chore: update tls cert for test

2023-03-07 21:25:42 +08:00 · 2023-03-07 21:25:42 +08:00 · d079d66223
parent ee5c7b4a77
commit d079d66223
8 changed files with 101 additions and 42 deletions
--- a/docs/transport.md
+++ b/docs/transport.md
@ -6,11 +6,11 @@ By default, `rathole` forwards traffic as it is. Different options can be enable
 Checkout the [example](../examples/tls)
 ### Client
 Normally, a self-signed certificate is used. In this case, the client needs to trust the CA. `trusted_root` is the path to the root CA's certificate PEM file.
-`hostname` is the hostname that the client used to validate aginst the certificate that the server presents.
+`hostname` is the hostname that the client used to validate aginst the certificate that the server presents. Note that it does not have to be the same with the `remote_addr` in `[client]`.
 ```
 [client.transport.tls]
-trusted_root = "example/tls/ca-cert.pem"
+trusted_root = "example/tls/rootCA.crt"
-hostname = "0.0.0.0"
+hostname = "localhost"
 ```
 ### Server
@ -18,9 +18,17 @@ PKCS#12 archives are needed to run the server.
 It can be created using openssl like:
 ```
-openssl pkcs12 -export -out identity.pfx -inkey server-key.pem -in server-cert.pem -certfile ca_chain_certs.pem
+openssl pkcs12 -export -out identity.pfx -inkey server.key -in server.crt -certfile ca_chain_certs.crt
 ```
 Aruguments are:
 - `-inkey`: Server Private Key
 - `-in`: Server Certificate
 - `-certfile`: CA Certificate
 Creating self-signed certificate with one's own CA is a non-trival task. However, a script is provided under tls example folder for reference.
 ## Noise Protocol
 ### Quickstart for the Noise Protocl
 In one word, the [Noise Protocol](http://noiseprotocol.org/noise.html) is a lightweigt, easy to configure and drop-in replacement of TLS. No need to create a self-sign certificate to secure the connection.
--- a/examples/tls/ca-cert.pem
+++ b/examples/tls/ca-cert.pem
@ -1,31 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIFazCCA1OgAwIBAgIUXTmJtkI6aK16A8HPkP2IvowmSKwwDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMjAxMDIwODEzMzhaFw0yMzAy
 MDMwODEzMzhaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
 AQUAA4ICDwAwggIKAoICAQDAAq3LEmJigEuRT9sswUx6Kfc4T04oZvZTSYNIRrBF
 Zcc/EGZF/t/k2ciGDSAB1mL2rUdIfWveQ/5kRCSFffX5qvKFkzogRQQjFPLFjfoC
 lKXxvy/BOIwF786gvHbz5EI1dcAL+nRco3U6dHPdewvbQwX9cZrUD3pq+r1qlipY
 w5rZL7Z5cNoczhRAgFhIBHvsgBazkkOB7PDUkmkYAYnw3uK+r4coAqnnfjpxoaCQ
 dQi4JX2VvqOdgxzw9vIRqbL+p2NBPnVjcSj067Y9sxtfR3Xmt2dlMJuReFN8phnK
 8GiYiuiYA01O84htjHt+A8oVYKalXdPeikoSgPmhoJCQQs0NkBzGCc33U7XEa6kM
 j6Y81Id4uXAK5LxyVGo5zOEvOyF3EhceIJDeGS9NsGJyT757OuKrsCK0v8KNPsEh
 VvrcngnRQOWFTg/rp/vSrj7S5i0NPjkEpRitxaYBOg40DXyG1GfYf1SvneXpT0gh
 ZbgjipPrwvuZnJVqqIv1hVVNOKo7nJS24rZ/andZS8g6OE0bL9AlE1Sp2lMXuagJ
 2haPa2rSFZPqNPrP9wh5KVreD9UNeTb37NbXWeZXwKR8v20GAWjb2QQKY92zlMpI
 gmViEvJHrHbKVoU/8gyS9R7iL9JOehk3sqVhbjaDyouC9mosPrQFzp1frKvSlKNg
 1wIDAQABo1MwUTAdBgNVHQ4EFgQU98MJp09MMFw5s4sacYozQFzTNFwwHwYDVR0j
 BBgwFoAU98MJp09MMFw5s4sacYozQFzTNFwwDwYDVR0TAQH/BAUwAwEB/zANBgkq
 hkiG9w0BAQsFAAOCAgEABOtNqqKFEA3vynOFteZV+VquaRKqDuYn0doMMPH9cY20
 4ASioa3aqbmvBiSTDsOdvgP6j5nSVEtQCt5P3fBRMa8a3YnTGPNx8uGPuOA+ZD+b
 USR5FcXJHtkjSfpVF9DOZr34+khRpfHPEZQiaAAiKwaRnI4Gqhv6e6JoaimkQDYj
 xcKw+f1NcCdhSTkpcx9K/Qfa0cXKSL+0Hwl5AbDMsnRAkKu62YKdOv36nnBOMc2S
 6laNIx20nt8Evm3KBNDRiHAw8pwMGfnxCCG6hGo2IvYh6hOjZupVpP55iMgQUkfF
 Gmvxe/4wjuPCvI/Liy0PFfiCHVKASWIiMWG8u8WfJUw1/4RFZu4l2LVVuJOujr6n
 1k5vzIozuo6Ym8mKnnHQmYf5K9T/YuRW3EFa9Ar6/krjw6K/I97P+Wh/DVZiaGC5
 n90ZcRj+abb+zOfz0AHTOp7zlr3w4si7AF3tZ9WhW2R0BC3wwmXygli0I6iMXE7E
 tvXM5UwxLJoJen2fWqn75/91BifEqPWckPb1h14i73hAPVSte1wvstf8mER/DFSX
 Is/GxAhRsZChHn2lEJsvPlrfyMxYwcXTTvd//sp+iOZjfky5vhRuMDUYsHx6/znT
 q/rpT3CMnAVlMTf8n/0dY4mdcaQj0cRJfVnUlvZnhw0tJzCP3rH3smlpWloexds=
 -----END CERTIFICATE-----
--- a/examples/tls/client.toml
+++ b/examples/tls/client.toml
@ -1,12 +1,12 @@
 [client]
-remote_addr = "localhost:2333"
+remote_addr = "127.0.0.1:2333"
 default_token = "123"
 [client.transport]
 type = "tls"
 [client.transport.tls]
-trusted_root = "examples/tls/ca-cert.pem"
+trusted_root = "examples/tls/rootCA.crt"
-hostname = "0.0.0.0"
+hostname = "localhost"
 [client.services.foo1]
 local_addr = "127.0.0.1:80"
--- a/examples/tls/create_self_signed_cert.sh
+++ b/examples/tls/create_self_signed_cert.sh
@ -0,0 +1,62 @@
 #!/bin/sh
 # create CA 
 openssl req -x509 \
            -sha256 -days 356 \
            -nodes \
            -newkey rsa:2048 \
            -subj "/CN=MyOwnCA/C=US/L=San Fransisco" \
            -keyout rootCA.key -out rootCA.crt 
 # create server private key
 openssl genrsa -out server.key 2048
 # create certificate signing request (CSR)
 cat > csr.conf <<EOF
 [ req ]
 default_bits = 2048
 prompt = no
 default_md = sha256
 req_extensions = req_ext
 distinguished_name = dn
 [ dn ]
 C = US
 ST = California
 L = San Fransisco
 O = Someone
 OU = Someone
 CN = localhost
 [ req_ext ]
 subjectAltName = @alt_names
 [ alt_names ]
 DNS.1 = localhost
 EOF
 openssl req -new -key server.key -out server.csr -config csr.conf
 # create server cert
 cat > cert.conf <<EOF
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = localhost
 EOF
 openssl x509 -req \
    -in server.csr \
    -CA rootCA.crt -CAkey rootCA.key \
    -out server.crt \
    -days 365 \
    -sha256 -extfile cert.conf
 # create pkcs12
 openssl pkcs12 -export -out identity.pfx -inkey server.key -in server.crt -certfile rootCA.crt -passout pass:1234
 # clean up
 rm server.csr csr.conf cert.conf
--- a/examples/tls/identity.pfx
+++ b/examples/tls/identity.pfx
--- a/examples/tls/rootCA.crt
+++ b/examples/tls/rootCA.crt
@ -0,0 +1,20 @@
 -----BEGIN CERTIFICATE-----
 MIIDTzCCAjegAwIBAgIUT2Hjb+eORMuX0zIwClSygNTJiSQwDQYJKoZIhvcNAQEL
 BQAwNzEQMA4GA1UEAwwHTXlPd25DQTELMAkGA1UEBhMCVVMxFjAUBgNVBAcMDVNh
 biBGcmFuc2lzY28wHhcNMjMwMzA3MTIzOTM5WhcNMjQwMjI2MTIzOTM5WjA3MRAw
 DgYDVQQDDAdNeU93bkNBMQswCQYDVQQGEwJVUzEWMBQGA1UEBwwNU2FuIEZyYW5z
 aXNjbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4hFcu/+GeSQRR0
 XniadepJtCp3juIaHaYLMIsKg4fUSOiVlOCJU27wYa6xaYOcjSKpv7tmZ7YwFBwO
 dGdlcqAFD1nj+JCsHQAJKRIYWY6UklrQb0rd+67HXF03cN4sPGiAKXy52jaPYJIS
 oz5w8mfcz66b3q6fYmefyjwvqBl5nJApiWzBEtLPDKhmT6ST3VuQLdmYNEmL3lL9
 wVJu3R1L7gnzoUFdHyeOpAoALFAI8zfezI8IJsDLLdVfKZNZYm0PDB98ldlBQ2wf
 uXFTzuVHeifBFcUxhV5/U9c3Fp7UnuMD7/RAcABBE8aW6wFl246WjTk4v6r0QYgZ
 49BrnGMCAwEAAaNTMFEwHQYDVR0OBBYEFIwCXoKvHjF6mWhgNLwSEktXT9S/MB8G
 A1UdIwQYMBaAFIwCXoKvHjF6mWhgNLwSEktXT9S/MA8GA1UdEwEB/wQFMAMBAf8w
 DQYJKoZIhvcNAQELBQADggEBAIlSJqo9QJUZTE1SzafqihkSXBuLAKMNq+Box02o
 2tticlBV3BVpNZ4SbOs8oYN/Hmr2cDSmgbf4ZB1BqExarsrLnFuIrM4XWVzuFHSt
 oMSlE/OE6cO0wzqUlihmUfx2azuXKPLotAObD6fwNbUb03YxTpNrEqFxIjYn6g56
 Mp1Eo/Na2ptr41Nin2gHsynPOWdPhpBqBxnWMFz1pfZ7TB1h92DVqFN92fMzgvAT
 oJdTGl9hFTcS4XrYwOhhITNGn7oM9uTFpTd/IZbjAakcAnLcwRumthD32YJPpXqV
 JC2zJNBvEbQ4hdvZu3eNx5J8GU8wiMoJgYNy4zNMbM3qM+E=
 -----END CERTIFICATE-----
--- a/tests/for_tcp/tls_transport.toml
+++ b/tests/for_tcp/tls_transport.toml
@ -5,8 +5,8 @@ default_token = "default_token_if_not_specify"
 [client.transport]
 type = "tls" 
 [client.transport.tls]
-trusted_root = "examples/tls/ca-cert.pem"
+trusted_root = "examples/tls/rootCA.crt"
-hostname = "0.0.0.0"
+hostname = "localhost"
 [client.services.echo] 
 local_addr = "127.0.0.1:8080" 
--- a/tests/for_udp/tls_transport.toml
+++ b/tests/for_udp/tls_transport.toml
@ -5,8 +5,8 @@ default_token = "default_token_if_not_specify"
 [client.transport]
 type = "tls" 
 [client.transport.tls]
-trusted_root = "examples/tls/ca-cert.pem"
+trusted_root = "examples/tls/rootCA.crt"
-hostname = "0.0.0.0"
+hostname = "localhost"
 [client.services.echo] 
 type = "udp"