crypto

Author: VivekSubr

crypto/README.md

@@ -0,0 +1,13 @@
+------------------------------------------------
+A note on self signed certificates. 
+------------------------------------------------
+The ca cert generated by 'generate_tls_cert.sh' is self signed. Self signed certificates are created without reference to any
+authority, and hence will have 'subject' and 'issuer' fields as same.
+
+openssl x509 -in ca-crt -noout -issuer
+issuer=C = US, ST = Denial, L = Springfield, O = Dis, CN = litest.com
+
+openssl x509 -in ca-crt -noout -subject
+subject=C = US, ST = Denial, L = Springfield, O = Dis, CN = litest.com
+
+Hence it is own ca cert: openssl verify -CAfile ca-crt ca-crt

crypto/certs/CA-CERT

@@ -0,0 +1,66 @@
+-----BEGIN CERTIFICATE-----
+MIIFezCCA2OgAwIBAgIDEAISMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYTAlVT
+MQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQwwCgYDVQQK
+DANEaXMxEzARBgNVBAMMCmxpdGVzdC5jb20wHhcNMjEwNDE1MTMzNDMxWhcNMzEw
+NDEzMTMzNDMxWjBBMQswCQYDVQQGEwJVUzEPMA0GA1UECAwGRGVuaWFsMQwwCgYD
+VQQKDANEaXMxEzARBgNVBAMMCmxpdGVzdC5jb20wggIiMA0GCSqGSIb3DQEBAQUA
+A4ICDwAwggIKAoICAQDIY8JMwxElMOd0iA8WtSwbWAD51o+3G9A0yYkZzRCMmmFo
+Jt+AWAkIny/mY9wB5P6pLqJD3fpMfi9eiruS/u8azWtgLJUmPnHlH8n/BkRogXem
+TlNzohaQVaH+cyLJ9mJ/Y718l2b8kjPCYFvJyjf0QZv8I1jjk+WKVcS7h9FxAGgS
+EJAki2tjCFyjc973SP5aSCqfhvxnGUd+9JlVqlfEGEVjvsTAbcRT5ysbk2AkQeik
+zviA8V17vHRRDs7p+O235ecpQU+abjg0i6HapOqDMRyBxqBLoX8sk5ZJbM5tERki
+RCU6d2LZXZJkd9lxMT+pz3GLQCJQBVAGgzw46uxZC/o9ps0HzsJpsnYVeSQ1aIVp
+d+xo8pfmllXV0h6/k7LpddD7GgcWdAWuwz+5Hflm5wp96MWAj0YC6lVRSkaZFE0b
+2PsKrpUgOYg5BietkJMULwIeZ3B8lsKdHB8dmyN5RTepN//SPuiW+G/PS5ISWpki
+6B0JrqUWEIX/N2xxQ39F7gP7twjgAZlIiGxXQ9gOkokj+fc6UhXq0P+IF0s3S/jC
+oMLAvA6u+xcHoKkXT4z/FcTEGFd91hklSMmrfzQfcbEufloJnmXKpErrfHsG6Ety
+jBpvJA5yKKyKkTUjlX3AYijIvmSZXZoZ6y3Yca3iDm4wpfiVtvMZH7QkQudKhQID
+AQABo2YwZDAdBgNVHQ4EFgQUyg5CGktgLoddPZ1QHWJ1/x2Fzb4wHwYDVR0jBBgw
+FoAUP8d/e2Ex8yl2RYKgVlgsgJrNKK0wEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV
+HQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBACPp4o9dF02piT/zUxdC8y1A
+b9CpzeqvFtE1zRec8yiUX352Lc6K/G9oNofYjCWt4gjcb+iTlXzUDjMMzzEs+DsB
+DvtAmmE0HE94YCBTCSjcn0SGJ6TDQhNn1btCT0YECE8IzGoKzIVUk5JXOrbXUT6j
+zEeIIlvdh5DjRFIEFucp8Nqnd80tazGNdaW/dVmxanp2SL+02bDtxSGSfXr4gtD0
+zL/kD8jdSBbhaqhMTOkUC/5wkj8SUwFdQy7CsBBJb8j6MtU5NSQEWi4axTEc165b
+Pxp6VKc8LofMChrV3uoVj+rdLVcXYaUypK78gIqaa0Rl2S2D3oRi8ynRD2M+4VqZ
+Q+iG36kFeKITbK9JSQ0EcYN6Wp6FBsanaXZQEQggCLsO+DzQYgn4GM/MYEmHi7uu
+6YlZgyo9BjlpZ2EAbsQdreYNX2pbfFTaE5zLhTDnZNMDH5FMfE+L6UBatVoqj/6G
+hO/GcZEJhcprRnvk77hPpYNsr4MwQrsOWU20y4aT+e8EsiNGtqbUbmmQ54bIGoZ5
+iIkSXR7ifkAowqsPipB8lyRwHH0nybE3ZxDWj2ejJV0o/0L3AUH/cEgjjwxNO7KN
+n05LnPjICTysxv3BI6Cy3eb64UaBAQbFhk3XqZl6T3nwcgw5TRkA+ZYH/b4NCK/5
+pDMNTboqXrEpH02poYfs
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFnzCCA4egAwIBAgIUOCQ752A9OPgnSiSMBgITMcikTIowDQYJKoZIhvcNAQEL
+BQAwVzELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRlbmlhbDEUMBIGA1UEBwwLU3By
+aW5nZmllbGQxDDAKBgNVBAoMA0RpczETMBEGA1UEAwwKbGl0ZXN0LmNvbTAeFw0y
+MTA0MTUxMzM0MzBaFw00MTA0MTAxMzM0MzBaMFcxCzAJBgNVBAYTAlVTMQ8wDQYD
+VQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQwwCgYDVQQKDANEaXMx
+EzARBgNVBAMMCmxpdGVzdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQDnc08pi0+hpSW8iao2oXr6slhe7YiNbkM1ZmbS4uh2J+pJsZ91+gqP875Y
+QTP1urCsNhA5dZqyjzWVp7YZvT13riXtF/ZuoK1QAB57fhcNm6FfG59gl07Kgurl
+3l1EcGtwWNGEqCgNxLZKtNXJoQ6YEjR+X+wHCAU+YQByYN6Hs81iUtxMqfNTHydV
+Jh2YBkOjjoSCPZhzDMcdS6l0pQyKGgeU+vp49WscN+kFMC0+t0mDq0imLMatbZz2
+QFVsJcgObG62SHCIR4KeFr32cA4TgC+hEIB8tuJVs8MR+2qheF0XuFpVU/u1f/V0
+ylVap02Sb+v1a5qoI3sgyJkCCj42UxnGzCprh8ENKiSg2huZxN87idiAdyZcwoRl
+KPFFtiRiRiE7a6FE8NnC9n181muUXeozvqaCeveHVkB/UaG0Zj6yHaZYcHHkXGXA
+RclqByV7Cmrhp+HF1izKQ97uM7liO5jhDpEMF3gE2ofJTFHZudBdK8/cXlVOMwys
+tAjqCffslOJtQ6XzabeUeVqhE1cChSr/XPxmVTit+/1aoE9VLsWl0y5vWoIVSKsr
+RTmoFEnLUjlZXs67uxpJQ9f/F7c0cbRc8akNyiqBHEzf29YvtufxYTrzCgEmO46E
+kbGrTESBvm2X7dcxvG30U5QV+SwQlQkPWYsYDFI2/QQUkSwkwQIDAQABo2MwYTAd
+BgNVHQ4EFgQUP8d/e2Ex8yl2RYKgVlgsgJrNKK0wHwYDVR0jBBgwFoAUP8d/e2Ex
+8yl2RYKgVlgsgJrNKK0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYw
+DQYJKoZIhvcNAQELBQADggIBAKuKM9k0oCrWU3BGdCC3Mor2/AESxtIszsFrpOME
+H0LGa4m8Cx1Cs5pceXERDlLYf+n9CMH1JJEYuNfNXhACgiV2OAUwt3kupbox2YEG
+Br5vCosncdJJBkQ5g3Inf5j1LlQ3C4fHKKcAvG9U51BV6fGGs2Ru6siPg/MvwHSW
+L+JExKGHhVAICR61ShL0iKhgAIRafTdyd/455MoA88VYJBZ1IcPpnJ51PhkqzZNJ
+2GaQmLEVWatSwt2aKNkCkzsKXl9N9UYatLkvRcXN76fhb7Puif/m13EqINEC3c1G
+dqRHOsDop6ZZYMmCT+OsBq8zW0yvVd5GryXOUJ+MXbYi+XzABvPvsYcWM5Zd3Rjs
+4layYA8Y6Lj5MHCGgwlYA+KjVcZ61ES6mMoczrAwEQabN+OAJimcI/YqSHLXdb8G
+Z0wb/cE4uzR0pCHTaWJL/9hKRkSQCM6rwR7HPx3zo1c54SDrVWS3sTSDn6q+k8Lz
+E8+QwCPm0+Q2T6Xpkfdl2pbf3nMm0KCQUvkfKAzFbvbQMfnUkw3E9SixbiHHeO9w
+eeQvYjufMQhbyC5YZ+2Da+6ajHAjKrgshR/L7f9ua9lNUMOjH7X7cqJJkohtWET4
+jVZpgTYJrNIqnwB+YK2or6K2kLI4bAw20Tr+EXGqj1BNwZt5V5IQsP8o5WytSkrZ
+wYJE
+-----END CERTIFICATE-----
+

crypto/certs/CLIENT-TLS-CERT

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE2zCCAsOgAwIBAgIDEAITMA0GCSqGSIb3DQEBCwUAMEExCzAJBgNVBAYTAlVT
+MQ8wDQYDVQQIDAZEZW5pYWwxDDAKBgNVBAoMA0RpczETMBEGA1UEAwwKbGl0ZXN0
+LmNvbTAeFw0yMTA0MTUxMzM1MzhaFw0zMTAyMjIxMzM1MzhaMFcxCzAJBgNVBAYT
+AlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQwwCgYD
+VQQKDANEaXMxEzARBgNVBAMMCmxpdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC/fKSB5sa4cY4h3C40d6oj4z9Um26Su0PBFf4DjoIn4XLc
+R2H6qb1pYdVRsjmw/otE7nOO/FpF/IVvM36PilDOcrkvXybxE2hHDC6zFiho9W4i
+W0WpvEF2dGfSLgRLFyy4HfEA6h6KCX910oRt7sBpJIcBnIxDxptNfO8JY87VExfs
+t1n6YnCNBZC25hkQ8WauSUp2S0+jPS9+BKMXsfkEMJodV9Y1RobhnhEY1Xu9lRiA
+NEBHF6i2vOoHr9xAjLb2fv82t0Xw8bSn7Z1TSriG0fGQB6vq/XolPamnMP1x10Di
+XcmpIwiJWR8y47xyqhpy71Q/YZPXhDiXDEMeTPXJAgMBAAGjgcUwgcIwCQYDVR0T
+BAIwADARBglghkgBhvhCAQEEBAMCBaAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wg
+R2VuZXJhdGVkIENsaWVudCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUh2nzfghU6RO5
+ww0fUu4EKekTu4owHwYDVR0jBBgwFoAUyg5CGktgLoddPZ1QHWJ1/x2Fzb4wDgYD
+VR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDANBgkq
+hkiG9w0BAQsFAAOCAgEADwIaBXDoCkL7E7InQJd0cBXL5IYUTPYN2ZkOROzkHAsW
+t+cAYZer7Z14ErutrsEEfYgeP4UZdSE48TRzZ539+EIxrSxWLrG971NyUyiFTSws
+JbFI4lUVnQGHA3i/BWLW+TJR2aKJ9nGQ1W6xD6ASU409jwnjUCNrXBwqho6GdZNo
+1zKYzx8WONKWdYw01qa/XOR/UBZBiYDVD/e5jH7ojMMBkNAmYXGvVEjQShlA0uuR
+/SwLCVjGKUhqR7fjwAYYJLe3+CvW9Mn935olgeYhIc0/OPSYv7voqy5jyS6yXTEa
+EkvJGxS433F9510KVdGX7cjAJiMZKJiERE20Tfx307DN2rZxTbDKmJD4nAwo3QAL
+djhmRSW0bW7G4ZBxUi441nOlfznj0ZNhsrU2kw4jznkw45ggmQqJqTMg4Ntj+B71
+xNctGgQjzGXC9uegrcehscuHhbQ7Nd/jkqd2v1FRxIb2C4vjNv2eZySrVNklfyEZ
+J5eWyolWEIn8VU+W8CqNEFYmqlRrLJZ8LIxecLRq2fqXospDAAjgdklKRz3GCkUL
+CtNUCOBqqhv9XAPwY+zBImAdJlj8mkUKKTCZUz66d+oEzA++wvEHSsvRKMCGpuMp
+51d3yKSlnI6Vj/PCzgxY7WXX4H+LPa29jbQpeqSl1aXm7e/7KHHjTE4arRpYsFc=
+-----END CERTIFICATE-----
+

crypto/certs/CLIENT-TLS-KEY

@@ -0,0 +1,28 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAv3ykgebGuHGOIdwuNHeqI+M/VJtukrtDwRX+A46CJ+Fy3Edh
++qm9aWHVUbI5sP6LRO5zjvxaRfyFbzN+j4pQznK5L18m8RNoRwwusxYoaPVuIltF
+qbxBdnRn0i4ESxcsuB3xAOoeigl/ddKEbe7AaSSHAZyMQ8abTXzvCWPO1RMX7LdZ
++mJwjQWQtuYZEPFmrklKdktPoz0vfgSjF7H5BDCaHVfWNUaG4Z4RGNV7vZUYgDRA
+RxeotrzqB6/cQIy29n7/NrdF8PG0p+2dU0q4htHxkAer6v16JT2ppzD9cddA4l3J
+qSMIiVkfMuO8cqoacu9UP2GT14Q4lwxDHkz1yQIDAQABAoIBADDNlKPi7FzP3Di3
+BDOtF/jjjx2CK9FL1v3cHAxOAtAlPn/z1X3sSvET1SloMhnxFg+wclVL7boOnPd1
+eVkeGHA1fwsaxjMFDjulWDWefRgbDUHGX1/eMhT9oARKZB+7PVODlgv0n2nw98JQ
+sB3Qjst9WsdHXdxcPvKl18pd3LYjIb1zYo89Clbfn4gMarxzcci+Cd5zwR3gIhBr
+Eet72eNb7DTYKerNaKjoXCTi7pvsaTFdiWy2ED0+OR+aaXFJZNx1tkcrqNRoXYAg
+pWZSHiJkACgxTuiUx0lVTLROZVftQY02rH6TkWMPV3IGGha2zPgTz2NvGn8KZHA1
+stNx5/ECgYEA4zPMO6h/qe6CX9MPbxxktU5Drw9iEhTX/iInPtExbxH8KsHL4UWs
+zmpgno/da9g+lYLZzT+eJzDsZHzUDXWoD7TK15epWCaHX+I24QM4iGRt+TwWwh4V
+49hd+7AjZd6+l8JE/8kgX5wRLJohEqerrw/LBHlx6L2sMWC3TvHfU00CgYEA18H1
+jkF2PUtV7OQVpOZHG0do/ZeIZfpl3jv7w4l3rKRs38gdVUeGLA3WulIs3rMgssAw
+ZXoIjLyxJHtXBHx4MzyTa9OQczkSAWNcYJVqej71CwnoEXuOT8/E50b24ioF/Euq
+t621I3f5unMn6LIydUZYuK4QrtK3AeJ6XY6Vdm0CgYA+IbIeNmwDCoh4r/0ug3M+
+6ZI0014cV7rhcnGNCiQcnax5/NlGV4l0QT7+3ZTNoysqM8hgCp+zU/uxVzmeHKjC
+8svtvTnAM3kdzXz4d6sEEYLJf5cxqoyN7GN3Kqnjd9BjK+s2j8fcnY9MxTF6KoQW
+sZjxNkziOsxWDH7UhexumQKBgCCV8Ko9hMgZGq8ee45eIRsjm93BBx6vxLbdxFZx
+6psucisSJCv/E2qP5IBbbN9tmmCk2ipZVfU7gl2KK0hILDdAzNsaJtTgJ7IB+a+0
+oVI5M/Uo193cFVBEhu6PLzZVNnY2T2BSYesrcZIRVlO0ph5EM54g2/Arbuxf8i8z
+G6u5AoGAWZbzwUY/kcfmWgSTIv2TpnwZow1ksD9vAMEw8DWR+T+ZBWc56KNgS+iu
+oLOPPeQ9DZAjQsag3ZV7MedWnXGrNbKUYJUbj2+02DmFAa/uiE+gka1EhFeFxgjy
+nAkP+KPa4u1XFnQH/0BPWIKY8YbmAlr2+agmBH3QxdFJodMuI58=
+-----END RSA PRIVATE KEY-----
+

crypto/ingress-li-tls-crt crypto/certs/SERVER-TLS-CERT

@@ -27,4 +27,5 @@ ckMYrGHVic7Xk5gANxUeAlJp4IZAGSVyefOgmUBu8ULkVeIGvumHXyCk8t0qjzsh
 XEroHk7y+m8d6wYyK3T9vIZhVsTVNVT8AS27i0C2cPA+MjhCoZqvpR3eIK0BJJn0
 qrezCQ3I3rSslh/DKcjtJQR5VX6pmZBx+t0F+Ht0u88IqzBHRIBmIBE1Sk4+m6FL
 kCVJXNVlwq978uUcVuv1QZ3nHsDMejrIumie7myngnohL2bk8SQSOuXU
------END CERTIFICATE-----
+-----END CERTIFICATE-----
+

crypto/ingress-li-tls-key crypto/certs/SERVER-TLS-KEY

@@ -24,4 +24,5 @@ oqVNjwfzFF5UA/vZNbbxVnLH5iXzbXbRfUl2k1WHktf+dew9sO+osCwvDSnEHflc
 RtOebwKBgQDJV1oXz+ORLaHtIGPquZ7vBtsOKW9Fc6SS1xbiizEgZE13QD6N+gP/
 SgsdXuYkptdXofQ9VKb6axjxaP2RaE0OpR/oOvJ51O5X5yfILuZVAabsEVXfOEYt
 utoBOKDJsmzJHF+qZqviGE5OTTdryhit/Y8HKPcnq7uDhzS0HUO7qg==
------END RSA PRIVATE KEY-----
+-----END RSA PRIVATE KEY-----
+

crypto/client/tlsClient

@@ -15,7 +15,7 @@ func main() {
     portPtr     := flag.String("port", "3000", "port server listening to")
     crtPtr      := flag.String("crt", "../server/selfSigned.cert", "certificate")
     keyPtr      := flag.String("key", "../server/private.pem", "PEM encoded private key file.")
-    insecurePtr := flag.String("insecure", "true", "skip verifying cert chain")
+    insecurePtr := flag.String("insecure", "false", "skip verifying cert chain")
     caCrtPtr    := flag.String("caCrt", "", "ca cert")
 
     flag.Parse()
@@ -52,6 +52,7 @@ func main() {
         conf = &tls.Config{
             Certificates: []tls.Certificate{cert},
             InsecureSkipVerify: insecure,
+            MinVersion:   tls.VersionTLS12,
         }
     }
 

crypto/client/tls_client.go

@@ -0,0 +1,43 @@
+static_resources:
+  listeners:
+    - name: listener_0
+      address:
+        socket_address: { address: 0.0.0.0, port_value: 10000 }
+      filter_chains:
+        transport_socket:
+          name: envoy.transport_sockets.tls
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext 
+            common_tls_context:
+              tls_certificates:
+                - certificate_chain: { filename: /ca/LI-SERVER-TLS-CERT }
+                  private_key: { filename: /ca/LI-SERVER-TLS-KEY }
+
+      filter_chains:             
+        - filters:         
+          - name: envoy.filters.network.tcp_proxy
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+              stat_prefix: destination
+              cluster: cluster_0
+                
+  clusters:
+    - name: cluster_0
+      connect_timeout: 30s
+      load_assignment:
+        cluster_name: cluster_0
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address: { address: 127.0.0.1, port_value: 1447 } 
+      transport_socket:
+        name: envoy.transport_sockets.cluster.tls
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext 
+          common_tls_context:
+            tls_certificates:
+              - certificate_chain: { filename: /ca/LI-CLIENT-TLS-CERT }
+                private_key: { filename: /ca/LI-CLIENT-TLS-KEY }
+            validation_context:
+              trusted_ca: { filename : /ca/LI-CA-CERT }

crypto/envoy/envoy-config.yaml

@@ -0,0 +1,43 @@
+set -x
+
+function kill_proc() {
+    killall envoy
+    killall http2_client
+    killall server
+    killall tlsServer
+    killall tlsClient
+}
+
+trap `kill_proc` SIGINT
+
+SERVER_IP=127.0.0.1
+CLIENT_IP=127.0.0.1
+SERVER_PORT=1447
+CLIENT_PORT=10000
+ENVOY_YAML=envoy-config.yaml
+GO_SERVER=../server/tlsServer
+GO_CLIENT=../client/tlsClient
+ADDL_CLIENT_FLAGS="-key=/ca/tls-key"
+ADDL_SERVER_FLAGS="-crt=/ca/tls-crt -key=/ca/tls-key"
+
+#Run envoy proxy
+make clean build
+envoy --log-level debug -c envoy/$ENVOY_YAML --log-path $PWD/envoy.log &
+
+#Run http2 server and client, both should refer to envoy proxy
+$GO_SERVER -ip=$SERVER_IP -port=$SERVER_PORT $ADDL_SERVER_FLAGS &> server.log &
+$GO_CLIENT -ip=$CLIENT_IP -port=$CLIENT_PORT $ADDL_CLIENT_FLAGS &> client.log &
+
+#verify communication
+tail -f server.log | while read temp
+do
+    found=`echo $temp | grep "Replied"`
+    echo $found
+    if [[ "$found" == "Replied" ]]; then
+        echo "test passed\n"
+        break
+    fi
+done
+
+#kill process
+kill_proc

crypto/envoy/test_envoy_tls.sh

@@ -1,6 +1,12 @@
 build:
 	go build
 
+debug: #change the args
+	dlv debug tls_server.go -- -ip=127.0.0.1 -port=1447 -crt=/ca/tls-crt -key=/ca/tls-key
+
+test:
+	openssl s_client 127.0.0.1:1447
+
 clean:
 	go clean
-	rm -f *.pem *.cert
+	rm -f *.pem *.cert *.key *.csr *.crt

crypto/ingress-li-ca-crt

@@ -1,17 +1,32 @@
 set -x
 
 #clean
-rm -f *.pem *.cert
+rm -f *.pem *.cert *.key *.csr *.crt
 
 #generate private key
 #This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so 
 #that it is readable as ASCII text.
-openssl genrsa -out private.pem 1024
+#openssl genrsa -out private.pem 1024
 
 #create public key
-openssl rsa -in private.pem -outform PEM -pubout -out public.pem
+#openssl rsa -in private.pem -outform PEM -pubout -out public.pem
 
 #create X509 cert
 #X.509 certificate is a standard way to distribute public keys, signed by a certificate authority...
 #here, this is self signed
-openssl req -new -x509 -key private.pem -out selfSigned.cert -days 365 -config server.req
+#openssl req -new -x509 -key private.pem -out ca.cert -days 365 -config server.req 
+
+#generate ca private key,
+openssl genpkey -algorithm RSA -out ca.key -config server.req 
+
+#generate ca cert
+openssl req -new -x509 -key ca.key -out ca.cert -days 365 -config server.req 
+
+#generate user private key
+openssl genpkey -algorithm RSA -out user.key
+
+#create certificate signing request using user key
+openssl req -new -key user.key -out user.csr -config server.req
+
+#create and sign cert using ca cert
+openssl x509 -req -in user.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out user.crt -days 365 -sha256 

crypto/server/Makefile

@@ -9,14 +9,16 @@ import (
     "net"
     "bufio"
     "io/ioutil"
+    //"time"
 )
 
 func main() {
-    ipPtr    := flag.String("ip", "0.0.0.0",  "ip server listening to")
-    portPtr  := flag.String("port", "3000",   "port server listening to")
-    crtPtr   := flag.String("crt", "selfSigned.cert", "X.509 certificate")
-    keyPtr   := flag.String("key", "private.pem", "private key")
-    caCrtPtr := flag.String("caCrt", "", "A PEM encoded CA's certificate file")
+    ipPtr       := flag.String("ip", "0.0.0.0",  "ip server listening to")
+    portPtr     := flag.String("port", "3000",   "port server listening to")
+    crtPtr      := flag.String("crt", "selfSigned.cert", "X.509 certificate")
+    keyPtr      := flag.String("key", "private.pem", "private key")
+    caCrtPtr    := flag.String("caCrt", "", "A PEM encoded CA's certificate file")
+    insecurePtr := flag.String("insecure", "false", "skip verifying cert chain")
     flag.Parse()
 
     fmt.Printf("listening on %s\n", *ipPtr + ":" + *portPtr)
@@ -28,13 +30,20 @@ func main() {
         return
     }
 
+    insecure := false
+    if *insecurePtr == "true" {
+        insecure = true
+    }
+
     var config *tls.Config
     if *caCrtPtr == "" {
         config = &tls.Config{
             Certificates: []tls.Certificate{cer},
-            MinVersion:    tls.VersionTLS13,
+            MinVersion:    tls.VersionTLS12,
+            InsecureSkipVerify: insecure,
         }
     } else {
+        fmt.Printf("Using ca cert %s\n", *caCrtPtr)
         caCert, err := ioutil.ReadFile(*caCrtPtr)
         if err != nil {
             log.Fatal(err)
@@ -45,10 +54,12 @@ func main() {
         config = &tls.Config{
             Certificates: []tls.Certificate{cer},
             RootCAs:      caCertPool,
-            MinVersion:   tls.VersionTLS13,
+            MinVersion:   tls.VersionTLS12,
+            InsecureSkipVerify: insecure,
         }
     }
 
+    printTlsConfig(config)
     ln, err := tls.Listen("tcp",  *ipPtr + ":" + *portPtr, config) 
     if err != nil {
         log.Println(err)
@@ -58,6 +69,7 @@ func main() {
 
     for {
         conn, err := ln.Accept()
+        //conn.SetReadDeadline(time.Now().Add(30*time.Second))
         if err != nil {
             log.Println(err)
             continue
@@ -72,11 +84,15 @@ func handleConnection(conn net.Conn) {
     for {
         msg, err := r.ReadString('\n')
         if err != nil {
-            log.Println(err)
-            return
+            fmt.Printf("errored - %v\n", err.Error())
+            continue
         }
 
-        println(msg)
+        if(msg == "") {
+            fmt.Println("empty message")
+        }
+        
+        fmt.Println(msg)
 
         n, err := conn.Write([]byte("world\n"))
         if err != nil {
@@ -87,3 +103,19 @@ func handleConnection(conn net.Conn) {
         fmt.Print("Replied\n")
     }
 }
+
+func printTlsConfig(config *tls.Config) {    
+    tlsVersion := ""
+    switch(config.MinVersion) {
+        case tls.VersionTLS11: tlsVersion = "TLS 1.1"
+        case tls.VersionTLS12: tlsVersion = "TLS 1.2"
+        case tls.VersionTLS13: tlsVersion = "TLS 1.3"
+    }
+
+    insecure := "false"
+    if config.InsecureSkipVerify {
+        insecure = "true"
+    }
+
+    fmt.Printf("TLS Config\n minVersion : %s\tInsecure:%s", tlsVersion, insecure)
+}

crypto/server/generate_tls_cert.sh

@@ -283,4 +283,4 @@ int main(int argc, const char **argv) {
     const char *ifname = argv[1];
     const char *ip = argv[2];
     return test_arping(ifname, ip);
-}
+}

crypto/server/tlsServer

@@ -23,7 +23,6 @@ int main(int argc,  char **argv)
     std::cout<<"set dscp : "<<dscp<<"\n";
 
     if(connect(sock, (struct sockaddr*)&client, sizeof(client)) < 0) retError("failed to connect socket"); 
-    std::cout<<"connected to 127.0.0.1:3000\n";
 
     std::string msg = "test";
     while(true) {

crypto/server/tls_server.go

@@ -22,6 +22,7 @@ int retError(const std::string sError)
 std::unique_ptr<host> getHostFromArg(int argc, char** argv, int ipIndex, int portIndex)
 {
     if(argc < ipIndex || argc < portIndex) return nullptr;
+    std::cout<<"Connecting to "<<argv[ipIndex]<<":"<<argv[portIndex]<<"\n";
     return std::make_unique<host>(argv[ipIndex], std::atoi(argv[portIndex]));
 }