acceptor.erl @@ -10,7 +10,7 @@ %% gen_server callbacks -export([handle_call/3, handle_cast/2, init/1, - start_link/1]). + start_link/1, terminate/2]). -export([crl_file/0]). @@ -52,6 +52,9 @@ handle_cast(accept, State#state{socket = ListenSocket, port = Port, options = Options}}. +terminate(_Reason, _State) -> + ok. + handle_call(_E, _From, State) -> {noreply, State}. %% Create a worker process. These are short lived and should not be restarted, @@ -88,15 +91,15 @@ crl_file() -> {ok, CrlFile} -> epp_util:path_for_file(CrlFile) end. + %% In some environments, we do not perform a CRL check. Therefore, we need %% different options proplist. handle_crl_check_options(Options) -> case application:get_env(epp_proxy, crlfile_path) of undefined -> Options; - {ok, _CrlFile} -> - ssl_crl_cache:insert({file, crl_file()}), + {ok, CrlFile} -> NewOptions = [{crl_check, peer}, - {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}} + {crl_cache, {ssl_crl_hash_dir, {internal, [{dir, epp_util:path_for_file(CrlFile)}]}}} | Options], NewOptions end. diff --git a/apps/epp_proxy/src/epp_tls_monitor.erl b/apps/epp_proxy/src/epp_tls_monitor.erl new file mode 100644 index 0000000..c6c0710 --- /dev/null +++ b/apps/epp_proxy/src/epp_tls_monitor.erl 
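Review bot: The new `TLSMonitor` spec gives no hint that this worker reaches back into this supervisor: according to the epp_tls_monitor hunk further down it calls `supervisor:terminate_child(epp_proxy_sup, epp_tls_acceptor)` and `supervisor:restart_child/2`, so it depends on this supervisor's registered name and on the `TLSAcceptor` spec (defined above this hunk) using the id `epp_tls_acceptor`. A comment above the spec would make that coupling visible, e.g. `%% Bounces the epp_tls_acceptor child every 30 minutes so a refreshed CRL directory is picked up; relies on that child's id and on this supervisor being registered as epp_proxy_sup.` Since the monitor's init/1 also sends itself `reload_acceptor` immediately, the acceptor started just before it in `SharedSpecs` is terminated and restarted once during application boot; if that is intended, the comment should say so.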
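Review bot: `terminate/2` returns `ok` without closing the listen socket that `handle_cast(accept, ...)` keeps in `State#state.socket` (visible in the context above), so whether the port is free when the monitor's `restart_child` re-binds it right after `terminate_child` depends on exit-time cleanup rather than on this callback; unless the listener is opened with `{reuseaddr, true}` (the listen options are outside this hunk) a re-bind can fail with `eaddrinuse` and leave no acceptor running until the next reload. Closing explicitly, `terminate(_Reason, #state{socket = Socket}) when Socket =/= undefined -> _ = ssl:close(Socket), ok; terminate(_Reason, _State) -> ok.`, makes the shutdown deterministic; the `undefined` guard assumes that is the record default, which the record definition (outside this hunk) should confirm. Note also that gen_server only calls `terminate/2` on a supervisor shutdown when the process traps exits, so if `init/1` does not set `process_flag(trap_exit, true)` this callback never runs on a reload at all.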
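Review bot: `ssl_crl_hash_dir` turns the configured path into a directory that must hold hash-named CRL files, and with `{crl_check, peer}` kept as-is a client whose issuer has no matching file there is rejected because its revocation status cannot be determined, so a typo in `crlfile_path` or a directory that was never rehashed looks exactly like "every client revoked". Nothing in this clause checks the directory; binding `Dir = epp_util:path_for_file(CrlFile)` and asserting `true = filelib:is_dir(Dir)` before building `NewOptions` would fail the acceptor at boot with a clear reason instead of at the first handshake. The comment above the function still says "CRL check" without mentioning that the value is now a directory; `%% crlfile_path names a directory of CRLs indexed by issuer hash (c_rehash layout); undefined disables the check.` would bring it in line. `crl_file/0` is still exported in the first hunk of this file but is no longer called here, so it is presumably dead.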
@@ -0,0 +1,78 @@
+%%%-------------------------------------------------------------------
+%%% @doc
+%%%
+%%% Monitor module for reloading epp_tls_acceptor on runtime
+%%% Used to renew CRLs once in 30 minutes
+%%% @end
+%%% Created: 20 Feb 2020
+%%%-------------------------------------------------------------------
+-module(epp_tls_monitor).
+
+-behaviour(gen_server).
+
+-define(THIRTY_MINUTES_IN_MS, 30 * 60 * 1000).
+
+-export([init/1, start_link/0]).
+
+-export([code_change/3, handle_call/3, handle_cast/2,
+ handle_info/2, terminate/2]).
+
+-export([reload_acceptor/0]).
+
+-record(state, {timer_ref :: timer:tref()}).
+
+-type state() :: #state{}.
+
+-spec start_link() -> ignore | {error, _} | {ok, pid()}.
+
+start_link() ->
+ gen_server:start_link({local, ?MODULE}, ?MODULE, [],
+ []).
+
+-spec init([]) -> {ok, state()}.
+
+init([]) ->
+ TimerReference = erlang:send_after(?THIRTY_MINUTES_IN_MS, self(), reload_acceptor),
+ erlang:send(self(), reload_acceptor),
+ {ok, #state{timer_ref = TimerReference}}.
+
+%%%-------------------------------------------------------------------
+%%% GenServer callbacks
+%%%-------------------------------------------------------------------
+-spec handle_call(_, _, State) -> {stop,
+ not_implemented, State}.
+
+handle_call(_M, _F, State) ->
+ {stop, not_implemented, State}.
+
+-spec handle_cast(_, State) -> {stop, not_implemented,
+ State}.
+
+handle_cast(_M, State) ->
+ {stop, not_implemented, State}.
+
+-spec handle_info(reload_acceptor, _) -> {noreply, _}.
+
+handle_info(reload_acceptor, State = #state{timer_ref = TimerReference}) ->
+ _ = erlang:cancel_timer(TimerReference, [{async, true}, {info, false}]),
+ TRef = erlang:send_after(?THIRTY_MINUTES_IN_MS, self(), reload_clr_file),
+ ok = reload_acceptor(),
+ {noreply, State#state{timer_ref = TRef}}.
+
+-spec terminate(_, state()) -> ok.
+
+terminate(_Reason, State) ->
+ _ = erlang:cancel_timer(State#state.timer_ref, [{async, true}, {info, false}]),
+ ok.
+ +-spec code_change(_, _, _) -> {ok, _}. + +code_change(_OldVersion, State, _Extra) -> {ok, State}. + +%%%------------------------------------------------------------------- +%%% Internal functions +%%%------------------------------------------------------------------- +reload_acceptor() -> + supervisor:terminate_child(epp_proxy_sup, epp_tls_acceptor), + supervisor:restart_child(epp_proxy_sup, epp_tls_acceptor), + ok. diff --git a/apps/epp_proxy/src/epp_tls_worker.erl b/apps/epp_proxy/src/epp_tls_worker.erl index 1941251..e5880a5 100644 --- a/apps/epp_proxy/src/epp_tls_worker.erl +++ b/apps/epp_proxy/src/epp_tls_worker.erl @@ -7,7 +7,7 @@ -include("epp_proxy.hrl"). %% gen_server callbacks --export([handle_call/3, handle_cast/2, init/1, +-export([handle_call/3, handle_cast/2, init/1, handle_info/2, start_link/1]). -export([code_change/3]). @@ -56,7 +56,7 @@ handle_cast(greeting, headers => Headers, cl_trid => nomatch}), {_Status, Body} = epp_http_client:request(Request), - frame_to_socket(Body, Socket), + frame_to_socket(Body, Socket, State), gen_server:cast(self(), process_command), {noreply, State#state{socket = Socket, session_id = SessionId}}; @@ -93,7 +93,7 @@ handle_cast(process_command, cl_trid => ClTRID}) end, {_Status, Body} = epp_http_client:request(Request), - frame_to_socket(Body, Socket), + frame_to_socket(Body, Socket, State), %% On logout, close the socket. %% Else, go back to the beginning of the loop. if Command =:= "logout" -> 
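Review bot: `handle_info(reload_acceptor, ...)` re-arms the timer with the message `reload_clr_file`, but the only `handle_info/2` clause matches `reload_acceptor`, so the second tick 30 minutes later kills the monitor with `function_clause`; the supervisor restarts it and `init/1` reloads the acceptor again, which hides the bug but turns every periodic reload into a logged crash that counts toward `epp_proxy_sup`'s restart intensity. The memory_monitor hunk further down has the same defect (it re-arms with `reload_clr_file` while its clause matches `log_usage`); the fix is `TRef = erlang:send_after(?THIRTY_MINUTES_IN_MS, self(), reload_acceptor),` here and the `log_usage` atom there. `reload_acceptor/0` also ignores the results of `supervisor:terminate_child/2` and `supervisor:restart_child/2`, so a restart that fails (for example the acceptor's `init/1` rejecting a bad CRL directory) still returns `ok` and leaves the listener down; matching `ok = supervisor:terminate_child(...)` and the `{ok, _}` / `{ok, _, _}` results of `restart_child` would make that loud. Finally, `erlang:send_after/3` returns a `reference()`, so the `timer:tref()` type on `#state.timer_ref` is stale, and `-spec handle_info(reload_acceptor, _)` should name `state()` once the message atoms agree.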
@@ -109,16 +109,25 @@ handle_cast(process_command, handle_call(_E, _From, State) -> {noreply, State}. +handle_info(ssl_closed, State) -> + {stop, normal, State}; +handle_info(_Info, State) -> + {noreply, State}. + code_change(_OldVersion, State, _Extra) -> {ok, State}. %% Wrap a message in EPP frame, and then send it to socket. -frame_to_socket(Message, Socket) -> +frame_to_socket(Message, Socket, State) -> Length = epp_util:frame_length_to_send(Message), ByteSize = <>, CompleteMessage = <>, - write_line(Socket, CompleteMessage). + write_line(Socket, CompleteMessage, State). -write_line(Socket, Line) -> ok = ssl:send(Socket, Line). +write_line(Socket, Line, State) -> + case ssl:send(Socket, Line) of + ok -> ok; + {error, closed} -> {stop, normal, State} + end. frame_from_socket(Socket, State) -> case ssl:recv(Socket, 0, ?DefaultTimeout) of diff --git a/apps/epp_proxy/src/memory_monitor.erl b/apps/epp_proxy/src/memory_monitor.erl index 58b2c3b..b2d0612 100644 --- a/apps/epp_proxy/src/memory_monitor.erl +++ b/apps/epp_proxy/src/memory_monitor.erl @@ -34,8 +34,7 @@ start_link() -> -spec init([]) -> {ok, state()}. init([]) -> - {ok, TimerReference} = - timer:send_interval(?THIRTY_MINUTES_IN_MS, log_usage), + TimerReference = erlang:send_after(?THIRTY_MINUTES_IN_MS, self(), log_usage), erlang:send(self(), log_usage), {ok, #state{timer_ref = TimerReference}}. 
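Review bot: The `{stop, normal, State}` that `write_line/3` now returns on `{error, closed}` never reaches gen_server: both call sites in the earlier hunks of this file (`frame_to_socket(Body, Socket, State),` in `handle_cast(greeting, ...)` and in `handle_cast(process_command, ...)`) discard the result and go on to cast `process_command` and return `{noreply, ...}`, so a worker whose client has gone keeps running, and any other send error (`{error, timeout}`, a posix reason) is a `case_clause` crash instead of the intended clean stop. Returning the `ssl:send/2` result unchanged and letting the callbacks decide, as below, puts the stop where gen_server can act on it. Separately, the new `handle_info(ssl_closed, State)` clause matches a bare atom whereas the ssl application delivers `{ssl_closed, Socket}` as a tuple, so it falls into the catch-all clause and should read `handle_info({ssl_closed, _Socket}, State) -> {stop, normal, State};`; and since this worker reads with `ssl:recv/3` in `frame_from_socket`, the socket is presumably passive and would never deliver that message anyway, which is worth confirming against the accept options. The enclosing `handle_cast(process_command, ...)` clause starts outside this hunk.
```erlang
%% Wrap a message in EPP frame, and then send it to socket.
%% Returns ok | {error, Reason} from ssl:send/2; the callback that
%% called us decides whether to stop.
frame_to_socket(Message, Socket, State) ->
    Length = epp_util:frame_length_to_send(Message),
    %% … unchanged: ByteSize and CompleteMessage construction …
    write_line(Socket, CompleteMessage, State).

write_line(Socket, Line, _State) -> ssl:send(Socket, Line).

%% Call site in handle_cast(greeting, ...); process_command needs the same shape.
    case frame_to_socket(Body, Socket, State) of
        ok ->
            gen_server:cast(self(), process_command),
            {noreply, State#state{socket = Socket, session_id = SessionId}};
        {error, _Reason} ->
            {stop, normal, State}
    end;
```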
@@ -56,13 +55,17 @@ handle_cast(_M, State) -> -spec handle_info(log_usage, _) -> {noreply, _}. -handle_info(log_usage, State) -> - ok = log_memory(), {noreply, State}. +handle_info(log_usage, State = #state{timer_ref = TimerReference}) -> + _ = erlang:cancel_timer(TimerReference, [{async, true}, {info, false}]), + TRef = erlang:send_after(?THIRTY_MINUTES_IN_MS, self(), reload_clr_file), + ok = log_memory(), + {noreply, State#state{timer_ref = TRef}}. -spec terminate(_, state()) -> ok. terminate(_Reason, State) -> - {ok, cancel} = timer:cancel(State#state.timer_ref), ok. + _ = erlang:cancel_timer(State#state.timer_ref, [{async, true}, {info, false}]), + ok. -spec code_change(_, _, _) -> {ok, _}. diff --git a/apps/epp_proxy/test/tls_client_SUITE.erl b/apps/epp_proxy/test/tls_client_SUITE.erl index 2a983f3..b7a596f 100644 --- a/apps/epp_proxy/test/tls_client_SUITE.erl +++ b/apps/epp_proxy/test/tls_client_SUITE.erl @@ -14,7 +14,8 @@ invalid_command_test_case/1, missing_command_test_case/1, error_test_case/1, - revoked_cert_test_case/1]). + revoked_cert_test_case/1, + second_revoked_session_test_case/1]). all() -> [frame_size_test_case, @@ -26,11 +27,13 @@ all() -> invalid_command_test_case, missing_command_test_case, error_test_case, - revoked_cert_test_case]. + revoked_cert_test_case, + second_revoked_session_test_case]. init_per_suite(Config) -> application:ensure_all_started(epp_proxy), application:ensure_all_started(hackney), + ok = application:set_env(epp_proxy, crlfile_path, "test_ca/crl/first"), CWD = code:priv_dir(epp_proxy), Options = [binary, {certfile, filename:join(CWD, "test_ca/certs/client.crt.pem")}, 
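Review bot: `ok = application:set_env(epp_proxy, crlfile_path, "test_ca/crl/first")` runs after `application:ensure_all_started(epp_proxy)`, so the acceptor has already read `crlfile_path` from config/test.config by the time the suite overrides it; the two values happen to agree in this commit, but the line documents an ordering that silently does nothing once they differ, and the monitor's immediate reload at boot may or may not run after the override, which makes the outcome timing-dependent. Either move the `set_env` above `ensure_all_started`, or follow it with `ok = epp_tls_monitor:reload_acceptor(),` so the value is actually applied. If the intent is only to make the suite self-describing, a comment stating that the value must match config/test.config would avoid the trap.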
@@ -40,7 +43,12 @@ init_per_suite(Config) -> {certfile, filename:join(CWD, "test_ca/certs/revoked.crt.pem")}, {keyfile, filename:join(CWD, "test_ca/private/revoked.key.pem")}, {active, false}], - [{ssl_options, Options}, {revoked_options, RevokedOptions} | Config]. + SecondRevokedOptions = [binary, + {certfile, filename:join(CWD, "test_ca/certs/revoked2.crt.pem")}, + {keyfile, filename:join(CWD, "test_ca/private/revoked2.key.pem")}, + {active, false}], + [{ssl_options, Options}, {revoked_options, RevokedOptions}, + {second_revoked_options, SecondRevokedOptions} | Config]. end_per_suite(Config) -> application:stop(epp_proxy), @@ -109,6 +117,22 @@ session_test_case(Config) -> {error, closed} = receive_data(Socket), ok. + + +second_revoked_session_test_case(Config) -> + ok = application:set_env(epp_proxy, crlfile_path, "test_ca/crl/second"), + + epp_tls_monitor ! reload_acceptor, + ct:sleep({seconds, 5}), + Options = proplists:get_value(second_revoked_options, Config), + + {error, Error} = ssl:connect("localhost", 1443, Options, 2000), + {tls_alert, + {certificate_revoked, + "received CLIENT ALERT: Fatal - Certificate Revoked"}} = Error, +%% "TLS client: In state cipher received SERVER ALERT: Fatal - Certificate Revoked\n "}} = Error, + ok. + valid_command_test_case(Config) -> Options = proplists:get_value(ssl_options, Config), {ok, Socket} = ssl:connect("localhost", 1443, Options, 2000), @@ -215,6 +239,7 @@ revoked_cert_test_case(Config) -> {tls_alert, {certificate_revoked, "received CLIENT ALERT: Fatal - Certificate Revoked"}} = Error, +%% "TLS client: In state cipher received SERVER ALERT: Fatal - Certificate Revoked\n "}} = Error, ok. %% Helper functions: diff --git a/config/sys.config b/config/sys.config index c2f3ae4..5972988 100644 --- a/config/sys.config +++ b/config/sys.config 
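Review bot: `second_revoked_session_test_case` triggers the reload by sending the raw `reload_acceptor` message to the monitor and then `ct:sleep({seconds, 5})` to guess when the restart is done, which makes the case slow and timing-dependent. `epp_tls_monitor:reload_acceptor/0` is exported and synchronous (`supervisor:terminate_child/2` and `restart_child/2` both block until the child has stopped or started), so `ok = epp_tls_monitor:reload_acceptor(),` replaces both lines with no sleep, provided the acceptor opens its listener in `init/1`; otherwise a short `ssl:connect` retry loop is still preferable to a fixed sleep. The case also leaves `crlfile_path` pointing at `test_ca/crl/second` for every later case (including `revoked_cert_test_case`), which should be restored in `end_per_testcase` or stated in the case so later failures are attributable. The commented-out `%% "TLS client: In state cipher ..."` line here and in the `revoked_cert_test_case` hunk is dead text; either drop it or turn it into a comment explaining which OTP version produces that alternate alert string.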
@@ -26,7 +26,7 @@ {keyfile_path, "/opt/shared/ca/certs/key.pem"}, %% Path to CRL file. When this option is undefined, no CRL check is performed. - {crlfile_path, "/opt/shared/ca/certs/key.pem"}]}, + {crlfile_path, "/opt/shared/ca/crl/"}]}, {lager, [ {handlers, [ {lager_console_backend, [{level, debug}]}, diff --git a/config/test.config b/config/test.config index 61b7a2c..cbfd20f 100644 --- a/config/test.config +++ b/config/test.config @@ -12,7 +12,7 @@ {cacertfile_path, "test_ca/certs/ca.crt.pem"}, {certfile_path, "test_ca/certs/apache.crt"}, {keyfile_path, "test_ca/private/apache.key"}, - {crlfile_path, "test_ca/crl/crl.pem"}]}, + {crlfile_path, "test_ca/crl/first"}]}, {lager, [ diff --git a/rebar.config b/rebar.config index 3f6979f..23f7594 100644 --- a/rebar.config +++ b/rebar.config @@ -14,7 +14,7 @@ sasl, erlsom]}, - {sys_config, "./config/sys.config"}, + {sys_config, "./config/test.config"}, {dev_mode, false}, {vm_args, "./config/vm.args"},
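Review bot: The context comment `%% Path to CRL file. When this option is undefined, no CRL check is performed.` now describes a directory of hash-named CRLs, not a file, and says nothing about the `c_rehash` requirement the README hunk introduces; suggest `%% Directory of CRL files named by issuer hash (c_rehash layout). When undefined, no CRL check is performed.` above the new `crlfile_path` value. The trailing slash in `"/opt/shared/ca/crl/"` is presumably harmless for `ssl_crl_hash_dir` but differs from the other paths in this block. Relatedly, the rebar.config hunk at the end of this page repoints `{sys_config, ...}` from `./config/sys.config` to `./config/test.config`, which would build the release with the test CA, the committed test keys and the `test_ca/crl/first` directory instead of this production configuration; if that is not intentional it should be reverted before this lands.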