default_keyfile and a private_key file. The openssl.cnf default_keyfile can be created with the following command: openssl genrsa -out default_keyfile.pem 2048
The next command will create the private_key for openssl.cnf.
openssl req -new -x509 -days 1825 -keyout private_key.pem -out cacert.pem
The cacert.pem will be the SSL_CLIENT_CERT distributed with the client. The client will use this to verify the signature of the server's certificate.
<SSL_CLIENT_CERT>
/usr/local/ssl/cacert.pem
</SSL_CLIENT_CERT>
server.key is the server's private key. The server.csr is the server's certificate request. The request will need to be signed using the private_key.pem from the previous step.
openssl req -new -nodes -keyout server.key -out server.csr
The server will need the private key in the config file.
<SSL_PRIVATE_KEY>
/usr/local/ssl/server.key
</SSL_PRIVATE_KEY>
Now, sign this certificate. The signed certificate will be used by the server for identification.
openssl ca -out server.crt -infiles server.csr
<SSL_SERVER_CERT>
/usr/local/ssl/server.crt
</SSL_SERVER_CERT>
<ESCROW>
<RSA_MODULUS>
00:c6:83:9f:08:79:d0:60:66:dc:52:52:c1:52:f4:
60:8d:6e:40:57:60:ee:5a:9c:f4:28:9c:30:ca:05:
e9:f7:82:2e:53:48:15:3b:47:89:cd:76:de:04:09:
fe:fb:b9:48:63:e8:5c:dd:2e:60:b7:d6:47:34:4e:
9b:1f:9b:9d:77
</RSA_MODULUS>
<RSA_PUBLIC>
10001
</RSA_PUBLIC>
<SSL_SERVER_CERT>
/usr/local/ssl/server.crt
</SSL_SERVER_CERT>
<SSL_PRIVATE_KEY>
/usr/local/ssl/server.key
</SSL_PRIVATE_KEY>
<SERVER_NAME>
lagrange.wfunet.wfu.edu
</SERVER_NAME>
<TCP_PORT>
1111
</TCP_PORT>
<ADMIN_SUBNET_MASK>
10.255.255.255
</ADMIN_SUBNET_MASK>
<LDAP_URI> ldaps://ldap.wfu.edu/ </LDAP_URI>
<LDAP_DN> o=WFU,c=US </LDAP_DN>
<MYSQL_DB> wfu_mysql_db </MYSQL_DB>
<MYSQL_USER> wfu_mysql_user </MYSQL_USER>
<MYSQL_PASS> wfu_mysql_passwd </MYSQL_PASS>
<MYSQL_HOST> localhost </MYSQL_HOST>
<MYSQL_PORT> 3306 </MYSQL_PORT>
</ESCROW>
/* * libwfu - A Key Escrow Client/Server and API for TrueCrypt. * Copyright (C) 2007 Wake Forest University * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or (at * your option) any later version. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. * * Author: J. Mike Rollins <rollins@wfu.edu> and Carl Fulp <fulpc@wfu.edu> */ /* * This file is derived from a sample application provided in the OpenSSL source. * The sample application was written by Tim Hudson (tjh@cryptsoft.com) * inetdserv.cpp - Minimal ssleay server for Unix inetd.conf * 30.9.1996, Sampo Kellomaki <sampo@iki.fi> */ #include <stdio.h> #include <errno.h> #include <openssl/rsa.h> #include <openssl/crypto.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/ssl.h> #include <openssl/err.h> #include "WFU.h" #include "libconfig.h" #include "common.h" #include "server.h" #include "server_parameters.h" #include <unistd.h> #include <signal.h> #define TIMEOUT 60 #define WFU_ERR_SSL_NULL_X (WFU_ERR_SSL_NULL | WFU_ERR_SSL) void timeout(int sig) { WFU_log("Alarm signal received: Exiting."); exit(1); } int main (int argc, char *argv[]) { int err; SSL_CTX* ctx; SSL* ssl; X509* client_cert; char* str; SSL_METHOD *meth; char configuration_file[WFU_MAX_FILE_NAME_LEN]; char client_ip[WFU_MAX_IP_LEN]; /* Set the timeout */ alarm(TIMEOUT); (void) signal(SIGALRM, (void*)timeout); if (argc != 2) { WFU_log("Error must provide a configuration file as the only argument to this program."); exit(1); } memset(configuration_file,0,sizeof(configuration_file)); strncpy(configuration_file,argv[1],WFU_MAX_FILE_NAME_LEN); //NOTE: check that file exists WFU_parse_config(configuration_file); struct sockaddr_in addr; int addr_len = sizeof(addr); if (! getpeername(fileno(stdin), (struct sockaddr *)&addr, &addr_len) != 0 ) { str = inet_ntoa(addr.sin_addr); if (! str) { WFU_log("Error obtaining IP address of client."); exit(1); } strncpy(client_ip, str, WFU_MAX_IP_LEN); snprintf(wfu_log_buffer,LOG_BUFFER_SIZE,"Connection from %s:%d\n", client_ip, ntohs(addr.sin_port)); WFU_log(NULL); } else WFU_CHK_RET("SERVER: getpeername() failed", WFU_ERR_SSL_NULL_X, 1); SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); meth = SSLv23_method(); ctx = SSL_CTX_new (meth); if (!ctx) { WFU_log("SERVER: failed to init SSL Context."); exit(1); } WFU_debug("SERVER: Reading certificate file."); err = SSL_CTX_use_certificate_file (ctx, WFU_get_server_cert_file(), SSL_FILETYPE_PEM); WFU_CHK_NEG(err, "SERVER: use_certificate_file failed", WFU_ERR_SSL_NULL_X, 1); WFU_debug("SERVER: Reading private key file."); err = SSL_CTX_use_PrivateKey_file (ctx, WFU_get_server_privkey_file(), SSL_FILETYPE_PEM); WFU_CHK_NEG(err, "SERVER: use_PrivateKey_file failed", WFU_ERR_SSL_NULL_X, 1); /* inetd has already opened the TCP connection, so we can get right down to business. */ WFU_debug("SERVER: Creating new SSL context."); ssl = SSL_new (ctx); WFU_CHK_NULL(ssl, "SERVER: SSL structure is NULL", WFU_ERR_SSL_NULL_X, 1); SSL_set_fd (ssl, fileno(stdin)); WFU_debug("SERVER: Connecting to socket."); err = SSL_accept (ssl); if (err < 0) WFU_CHK_SSL_4(ssl, err, WFU_ERR_SSL_NULL_X, 1); /* Get the cipher - opt */ snprintf(wfu_log_buffer,LOG_BUFFER_SIZE,"SERVER: SSL connection using %s", SSL_get_cipher (ssl)); WFU_debug(NULL); /* Get client's certificate (note: beware of dynamic allocation) - opt */ client_cert = SSL_get_peer_certificate (ssl); if (client_cert != NULL) { str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0); WFU_CHK_NULL(str, "SERVER: Null string", WFU_ERR_SSL_NULL_X, 1); snprintf(wfu_log_buffer,LOG_BUFFER_SIZE,"SERVER: Client certificate subject: %s", str); WFU_debug(NULL); OPENSSL_free (str); str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0); WFU_CHK_NULL(str, "SERVER: Null string", WFU_ERR_SSL_NULL_X, 1); snprintf(wfu_log_buffer,LOG_BUFFER_SIZE,"SERVER: Client certificate issuer: %s", str); WFU_debug(NULL); OPENSSL_free (str); /* We could do all sorts of certificate verification stuff here before deallocating the certificate. */ X509_free (client_cert); } else WFU_debug("SERVER: Client does not have certificate."); WFU_debug("SERVER: Sending control over to the WFU_server_dispatch function."); (void) WFU_server_dispatch(ssl,client_ip); /* Clean up. */ SSL_free (ssl); SSL_CTX_free (ctx); WFU_log("SERVER: normal exit."); return 0; }
1.3.9.1