mirror of
https://github.com/rwf2/Rocket.git
synced 2025-01-11 12:09:06 +00:00
237370533c
The latest version of `rustls` acts on the SNI extension to TLS without the apparent ability to disable the behavior. `rustls` requires that the server's certificate match the client's requested server. The matching is done by looking at DNS names in the `subjectAltName` extension and checking if the requested server name is present. Since the certificate in the `tls` example did not have the `subjectAltName` extension, this check always failed, and the TLS connection was aborted. This commit adds the extension to the certificate with a DNS name of `localhost`, ensuring that TLS succeeds on `localhost`.
22 lines
936 B
Bash
Executable File
22 lines
936 B
Bash
Executable File
#! /bin/bash
|
|
|
|
# TODO: `rustls` (really, `webpki`) doesn't currently use the CN in the subject
|
|
# to check if a certificate is valid for a server name sent via SNI. It's not
|
|
# clear if this is intended, since certificates _should_ have a `subjectAltName`
|
|
# with a DNS name, or if it simply hasn't been implemented yet. See
|
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=552346 for a bit more info.
|
|
|
|
CA_SUBJECT="/C=US/ST=CA/O=Rocket CA/CN=Rocket Root CA"
|
|
SUBJECT="/C=US/ST=CA/O=Rocket/CN=localhost"
|
|
ALT="DNS:localhost"
|
|
|
|
openssl genrsa -out ca_key.pem 4096
|
|
openssl req -new -x509 -days 3650 -key ca_key.pem -subj "${CA_SUBJECT}" -out ca_cert.pem
|
|
|
|
openssl req -newkey rsa:4096 -nodes -sha256 -keyout key.pem -subj "${SUBJECT}" -out server.csr
|
|
openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
|
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
|
-in server.csr -out cert.pem
|
|
|
|
rm ca_cert.srl server.csr
|