From 68f85d9f1abc2b66a6a9a0bd970d42f37395f217 Mon Sep 17 00:00:00 2001 From: James Kasten Date: Thu, 28 Jun 2012 22:15:17 -0400 Subject: [PATCH] Added READMEs for SNI Challenge, renamed variables, added options-ssl-conf --- client-webserver/README | 5 ++++ client-webserver/options-ssl.conf | 24 +++++++++++++++++++ client-webserver/sni_challenge.py | 24 ++++++++++++------- server-ca/sni_challenge/README | 4 ++++ .../sni_challenge/verify_sni_challenge.py | 11 ++++++--- 5 files changed, 56 insertions(+), 12 deletions(-) create mode 100644 client-webserver/options-ssl.conf create mode 100644 server-ca/sni_challenge/README diff --git a/client-webserver/README b/client-webserver/README index 265678b1e..8bb971b3e 100644 --- a/client-webserver/README +++ b/client-webserver/README @@ -12,3 +12,8 @@ chocolate.py - server-side, requires web.py (python-webpy), client.py - experimental tool for making requests and parsing replies chocolate_protocol.proto - protocol definition; needs protobuf-compiler + +sni_challenge - Assumes Apache server with name based virtual hosts is running (for intended address). + Call perform_sni_cert_challenge(address, r, nonce) to do the whole challenge. + Example code is given in main method + Right now requires full path specification of CSR/KEY in the Global Variables (how should this be specified?) diff --git a/client-webserver/options-ssl.conf b/client-webserver/options-ssl.conf new file mode 100644 index 000000000..a7f1f9d5b --- /dev/null +++ b/client-webserver/options-ssl.conf @@ -0,0 +1,24 @@ +# Baseline setting to Include for SSL sites + +SSLEngine On +SSLProtocol -all +SSLv3 +TLSv1 +SSLCipherSuite HIGH:!aNULL:!ADH:!EXP:!SSLv2:!MD5:@STRENGTH +SSLHonorCipherOrder on + +ServerSignature Off +AcceptPathInfo Off +AddOutputFilterByType DEFLATE text/html text/plain text/xml application/pdf +AddDefaultCharset UTF-8 + +SSLOptions +StrictRequire + +# Add vhost name to log entries: +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined +LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common + +CustomLog /var/log/apache2/access.log vhost_combined +LogLevel warn +ErrorLog /var/log/apache2/error.log + +# Always ensure Cookies have "Secure" set (JAH 2012/1) +#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" diff --git a/client-webserver/sni_challenge.py b/client-webserver/sni_challenge.py index eef42cd75..4c953c98b 100644 --- a/client-webserver/sni_challenge.py +++ b/client-webserver/sni_challenge.py @@ -5,7 +5,6 @@ from Crypto.PublicKey import RSA from Crypto import Random import hmac import hashlib -import random from shutil import move from os import remove, close @@ -16,11 +15,12 @@ SERVER_BASE = "/etc/apache2/" CHOC_CERT = CHOC_DIR + "choc.crt" CSR = CHOC_DIR + "choc.csr" CHOC_CERT_CONF = "choc_cert_extensions.cnf" +OPTIONS_SSL_CONF = CHOC_DIR + "options-ssl.conf" APACHE_CHALLENGE_CONF = CHOC_DIR + "choc_sni_cert_challenge.conf" -S_SIZE = 20 +S_SIZE = 32 +NONCE_SIZE = 32 def findApacheConfigFile(): - #return CHOC_DIR + "demo_apache.conf" #This needs to be fixed to account for multiple httpd.conf files try: p = subprocess.check_output(["sudo", "find", "/", "-name", "httpd.conf"], stderr=open("/dev/null")) @@ -40,7 +40,7 @@ UseCanonicalName on \n \ \n \ LimitRequestBody 1048576 \n \ \n \ -Include " + CHOC_DIR + "options-ssl.conf \n \ +Include " + OPTIONS_SSL_CONF + " \n \ SSLCertificateFile " + CHOC_CERT + " \n \ SSLCertificateKeyFile " + CHOC_KEY + " \n \ \n \ @@ -109,12 +109,12 @@ def apache_restart(): subprocess.call(["sudo", "/etc/init.d/apache2", "reload"]) #main call -def perform_sni_cert_challenge(encryptedValue, nonce): - ext = generateExtension(encryptedValue) +def perform_sni_cert_challenge(address, r, nonce): + ext = generateExtension(r) createChallengeCert(ext) #Need to decide the form of nonce - modifyApacheConfig(findApacheConfigFile(), nonce, "127.0.0.1") + modifyApacheConfig(findApacheConfigFile(), nonce, address) apache_restart() def main(): @@ -123,8 +123,14 @@ def main(): #the second parameter is ignored #https://www.dlitz.net/software/pycrypto/api/current/ - encryptedValue = testkey.encrypt('0x12345678', 0) - perform_sni_cert_challenge(encryptedValue, "nonce") + + r = Random.get_random_bytes(S_SIZE) + r = "testValueForR" + nonce = Random.get_random_bytes(NONCE_SIZE) + nonce = "nonce" + + y = testkey.encrypt(r, 0) + perform_sni_cert_challenge("127.0.0.1", y, nonce) if __name__ == "__main__": main() diff --git a/server-ca/sni_challenge/README b/server-ca/sni_challenge/README new file mode 100644 index 000000000..77de042d7 --- /dev/null +++ b/server-ca/sni_challenge/README @@ -0,0 +1,4 @@ +Open make.sh and change second command to point to your include/pythonX.X implementation. +Run make.sh + +Run: make a call to verify_challenge(address, r, nonce). Nonce and r must match up to original challenge values. Example code is given in main(). \ No newline at end of file diff --git a/server-ca/sni_challenge/verify_sni_challenge.py b/server-ca/sni_challenge/verify_sni_challenge.py index b0312d3bb..bad782af3 100644 --- a/server-ca/sni_challenge/verify_sni_challenge.py +++ b/server-ca/sni_challenge/verify_sni_challenge.py @@ -1,9 +1,11 @@ import M2Crypto +from Crypto import Random import sni_support import hmac import hashlib -S_SIZE = 20 +S_SIZE = 32 +NONCE_SIZE = 32 def check(one, two, three, four, five): print "done" @@ -61,13 +63,16 @@ def main(): #Testing the example sni_challenge from Crypto.PublicKey import RSA + nonce = Random.get_random_bytes(NONCE_SIZE) nonce = "nonce" testkey = RSA.importKey(open("testing.key").read()) #the second parameter is ignored #https://www.dlitz.net/software/pycrypto/api/current/ - encryptedValue = testkey.encrypt('0x12345678', 0) - valid, response = verify_challenge("127.0.0.1", '0x12345678', nonce) + r = Random.get_random_bytes(NONCE_SIZE) + r = "testValueForR" + encryptedValue = testkey.encrypt(r, 0) + valid, response = verify_challenge("127.0.0.1", r, nonce) print response if __name__ == "__main__":