aHisayoshiSuehiro · April 28, 2017 10:45
diff --git a/000-default.conf b/000-default.conf
 <Directory /var/www/html/secret>
    SSLRequireSSL
    SSLVerifyClient require
    SSLUserName SSL_CLIENT_S_DN_CN
    Satisfy Any
    Allow from All
    SSLRequire %{SSL_CLIENT_S_DN_CN} in {"yone", "foo", "bar"}
 </Directory>
diff --git a/README.rst b/README.rst
diff --git a/default-ssl.conf b/default-ssl.conf
 <IfModule mod_ssl.c>
 	<VirtualHost _default_:443>
 		ServerAdmin webmaster@localhost

 		DocumentRoot /var/www/html

 		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 		# error, crit, alert, emerg.
 		# It is also possible to configure the loglevel for particular
 		# modules, e.g.
 		#LogLevel info ssl:warn

 		ErrorLog ${APACHE_LOG_DIR}/error.log
 		CustomLog ${APACHE_LOG_DIR}/access.log combined

 		# For most configuration files from conf-available/, which are
 		# enabled or disabled at a global level, it is possible to
 		# include a line for only one particular virtual host. For example the
 		# following line enables the CGI configuration for this host only
 		# after it has been globally disabled with "a2disconf".
 		#Include conf-available/serve-cgi-bin.conf

 		#   SSL Engine Switch:
 		#   Enable/Disable SSL for this virtual host.
 		SSLEngine on

 		#   A self-signed (snakeoil) certificate can be created by installing
 		#   the ssl-cert package. See
 		#   /usr/share/doc/apache2/README.Debian.gz for more info.
 		#   If both key and certificate are stored in the same file, only the
 		#   SSLCertificateFile directive is needed.
 		SSLCertificateFile	/etc/apache2/ssl.crt/server.pem
 		SSLCertificateKeyFile   /etc/apache2/ssl.crt/server.key

 		#   Server Certificate Chain:
 		#   Point SSLCertificateChainFile at a file containing the
 		#   concatenation of PEM encoded CA certificates which form the
 		#   certificate chain for the server certificate. Alternatively
 		#   the referenced file can be the same as SSLCertificateFile
 		#   when the CA certificates are directly appended to the server
 		#   certificate for convinience.
 		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

 		#   Certificate Authority (CA):
 		#   Set the CA certificate verification path where to find CA
 		#   certificates for client authentication or alternatively one
 		#   huge file containing all of them (file must be PEM encoded)
 		#   Note: Inside SSLCACertificatePath you need hash symlinks
 		#		 to point to the certificate files. Use the provided
 		#		 Makefile to update the hash symlinks after changes.
 		#SSLCACertificatePath /etc/ssl/certs/
 		SSLCACertificateFile  /etc/apache2/ssl.crt/cacert.pem

 		#   Certificate Revocation Lists (CRL):
 		#   Set the CA revocation path where to find CA CRLs for client
 		#   authentication or alternatively one huge file containing all
 		#   of them (file must be PEM encoded)
 		#   Note: Inside SSLCARevocationPath you need hash symlinks
 		#		 to point to the certificate files. Use the provided
 		#		 Makefile to update the hash symlinks after changes.
 		#SSLCARevocationPath /etc/apache2/ssl.crl/
 		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

 		#   Client Authentication (Type):
 		#   Client certificate verification type and depth.  Types are
 		#   none, optional, require and optional_no_ca.  Depth is a
 		#   number which specifies how deeply to verify the certificate
 		#   issuer chain before deciding the certificate is not valid.
 		SSLVerifyClient require
 		SSLVerifyDepth  10

 		#   SSL Engine Options:
 		#   Set various options for the SSL engine.
 		#   o FakeBasicAuth:
 		#	 Translate the client X.509 into a Basic Authorisation.  This means that
 		#	 the standard Auth/DBMAuth methods can be used for access control.  The
 		#	 user name is the `one line' version of the client's X.509 certificate.
 		#	 Note that no password is obtained from the user. Every entry in the user
 		#	 file needs this password: `xxj31ZMTZzkVA'.
 		#   o ExportCertData:
 		#	 This exports two additional environment variables: SSL_CLIENT_CERT and
 		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
 		#	 server (always existing) and the client (only existing when client
 		#	 authentication is used). This can be used to import the certificates
 		#	 into CGI scripts.
 		#   o StdEnvVars:
 		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
 		#	 Per default this exportation is switched off for performance reasons,
 		#	 because the extraction step is an expensive operation and is usually
 		#	 useless for serving static content. So one usually enables the
 		#	 exportation for CGI and SSI requests only.
 		#   o OptRenegotiate:
 		#	 This enables optimized SSL connection renegotiation handling when SSL
 		#	 directives are used in per-directory context.
 		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 		<FilesMatch "\.(cgi|shtml|phtml|php)$">
 				SSLOptions +StdEnvVars
 		</FilesMatch>
 		<Directory /usr/lib/cgi-bin>
 				SSLOptions +StdEnvVars
 		</Directory>

 		#   SSL Protocol Adjustments:
 		#   The safe and default but still SSL/TLS standard compliant shutdown
 		#   approach is that mod_ssl sends the close notify alert but doesn't wait for
 		#   the close notify alert from client. When you need a different shutdown
 		#   approach you can use one of the following variables:
 		#   o ssl-unclean-shutdown:
 		#	 This forces an unclean shutdown when the connection is closed, i.e. no
 		#	 SSL close notify alert is send or allowed to received.  This violates
 		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
 		#	 this when you receive I/O errors because of the standard approach where
 		#	 mod_ssl sends the close notify alert.
 		#   o ssl-accurate-shutdown:
 		#	 This forces an accurate shutdown when the connection is closed, i.e. a
 		#	 SSL close notify alert is send and mod_ssl waits for the close notify
 		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
 		#	 practice often causes hanging connections with brain-dead browsers. Use
 		#	 this only for browsers where you know that their SSL implementation
 		#	 works correctly.
 		#   Notice: Most problems of broken clients are also related to the HTTP
 		#   keep-alive facility, so you usually additionally want to disable
 		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
 		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 		#   "force-response-1.0" for this.
 		# BrowserMatch "MSIE [2-6]" \
 		#		nokeepalive ssl-unclean-shutdown \
 		#		downgrade-1.0 force-response-1.0

 	</VirtualHost>
 </IfModule>

 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/Dockerfile b/Dockerfile
 FROM ubuntu:16.04

 ADD apt.conf /etc/apt/apt.conf
 RUN apt-get update
 RUN apt-get install -y apache2
 RUN a2enmod ssl
 RUN a2ensite default-ssl
 RUN service apache2 restart
 ADD ./openssl.conf /etc/ssl/openssl.cnf
 ADD ./openssl-client.conf /root/
 ADD ./openssl-ca.conf /root/
 ADD ./default-ssl.conf /etc/apache2/sites-enabled/
 ADD ./ssl/demoCA/cacert.pem /etc/apache2/ssl.crt/cacert.pem
 ADD ./ssl/server/server.pem /etc/apache2/ssl.crt/
 ADD ./ssl/server/server.key /etc/apache2/ssl.crt/
 ADD ./000-default.conf /etc/apache2/sites-enabled/
 WORKDIR /root/
diff --git a/gistfile1.txt b/gistfile1.txt
 #CA
 SSLEAY_CONFIG="-config /root/openssl-ca.conf" /usr/lib/ssl/misc/CA.sh -newca

 #client
 SSLEAY_CONFIG="-config /root/openssl-client.conf" /usr/lib/ssl/misc/CA.sh -newreq
 /usr/lib/ssl/misc/CA.sh -sign
 mkdir client
 mv *.pem client/
 openssl pkcs12 -export -in client/newcert.pem -inkey client/newkey.pem -out client/client.local.pfx -name "client.local"

 #server
 /usr/lib/ssl/misc/CA.sh -newreq
 /usr/lib/ssl/misc/CA.sh -sign
 mkdir server
 mv *.pem server/
 openssl rsa -in server/newkey.pem -out ./server/server.key
diff --git a/ssl_local_ca b/ssl_local_ca
 package main

 import (
 	"crypto/tls"
 	"crypto/x509"
 	"io"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"fmt"
 )

 func HelloServer(w http.ResponseWriter, req *http.Request) {
 	cert := req.TLS.PeerCertificates[0]
 	io.WriteString(w, "hello, world!\n")
 	fmt.Fprint(w,  cert.EmailAddresses)
 	fmt.Fprint(w,  cert.OCSPServer)
 	fmt.Fprint(w,  cert.AuthorityKeyId)
 	fmt.Fprint(w,  cert.Subject.CommonName)
 	fmt.Fprint(w,  req.TLS.ServerName)
 }

 func main() {
 	http.HandleFunc("/hello", HelloServer)

 	caCert, err := ioutil.ReadFile("./cacert.pem")
 	if err != nil {
 		log.Fatal(err)
 	}
 	caCertPool := x509.NewCertPool()
 	if !caCertPool.AppendCertsFromPEM(caCert) {
 		log.Fatal("AppendCertsFromPEM faile")
 	}

 	// Setup HTTPS client
 	tlsConfig := &tls.Config{
 		ClientCAs: caCertPool,
 		ClientAuth: tls.RequireAndVerifyClientCert,
 	}
 	log.Println("Setup HTTPS")
 	tlsConfig.BuildNameToCertificate()
 	log.Println("BuildNameToCertificate")
 	server := &http.Server{
 		Addr:      ":443",
 		TLSConfig: tlsConfig,
 	}

 	log.Fatal(server.ListenAndServeTLS("server.pem", "server.key"))
 }
	<Directory /var/www/html/secret>
	SSLRequireSSL
	SSLVerifyClient require
	SSLUserName SSL_CLIENT_S_DN_CN
	Satisfy Any
	Allow from All
	SSLRequire %{SSL_CLIENT_S_DN_CN} in {"yone", "foo", "bar"}
	</Directory>
	<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	# SSL Engine Switch:
	# Enable/Disable SSL for this virtual host.
	SSLEngine on

	# A self-signed (snakeoil) certificate can be created by installing
	# the ssl-cert package. See
	# /usr/share/doc/apache2/README.Debian.gz for more info.
	# If both key and certificate are stored in the same file, only the
	# SSLCertificateFile directive is needed.
	SSLCertificateFile /etc/apache2/ssl.crt/server.pem
	SSLCertificateKeyFile /etc/apache2/ssl.crt/server.key

	# Server Certificate Chain:
	# Point SSLCertificateChainFile at a file containing the
	# concatenation of PEM encoded CA certificates which form the
	# certificate chain for the server certificate. Alternatively
	# the referenced file can be the same as SSLCertificateFile
	# when the CA certificates are directly appended to the server
	# certificate for convinience.
	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

	# Certificate Authority (CA):
	# Set the CA certificate verification path where to find CA
	# certificates for client authentication or alternatively one
	# huge file containing all of them (file must be PEM encoded)
	# Note: Inside SSLCACertificatePath you need hash symlinks
	# to point to the certificate files. Use the provided
	# Makefile to update the hash symlinks after changes.
	#SSLCACertificatePath /etc/ssl/certs/
	SSLCACertificateFile /etc/apache2/ssl.crt/cacert.pem

	# Certificate Revocation Lists (CRL):
	# Set the CA revocation path where to find CA CRLs for client
	# authentication or alternatively one huge file containing all
	# of them (file must be PEM encoded)
	# Note: Inside SSLCARevocationPath you need hash symlinks
	# to point to the certificate files. Use the provided
	# Makefile to update the hash symlinks after changes.
	#SSLCARevocationPath /etc/apache2/ssl.crl/
	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

	# Client Authentication (Type):
	# Client certificate verification type and depth. Types are
	# none, optional, require and optional_no_ca. Depth is a
	# number which specifies how deeply to verify the certificate
	# issuer chain before deciding the certificate is not valid.
	SSLVerifyClient require
	SSLVerifyDepth 10

	# SSL Engine Options:
	# Set various options for the SSL engine.
	# o FakeBasicAuth:
	# Translate the client X.509 into a Basic Authorisation. This means that
	# the standard Auth/DBMAuth methods can be used for access control. The
	# user name is the `one line' version of the client's X.509 certificate.
	# Note that no password is obtained from the user. Every entry in the user
	# file needs this password: `xxj31ZMTZzkVA'.
	# o ExportCertData:
	# This exports two additional environment variables: SSL_CLIENT_CERT and
	# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
	# server (always existing) and the client (only existing when client
	# authentication is used). This can be used to import the certificates
	# into CGI scripts.
	# o StdEnvVars:
	# This exports the standard SSL/TLS related `SSL_*' environment variables.
	# Per default this exportation is switched off for performance reasons,
	# because the extraction step is an expensive operation and is usually
	# useless for serving static content. So one usually enables the
	# exportation for CGI and SSI requests only.
	# o OptRenegotiate:
	# This enables optimized SSL connection renegotiation handling when SSL
	# directives are used in per-directory context.
	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
	<FilesMatch "\.(cgi\|shtml\|phtml\|php)$">
	SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
	SSLOptions +StdEnvVars
	</Directory>

	# SSL Protocol Adjustments:
	# The safe and default but still SSL/TLS standard compliant shutdown
	# approach is that mod_ssl sends the close notify alert but doesn't wait for
	# the close notify alert from client. When you need a different shutdown
	# approach you can use one of the following variables:
	# o ssl-unclean-shutdown:
	# This forces an unclean shutdown when the connection is closed, i.e. no
	# SSL close notify alert is send or allowed to received. This violates
	# the SSL/TLS standard but is needed for some brain-dead browsers. Use
	# this when you receive I/O errors because of the standard approach where
	# mod_ssl sends the close notify alert.
	# o ssl-accurate-shutdown:
	# This forces an accurate shutdown when the connection is closed, i.e. a
	# SSL close notify alert is send and mod_ssl waits for the close notify
	# alert of the client. This is 100% SSL/TLS standard compliant, but in
	# practice often causes hanging connections with brain-dead browsers. Use
	# this only for browsers where you know that their SSL implementation
	# works correctly.
	# Notice: Most problems of broken clients are also related to the HTTP
	# keep-alive facility, so you usually additionally want to disable
	# keep-alive for those clients, too. Use variable "nokeepalive" for this.
	# Similarly, one has to force some clients to use HTTP/1.0 to workaround
	# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
	# "force-response-1.0" for this.
	# BrowserMatch "MSIE [2-6]" \
	# nokeepalive ssl-unclean-shutdown \
	# downgrade-1.0 force-response-1.0

	</VirtualHost>
	</IfModule>

	# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
	FROM ubuntu:16.04

	ADD apt.conf /etc/apt/apt.conf
	RUN apt-get update
	RUN apt-get install -y apache2
	RUN a2enmod ssl
	RUN a2ensite default-ssl
	RUN service apache2 restart
	ADD ./openssl.conf /etc/ssl/openssl.cnf
	ADD ./openssl-client.conf /root/
	ADD ./openssl-ca.conf /root/
	ADD ./default-ssl.conf /etc/apache2/sites-enabled/
	ADD ./ssl/demoCA/cacert.pem /etc/apache2/ssl.crt/cacert.pem
	ADD ./ssl/server/server.pem /etc/apache2/ssl.crt/
	ADD ./ssl/server/server.key /etc/apache2/ssl.crt/
	ADD ./000-default.conf /etc/apache2/sites-enabled/
	WORKDIR /root/
	#CA
	SSLEAY_CONFIG="-config /root/openssl-ca.conf" /usr/lib/ssl/misc/CA.sh -newca

	#client
	SSLEAY_CONFIG="-config /root/openssl-client.conf" /usr/lib/ssl/misc/CA.sh -newreq
	/usr/lib/ssl/misc/CA.sh -sign
	mkdir client
	mv *.pem client/
	openssl pkcs12 -export -in client/newcert.pem -inkey client/newkey.pem -out client/client.local.pfx -name "client.local"

	#server
	/usr/lib/ssl/misc/CA.sh -newreq
	/usr/lib/ssl/misc/CA.sh -sign
	mkdir server
	mv *.pem server/
	openssl rsa -in server/newkey.pem -out ./server/server.key
	package main

	import (
	"crypto/tls"
	"crypto/x509"
	"io"
	"io/ioutil"
	"log"
	"net/http"
	"fmt"
	)

	func HelloServer(w http.ResponseWriter, req *http.Request) {
	cert := req.TLS.PeerCertificates[0]
	io.WriteString(w, "hello, world!\n")
	fmt.Fprint(w, cert.EmailAddresses)
	fmt.Fprint(w, cert.OCSPServer)
	fmt.Fprint(w, cert.AuthorityKeyId)
	fmt.Fprint(w, cert.Subject.CommonName)
	fmt.Fprint(w, req.TLS.ServerName)
	}

	func main() {
	http.HandleFunc("/hello", HelloServer)

	caCert, err := ioutil.ReadFile("./cacert.pem")
	if err != nil {
	log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCert) {
	log.Fatal("AppendCertsFromPEM faile")
	}

	// Setup HTTPS client
	tlsConfig := &tls.Config{
	ClientCAs: caCertPool,
	ClientAuth: tls.RequireAndVerifyClientCert,
	}
	log.Println("Setup HTTPS")
	tlsConfig.BuildNameToCertificate()
	log.Println("BuildNameToCertificate")
	server := &http.Server{
	Addr: ":443",
	TLSConfig: tlsConfig,
	}

	log.Fatal(server.ListenAndServeTLS("server.pem", "server.key"))
	}