use https
parent
42aa1d8f0a
commit
d98f78db85
|
@ -38,6 +38,10 @@ chmod 0700 psk
|
||||||
openssl genrsa -out ca.key 4096
|
openssl genrsa -out ca.key 4096
|
||||||
CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
|
CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
|
||||||
|
|
||||||
|
# create key for the server and sign it with the CA
|
||||||
|
CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr
|
||||||
|
openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
|
||||||
|
|
||||||
# create example client CSR for testing (check openssl.cnf against "psk" file)
|
# create example client CSR for testing (check openssl.cnf against "psk" file)
|
||||||
CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr
|
CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr
|
||||||
|
|
||||||
|
@ -45,7 +49,7 @@ CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client
|
||||||
nix-build && result/bin/certifix --challenge-password psk --certificate ca.crt --private-key ca.key localhost:19613
|
nix-build && result/bin/certifix --challenge-password psk --certificate ca.crt --private-key ca.key localhost:19613
|
||||||
|
|
||||||
# send it
|
# send it
|
||||||
curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr http://localhost:8201/sign
|
curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr https://localhost:19613/sign
|
||||||
```
|
```
|
||||||
|
|
||||||
## Background
|
## Background
|
||||||
|
|
30
main.fnl
30
main.fnl
|
@ -2,7 +2,8 @@
|
||||||
|
|
||||||
(local server (require :http.server))
|
(local server (require :http.server))
|
||||||
(local headers (require :http.headers))
|
(local headers (require :http.headers))
|
||||||
(local ssl (require :openssl))
|
(local htls (require :http.tls))
|
||||||
|
(local ctx (require :openssl.ssl.context))
|
||||||
(local csr (require :openssl.x509.csr))
|
(local csr (require :openssl.x509.csr))
|
||||||
(local x509 (require :openssl.x509))
|
(local x509 (require :openssl.x509))
|
||||||
(local pkey (require :openssl.pkey))
|
(local pkey (require :openssl.pkey))
|
||||||
|
@ -53,10 +54,14 @@
|
||||||
|
|
||||||
(fn parse-args [args]
|
(fn parse-args [args]
|
||||||
(match args
|
(match args
|
||||||
["--certificate" f & rest]
|
["--ca-certificate" f & rest]
|
||||||
(assoc (parse-args rest) :certificate (slurp f))
|
(assoc (parse-args rest) :ca-certificate (slurp f))
|
||||||
["--private-key" f & rest]
|
["--ca-private-key" f & rest]
|
||||||
(assoc (parse-args rest) :private-key (slurp f))
|
(assoc (parse-args rest) :ca-private-key (slurp f))
|
||||||
|
["--server-certificate" f & rest]
|
||||||
|
(assoc (parse-args rest) :server-certificate (slurp f))
|
||||||
|
["--server-private-key" f & rest]
|
||||||
|
(assoc (parse-args rest) :server-private-key (slurp f))
|
||||||
["--challenge-password" f & rest]
|
["--challenge-password" f & rest]
|
||||||
(assoc (parse-args rest) :challenge-password (read-line f))
|
(assoc (parse-args rest) :challenge-password (read-line f))
|
||||||
[bind-address] { : bind-address }
|
[bind-address] { : bind-address }
|
||||||
|
@ -66,13 +71,15 @@
|
||||||
(doto
|
(doto
|
||||||
(parse-args arg)
|
(parse-args arg)
|
||||||
(case
|
(case
|
||||||
{: certificate : private-key : challenge-password : bind-address}
|
{: ca-certificate : ca-private-key
|
||||||
|
: server-certificate : server-private-key
|
||||||
|
: challenge-password : bind-address}
|
||||||
true
|
true
|
||||||
_
|
_
|
||||||
(assert nil "missing required command line params"))))
|
(assert nil "missing required command line params"))))
|
||||||
|
|
||||||
(local ca-key (pkey.new options.private-key))
|
(local ca-key (pkey.new options.ca-private-key))
|
||||||
(local ca-crt (x509.new options.certificate))
|
(local ca-crt (x509.new options.ca-certificate))
|
||||||
|
|
||||||
(fn new-crt [csr]
|
(fn new-crt [csr]
|
||||||
(let [crt
|
(let [crt
|
||||||
|
@ -110,6 +117,11 @@
|
||||||
_
|
_
|
||||||
(send-error out 404 "not found"))))
|
(send-error out 404 "not found"))))
|
||||||
|
|
||||||
|
(fn ssl-context []
|
||||||
|
(doto (htls.new_server_context)
|
||||||
|
(: :setCertificate (x509.new options.server-certificate))
|
||||||
|
(: :setPrivateKey (pkey.new options.server-private-key))))
|
||||||
|
|
||||||
(fn new-server []
|
(fn new-server []
|
||||||
(let [(addr port) (string.match options.bind-address "(.+):(%d+)$")]
|
(let [(addr port) (string.match options.bind-address "(.+):(%d+)$")]
|
||||||
(ncall (server.listen
|
(ncall (server.listen
|
||||||
|
@ -117,6 +129,8 @@
|
||||||
:host addr
|
:host addr
|
||||||
:port (tonumber port)
|
:port (tonumber port)
|
||||||
:onstream on-stream
|
:onstream on-stream
|
||||||
|
:tls true
|
||||||
|
:ctx (ssl-context)
|
||||||
}))))
|
}))))
|
||||||
|
|
||||||
(let [s (new-server)]
|
(let [s (new-server)]
|
||||||
|
|
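Review bot: The README example at the `nix-build && result/bin/certifix` line in this same commit still passes `--certificate ca.crt --private-key ca.key` and no server key pair, but parse-args now only recognises `--ca-certificate`/`--ca-private-key` and the `case` pattern additionally requires `:server-certificate` and `:server-private-key`, so the documented invocation ends in `(assert nil "missing required command line params")`. The example should read `result/bin/certifix --challenge-password psk --ca-certificate ca.crt --ca-private-key ca.key --server-certificate server.crt --server-private-key server.key localhost:19613`, and since the curl line now targets https with a certificate issued by the local CA, it should carry `--cacert ca.crt` instead of relying on the system trust store. The added `(local ctx (require :openssl.ssl.context))` is not referenced in any visible hunk — ssl-context builds its context with `htls.new_server_context` — so it appears unused unless a part of main.fnl outside these hunks needs it. A short comment above ssl-context such as `;; server-side TLS identity only: new_server_context supplies lua-http's cipher/option defaults; callers are still authenticated by the CSR challenge password, not by client certificates` would make the trust model explicit for the next reader, with the second half hedged if client verification is configured elsewhere. The top-level forms around ssl-context and new-server continue outside the hunks.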