From 91fd8ed84ffd7dc31f0cd0dcc8f6f97dd9c0839c Mon Sep 17 00:00:00 2001 From: Christopher Thompson Date: Tue, 26 Nov 2019 18:13:00 -0800 Subject: [PATCH] Add (known|blocked)-interception.badssl.com tests --- certs/Makefile | 28 +++++++++++++++++++ .../conf/subdomain-blocked-interception.conf | 20 +++++++++++++ .../conf/subdomain-known-interception.conf | 20 +++++++++++++ domains/cert/blocked-interception.conf | 19 +++++++++++++ domains/cert/blocked-interception/index.html | 16 +++++++++++ domains/cert/known-interception.conf | 19 +++++++++++++ domains/cert/known-interception/index.html | 16 +++++++++++ .../subdomain-blocked-interception.conf | 6 ++++ .../subdomain-known-interception.conf | 6 ++++ 9 files changed, 150 insertions(+) create mode 100644 certs/src/conf/subdomain-blocked-interception.conf create mode 100644 certs/src/conf/subdomain-known-interception.conf create mode 100644 domains/cert/blocked-interception.conf create mode 100644 domains/cert/blocked-interception/index.html create mode 100644 domains/cert/known-interception.conf create mode 100644 domains/cert/known-interception/index.html create mode 100644 nginx-includes/subdomain-blocked-interception.conf create mode 100644 nginx-includes/subdomain-known-interception.conf diff --git a/certs/Makefile b/certs/Makefile index e5de6a7e..09b875e3 100644 --- a/certs/Makefile +++ b/certs/Makefile 
@@ -448,6 +448,34 @@ CHAINS_PROD += $(O)/gen/chain/subdomain-captive-portal.pem
 $(O)/gen/chain/subdomain-captive-portal.pem: $(O)/gen/crt/subdomain-captive-portal.crt $(O)/gen/crt/ca-intermediate.crt
 ./tool chain $@ $(D) $^
+################################
+$(O)/gen/key/leaf-blocked-interception.key:
+ ./tool gen-key $@ $(D) 2048
+
+################################
+# Note: this is just a regular cert in `test`
+$(O)/gen/csr/subdomain-blocked-interception.csr: src/conf/subdomain-blocked-interception.conf $(O)/gen/key/leaf-blocked-interception.key
+ ./tool gen-csr $@ $(D) $^
+$(O)/gen/crt/subdomain-blocked-interception.crt: src/conf/subdomain-blocked-interception.conf $(O)/gen/csr/subdomain-blocked-interception.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+ ./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-blocked-interception.pem
+$(O)/gen/chain/subdomain-blocked-interception.pem: $(O)/gen/crt/subdomain-blocked-interception.crt $(O)/gen/crt/ca-intermediate.crt
+ ./tool chain $@ $(D) $^
+
+################################
+$(O)/gen/key/leaf-known-interception.key:
+ ./tool gen-key $@ $(D) 2048
+
+################################
+# Note: this is just a regular cert in `test`
+$(O)/gen/csr/subdomain-known-interception.csr: src/conf/subdomain-known-interception.conf $(O)/gen/key/leaf-known-interception.key
+ ./tool gen-csr $@ $(D) $^
+$(O)/gen/crt/subdomain-known-interception.crt: src/conf/subdomain-known-interception.conf $(O)/gen/csr/subdomain-known-interception.csr $(O)/gen/key/ca-intermediate.key $(O)/gen/crt/ca-intermediate.crt
+ ./tool sign $@ $(D) $(SIGN_LEAF_DEFAULTS) $^
+CHAINS_PROD += $(O)/gen/chain/subdomain-known-interception.pem
+$(O)/gen/chain/subdomain-known-interception.pem: $(O)/gen/crt/subdomain-known-interception.crt $(O)/gen/crt/ca-intermediate.crt
+ ./tool chain $@ $(D) $^
+
 ################################
 $(O)/gen/dhparam/dh480.pem:
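Review bot: The `# Note: this is just a regular cert in `test`` comment above each new CSR rule leaves the production case undocumented, yet both chains are also appended to `CHAINS_PROD`, so the prod build produces them as ordinary leaves under `ca-intermediate` too; a maintainer reading only this file cannot tell whether that is intended or whether the prod chain is meant to be swapped for one issued under an interception root somewhere else (presumably it is — confirm). Suggested wording for both comments: `# Note: in `test` this is an ordinary leaf under ca-intermediate; in prod the served chain for this subdomain is provided by [LOCATION-PLACEHOLDER]`. Separately, the blocked-interception and known-interception groups are identical apart from the name and also mirror the captive-portal group just above, so a `define`/`$(eval $(call …))` template would keep the three from drifting apart.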
diff --git a/certs/src/conf/subdomain-blocked-interception.conf b/certs/src/conf/subdomain-blocked-interception.conf
new file mode 100644
index 00000000..afd07101
--- /dev/null
+++ b/certs/src/conf/subdomain-blocked-interception.conf
@@ -0,0 +1,20 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+encrypt_key = no
+prompt = no
+req_extensions = req_v3_usr
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = California
+localityName = San Francisco
+organizationName = BadSSL
+commonName = blocked-interception.__DOMAIN__
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = blocked-interception.__DOMAIN__
diff --git a/certs/src/conf/subdomain-known-interception.conf b/certs/src/conf/subdomain-known-interception.conf
new file mode 100644
index 00000000..4bdffa7f
--- /dev/null
+++ b/certs/src/conf/subdomain-known-interception.conf
@@ -0,0 +1,20 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+encrypt_key = no
+prompt = no
+req_extensions = req_v3_usr
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = California
+localityName = San Francisco
+organizationName = BadSSL
+commonName = known-interception.__DOMAIN__
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = known-interception.__DOMAIN__
diff --git a/domains/cert/blocked-interception.conf b/domains/cert/blocked-interception.conf
new file mode 100644
index 00000000..414d6690
--- /dev/null
+++ b/domains/cert/blocked-interception.conf
@@ -0,0 +1,19 @@
+---
+---
+server {
+ listen 80;
+ server_name blocked-interception.{{ site.domain }};
+
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443;
+ server_name blocked-interception.{{ site.domain }};
+
+ include {{ site.serving-path }}/nginx-includes/subdomain-blocked-interception.conf;
+ include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+ include {{ site.serving-path }}/common/common.conf;
+
+ root {{ site.serving-path }}/domains/cert/blocked-interception;
+}
\ No newline at end of file
diff --git a/domains/cert/blocked-interception/index.html b/domains/cert/blocked-interception/index.html
new file mode 100644
index 00000000..bda12eff
--- /dev/null
+++ b/domains/cert/blocked-interception/index.html
@@ -0,0 +1,16 @@
+---
+subdomain: blocked-interception
+layout: page
+favicon: red
+background: red
+---
+
+

+ {{ page.subdomain }}.
{{ site.domain }} +

+
+
+
diff --git a/domains/cert/known-interception.conf b/domains/cert/known-interception.conf
new file mode 100644
index 00000000..6a842678
--- /dev/null
+++ b/domains/cert/known-interception.conf
@@ -0,0 +1,19 @@
+---
+---
+server {
+ listen 80;
+ server_name known-interception.{{ site.domain }};
+
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443;
+ server_name known-interception.{{ site.domain }};
+
+ include {{ site.serving-path }}/nginx-includes/subdomain-known-interception.conf;
+ include {{ site.serving-path }}/nginx-includes/tls-defaults.conf;
+ include {{ site.serving-path }}/common/common.conf;
+
+ root {{ site.serving-path }}/domains/cert/known-interception;
+}
\ No newline at end of file
diff --git a/domains/cert/known-interception/index.html b/domains/cert/known-interception/index.html
new file mode 100644
index 00000000..ac57b9ef
--- /dev/null
+++ b/domains/cert/known-interception/index.html
@@ -0,0 +1,16 @@
+---
+subdomain: blocked-interception
+layout: page
+favicon: gray
+background: gray
+---
+
+

+ {{ page.subdomain }}.
{{ site.domain }} +

+
+
+
diff --git a/nginx-includes/subdomain-blocked-interception.conf b/nginx-includes/subdomain-blocked-interception.conf
new file mode 100644
index 00000000..b2aad24a
--- /dev/null
+++ b/nginx-includes/subdomain-blocked-interception.conf
@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-blocked-interception.pem;
+ssl_certificate_key /etc/keys/leaf-blocked-interception.key;
diff --git a/nginx-includes/subdomain-known-interception.conf b/nginx-includes/subdomain-known-interception.conf
new file mode 100644
index 00000000..6922e119
--- /dev/null
+++ b/nginx-includes/subdomain-known-interception.conf
@@ -0,0 +1,6 @@
+---
+---
+
+ssl on;
+ssl_certificate {{ site.cert-path }}/subdomain-known-interception.pem;
+ssl_certificate_key /etc/keys/leaf-known-interception.key;
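Review bot: The front matter of the new `domains/cert/known-interception/index.html` sets `subdomain: blocked-interception`, a copy-paste leftover from the blocked-interception page, so the heading this hunk renders from `{{ page.subdomain }}.{{ site.domain }}` will read `blocked-interception.…` on the known-interception host and the two test pages become indistinguishable by name. Change it to `subdomain: known-interception`. The `favicon: gray` / `background: gray` values already differ from the blocked page's `red`, so only the `subdomain` key looks wrong; the page body between the front matter and the closing tags is not fully visible here, so check nothing else references the subdomain name.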
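Review bot: Both new nginx-includes files rely on `ssl on;` to enable TLS, while the paired `domains/cert/*-interception.conf` server blocks declare a bare `listen 443;`; nginx deprecated `ssl on;` in 1.15.0 in favour of `listen 443 ssl;` on the server block, so these files will at least emit a deprecation warning on a current nginx and stop working once the directive is removed. This looks like the pattern the existing `subdomain-*.conf` includes use (presumably, since `tls-defaults.conf` is included alongside — confirm), so it is a repo-wide cleanup rather than something this commit introduced; when that cleanup happens, replace `listen 443;` with `listen 443 ssl;` in the two server blocks and drop `ssl on;` here.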