diff options
Diffstat (limited to 'testing/hosts')
38 files changed, 1434 insertions, 34 deletions
diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf index 4e525d929..312cadb8f 100755 --- a/testing/hosts/alice/etc/ipsec.conf +++ b/testing/hosts/alice/etc/ipsec.conf @@ -5,6 +5,7 @@ config setup crlcheckinterval=180 strictcrlpolicy=no nat_traversal=yes + charonstart=no conn %default ikelifetime=60m diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf index 9040fc25d..0172c043b 100755 --- a/testing/hosts/bob/etc/ipsec.conf +++ b/testing/hosts/bob/etc/ipsec.conf @@ -5,6 +5,7 @@ config setup crlcheckinterval=180 strictcrlpolicy=no nat_traversal=yes + charonstart=no conn %default ikelifetime=60m diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf index 43deae00f..6f1097e9e 100755 --- a/testing/hosts/carol/etc/ipsec.conf +++ b/testing/hosts/carol/etc/ipsec.conf @@ -4,6 +4,7 @@ config setup plutodebug=control crlcheckinterval=180 strictcrlpolicy=no + charonstart=no conn %default ikelifetime=60m diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf index 5fc5eef46..16e5299ce 100755 --- a/testing/hosts/dave/etc/ipsec.conf +++ b/testing/hosts/dave/etc/ipsec.conf @@ -4,6 +4,7 @@ config setup plutodebug=control crlcheckinterval=180 strictcrlpolicy=no + charonstart=no conn %default ikelifetime=60m diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf index c7d7dc2ed..b26f81911 100755 --- a/testing/hosts/moon/etc/ipsec.conf +++ b/testing/hosts/moon/etc/ipsec.conf @@ -4,6 +4,7 @@ config setup plutodebug=control crlcheckinterval=180 strictcrlpolicy=no + charonstart=no conn %default ikelifetime=60m diff --git a/testing/hosts/moon/etc/ipsec.secrets b/testing/hosts/moon/etc/ipsec.secrets index c90b4c4a3..e86d6aa5c 100644 --- a/testing/hosts/moon/etc/ipsec.secrets +++ b/testing/hosts/moon/etc/ipsec.secrets @@ -1,7 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file : RSA moonKey.pem - - - - diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf index 1106ded6f..77d3fb183 100755 --- a/testing/hosts/sun/etc/ipsec.conf +++ b/testing/hosts/sun/etc/ipsec.conf @@ -5,6 +5,7 @@ config setup crlcheckinterval=180 strictcrlpolicy=no nat_traversal=yes + charonstart=no conn %default ikelifetime=60m diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf index 8e4e47459..524640cda 100755 --- a/testing/hosts/venus/etc/ipsec.conf +++ b/testing/hosts/venus/etc/ipsec.conf @@ -5,6 +5,7 @@ config setup crlcheckinterval=180 strictcrlpolicy=no nat_traversal=yes + charonstart=no conn %default ikelifetime=60m diff --git a/testing/hosts/winnetou/etc/apache2/httpd.conf b/testing/hosts/winnetou/etc/apache2/httpd.conf new file mode 100644 index 000000000..41c74453a --- /dev/null +++ b/testing/hosts/winnetou/etc/apache2/httpd.conf @@ -0,0 +1,1103 @@ +# +# This is a modification of the default Apache 2 configuration +# file by Gentoo Linux. .... [insert more] +# +# Support: +# http://www.gentoo.org/main/en/lists.xml [mailing lists] +# http://forums.gentoo.org/ [web forums] +# +# Bug Reports: +# http://bugs.gentoo.org/ [gentoo related bugs] +# http://bugs.apache.org/ [apache httpd related bugs] + +# +# +# +# Based upon the NCSA server configuration files originally by Rob McCool. +# +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See <URL:http://httpd.apache.org/docs/2.0/> for detailed information about +# the directives. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# The configuration directives are grouped into three basic sections: +# 1. Directives that control the operation of the Apache server process as a +# whole (the 'global environment'). +# 2. Directives that define the parameters of the 'main' or 'default' server, +# which responds to requests that aren't handled by a virtual host. +# These directives also provide default values for the settings +# of all virtual hosts. +# 3. Settings for virtual hosts, which allow Web requests to be sent to +# different IP addresses or hostnames and have them handled by the +# same Apache server process. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "logs/foo.log" +# with ServerRoot set to "/usr/lib/apache2" will be interpreted by the +# server as "/usr/lib/apache2/logs/foo.log". +# + +### Section 1: Global Environment +# +# The directives in this section affect the overall operation of Apache, +# such as the number of concurrent requests it can handle or where it +# can find its configuration files. +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the LockFile documentation (available +# at <URL:http://httpd.apache.org/docs/2.0/mod/mpm_common.html#lockfile>); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +ServerRoot "/usr/lib/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +#LockFile "/var/run/apache2.lock" + +# +# ScoreBoardFile: File used to store internal server process information. +# If unspecified (the default), the scoreboard will be stored in an +# anonymous shared memory segment, and will be unavailable to third-party +# applications. +# If specified, ensure that no two invocations of Apache share the same +# scoreboard file. The scoreboard file MUST BE STORED ON A LOCAL DISK. +# +<IfModule !perchild.c> + #ScoreBoardFile /var/run/apache2_runtime_status +</IfModule> + + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# +PidFile "/var/run/apache2.pid" + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +KeepAliveTimeout 15 + +## +## Server-Pool Size Regulation (MPM specific) +## + +# prefork MPM [DEFAULT IF USE=-threads] +# StartServers: number of server processes to start +# MinSpareServers: minimum number of server processes which are kept spare +# MaxSpareServers: maximum number of server processes which are kept spare +# MaxClients: maximum number of server processes allowed to start +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule prefork.c> + StartServers 5 + MinSpareServers 5 + MaxSpareServers 10 + MaxClients 150 + MaxRequestsPerChild 0 +</IfModule> + +# worker MPM [DEFAULT IF USE=threads] +# StartServers: initial number of server processes to start +# MaxClients: maximum number of simultaneous client connections +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule worker.c> + StartServers 2 + MaxClients 150 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxRequestsPerChild 0 +</IfModule> + +# perchild MPM [THIS MPM IS NOT SUPPORTED] +# NumServers: constant number of server processes +# StartThreads: initial number of worker threads in each server process +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# MaxThreadsPerChild: maximum number of worker threads in each server process +# MaxRequestsPerChild: maximum number of connections per server process +<IfModule perchild.c> + NumServers 5 + StartThreads 5 + MinSpareThreads 5 + MaxSpareThreads 10 + MaxThreadsPerChild 20 + MaxRequestsPerChild 0 +</IfModule> + +# peruser MPM [THIS MPM IS NOT SUPPORTED] +# MinSpareServers - Minimum number of idle children, to handle request spikes +# MaxClients - Maximum number of children alive at the same time +# MaxProcessors - Maximum number of processors per vhost +# Multiplexer - Specify an Multiplexer Child configuration. +# Processor - Specify a User and Group for a specific child process. +# ServerEnvironment - Specify the server environment for this virtual host. +<IfModule peruser.c> + ServerLimit 256 + MaxClients 256 + MinSpareProcessors 2 + MaxProcessors 10 + MaxRequestsPerChild 1000 + + # kill off idle processors after this many seconds + # set to 0 to disable + ExpireTimeout 1800 + + Multiplexer nobody nobody + + Processor apache apache + + # chroot dir is optional: + # Processor user group /path/to/chroot +</IfModule> + +# itk MPM [THIS MPM IS NOT SUPPORTED] +# StartServers: number of server processes to start +# MinSpareServers: minimum number of server processes which are kept spare +# MaxSpareServers: maximum number of server processes which are kept spare +# MaxClients: maximum number of server processes allowed to start +# MaxRequestsPerChild: maximum number of requests a server process serves +<IfModule itk.c> + StartServers 5 + MinSpareServers 2 + MaxSpareServers 10 + MaxClients 150 + MaxRequestsPerChild 1000 +</IfModule> + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the <VirtualHost> +# directive. +# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses (0.0.0.0) +# +#Listen 12.34.56.78:80 +Listen 80 +Listen 8880 +Listen 8881 +Listen 8882 + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# The following modules are considered as the default configuration. +# If you wish to disable one of them, you may have to alter other +# configuration directives. +# +# You should always leave these three, as they are needed for normal use. +# mod_access (Order, Allow, etc..) +# mod_log_config (Transferlog, etc..) +# mod_mime (AddType, etc...) +# +# Example: +# LoadModule foo_module modules/mod_foo.so + + +# Authentication Modules +# +# These modules provide authentication and authorization for +# clients. They should not normally be disabled. +# +LoadModule access_module modules/mod_access.so +LoadModule auth_module modules/mod_auth.so +LoadModule auth_anon_module modules/mod_auth_anon.so +LoadModule auth_dbm_module modules/mod_auth_dbm.so +LoadModule auth_digest_module modules/mod_auth_digest.so + +# +# Metadata Modules +# +# These modules provide extra data to clients about +# a file, such as the mime-type or charset. +# +LoadModule charset_lite_module modules/mod_charset_lite.so +LoadModule env_module modules/mod_env.so +LoadModule expires_module modules/mod_expires.so +LoadModule headers_module modules/mod_headers.so +LoadModule mime_module modules/mod_mime.so +LoadModule negotiation_module modules/mod_negotiation.so +LoadModule setenvif_module modules/mod_setenvif.so + +# +# Logging Modules +# +# These modules provide logging services for Apache +# +LoadModule log_config_module modules/mod_log_config.so +LoadModule logio_module modules/mod_logio.so + + +# +# CGI Modules +# +# These modules provide the ability to execute CGI Scripts. +# +LoadModule cgi_module modules/mod_cgi.so +LoadModule cgid_module modules/mod_cgid.so + + +# +# This `suexec` module provides the ability to exeucte CGI scripts under +# a different user than apache is run. +# +LoadModule suexec_module modules/mod_suexec.so + + +# +# Mappers +# +# These Modules provide URL mappings or translations. +LoadModule alias_module modules/mod_alias.so +LoadModule rewrite_module modules/mod_rewrite.so +<IfDefine USERDIR> + LoadModule userdir_module modules/mod_userdir.so +</IfDefine> + + +# +# Handlers +# +# These modules create content for a client. +# +<IfDefine INFO> + LoadModule info_module modules/mod_info.so + LoadModule status_module modules/mod_status.so +</IfDefine> +LoadModule actions_module modules/mod_actions.so +LoadModule autoindex_module modules/mod_autoindex.so +LoadModule dir_module modules/mod_dir.so + +# +# Filters +# +# These modules provide filters for Apache. +# They preform common tasks like gzip encoding or SSI +# +# +LoadModule ext_filter_module modules/mod_ext_filter.so +LoadModule deflate_module modules/mod_deflate.so +LoadModule include_module modules/mod_include.so + + +# +# Cache Modules +# +# The following modules are used for storing a cache of +# generated or proxied content. +# +#LoadModule cache_module modules/mod_cache.so +#LoadModule disk_cache_module modules/mod_disk_cache.so +#LoadModule mem_cache_module modules/mod_mem_cache.so +#LoadModule file_cache_module modules/mod_file_cache.so + +# +# Proxy Modules +# +# The following modules are only needed if you are running +# Apache as a Forward or Reverse Proxy. +# +# WARNING: Enabling these modules can be dangerous! +# READ THE DOCUMENTATION FIRST: +# http://httpd.apache.org/docs/2.0/mod/mod_proxy.html +<IfDefine PROXY> + LoadModule proxy_module modules/mod_proxy.so + LoadModule proxy_connect_module modules/mod_proxy_connect.so + LoadModule proxy_ftp_module modules/mod_proxy_ftp.so + LoadModule proxy_http_module modules/mod_proxy_http.so +</IfDefine> + +# +# Uncommon Modules +# +# The following Modules are not commonly loaded for Apache +# +#LoadModule case_filter_module modules/mod_case_filter.so +#LoadModule case_filter_in_module modules/mod_case_filter_in.so +#LoadModule echo_module modules/mod_echo.so +#LoadModule mime_magic_module modules/mod_mime_magic.so +#LoadModule speling_module modules/mod_speling.so +#LoadModule unique_id_module modules/mod_unique_id.so +#LoadModule vhost_alias_module modules/mod_vhost_alias.so + +# +# Obsolete Modules +# +# The Following modules are not commonly needed and use +# obsolete technologies. +# +#LoadModule cern_meta_module modules/mod_cern_meta.so +#LoadModule imap_module modules/mod_imap.so +#LoadModule usertrack_module modules/mod_usertrack.so +#LoadModule asis_module modules/mod_asis.so + + +# +# Extra Modules +# +# We Include extra .conf files from /etc/apache2/modules.d +# This is used to load things like PHP and mod_ssl. +# +Include /etc/apache2/modules.d/*.conf + +### Section 2: 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# <VirtualHost> definition. These values also provide defaults for +# any <VirtualHost> containers you may define later in the file. +# +# All of these directives may appear inside <VirtualHost> containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# . On SCO (ODT 3) use "User nouser" and "Group nogroup". +# . On HPUX you may not be able to use shared memory as nobody, and the +# suggested workaround is to create a user www and use that user. +# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) +# when the value of (unsigned)Group is above 60000; +# don't use Group #-1 on these systems! +# +User apache +Group apache + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin root@localhost + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If this is not set to valid DNS name for your host, server-generated +# redirections will not work. See also the UseCanonicalName directive. +# +# If your host doesn't have a registered DNS name, enter its IP address here. +# You will have to access it by its address anyway, and this will make +# redirections work in a sensible way. +# +#ServerName localhost + +# +# UseCanonicalName: Determines how Apache constructs self-referencing +# URLs and the SERVER_NAME and SERVER_PORT variables. +# When set "Off", Apache will use the Hostname and Port supplied +# by the client. When set "On", Apache will use the value of the +# ServerName directive. +# +UseCanonicalName Off + + +# +# Each directory to which Apache has access can be configured with respect +# to which services and features are allowed and/or disabled in that +# directory (and its subdirectories). +# +# First, we configure the "default" to be a very restrictive set of +# features. +# +<Directory /> + Options FollowSymLinks + AllowOverride None +</Directory> + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# UserDir: The name of the directory that is appended onto a user's home +# directory if a ~user request is received. +# enable by adding -D USERDIR to /etc/conf.d/apache2 +# +<IfModule mod_userdir.c> + UserDir public_html + +# +# Control access to UserDir directories. The following is an example +# for a site where these directories are restricted to read-only. +# + <Directory /home/*/public_html> + AllowOverride FileInfo AuthConfig Limit Indexes + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + <Limit GET POST OPTIONS PROPFIND> + Order allow,deny + Allow from all + </Limit> + <LimitExcept GET POST OPTIONS PROPFIND> + Order deny,allow + Deny from all + </LimitExcept> + </Directory> + + +# Enable this additional section if you would like to make use of a +# suexec-enabled cgi-bin directory on a per-user basis. +# +#<Directory /home/*/public_html/cgi-bin> +# Options ExecCGI +# SetHandler cgi-script +#</Directory> + +</IfModule> + + +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# +# The index.html.var file (a type-map) is used to deliver content- +# negotiated documents. The MultiViews Option can be used for the +# same purpose, but it is much slower. +# +DirectoryIndex index.html ocsp.cgi + +# +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# +<FilesMatch "^\.ht"> + Order allow,deny + Deny from all +</FilesMatch> + +# +# TypesConfig describes where the mime.types file (or equivalent) is +# to be found. +# +TypesConfig /etc/mime.types + +# +# DefaultType is the default MIME type the server will use for a document +# if it cannot otherwise determine one, such as from filename extensions. +# If your server contains mostly text or HTML documents, "text/plain" is +# a good value. If most of your content is binary, such as applications +# or images, you may want to use "application/octet-stream" instead to +# keep browsers from trying to display binary files as though they are +# text. +# +DefaultType text/plain + +# +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +# +<IfModule mod_mime_magic.c> + MIMEMagicFile /etc/apache2/magic +</IfModule> + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# +# EnableMMAP: Control whether memory-mapping is used to deliver +# files (assuming that the underlying OS supports it). +# The default is on; turn this off if you serve from NFS-mounted +# filesystems. On some systems, turning it off (regardless of +# filesystem) can improve performance; for details, please see +# http://httpd.apache.org/docs/2.0/mod/core.html#enablemmap +# +#EnableMMAP off + +# +# EnableSendfile: Control whether the sendfile kernel support is +# used to deliver files (assuming that the OS supports it). +# The default is on; turn this off if you serve from NFS-mounted +# filesystems. Please see +# http://httpd.apache.org/docs/2.0/mod/core.html#enablesendfile +# +#EnableSendfile off + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a <VirtualHost> +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a <VirtualHost> +# container, that host's errors will be logged there and not here. +# +ErrorLog logs/error_log + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + +# +# The following directives define some format nicknames for use with +# a CustomLog directive (see below). +# +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %b" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent +LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script +LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost + +# You need to enable mod_logio.c to use %I and %O +#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + +# +# The location and format of the access logfile (Common Logfile Format). +# If you do not define any access logfiles within a <VirtualHost> +# container, they will be logged here. Contrariwise, if you *do* +# define per-<VirtualHost> access logfiles, transactions will be +# logged therein and *not* in this file. +# +CustomLog logs/access_log common + +# +# If you would like to have agent and referer logfiles, uncomment the +# following directives. +# +#CustomLog logs/referer_log referer +#CustomLog logs/agent_log agent + +# +# If you prefer a single logfile with access, agent, and referer information +# (Combined Logfile Format) you can use the following directive. +# +#CustomLog logs/access_log combined + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +# +ServerTokens Prod + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +# +ServerSignature On + +# +# Aliases: Add here as many aliases as you need (with no limit). The format is +# Alias fakename realname +# +# Note that if you include a trailing / on fakename then the server will +# require it to be present in the URL. So "/icons" isn't aliased in this +# example, only "/icons/". If the fakename is slash-terminated, then the +# realname must also be slash terminated, and if the fakename omits the +# trailing slash, the realname must also omit it. +# +# We include the /icons/ alias for FancyIndexed directory listings. If you +# do not use FancyIndexing, you may comment this out. +# +Alias /icons/ "/var/www/localhost/icons/" + +<Directory "/var/www/localhost/icons/"> + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all +</Directory> + +# +# ScriptAlias: This controls which directories contain server scripts. +# ScriptAliases are essentially the same as Aliases, except that +# documents in the realname directory are treated as applications and +# run by the server when requested rather than as documents sent to the client. +# The same rules about trailing "/" apply to ScriptAlias directives as to +# Alias. +# +ScriptAlias /cgi-bin/ /var/www/localhost/cgi-bin/ + +<IfModule mod_cgid.c> + # + # Additional to mod_cgid.c settings, mod_cgid has Scriptsock <path> + # for setting UNIX socket for communicating with cgid. + # + #Scriptsock /var/run/cgisock +</IfModule> + +# +# "/var/www/localhost/cgi-bin/" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# +<Directory "/var/www/localhost/cgi-bin/"> + AllowOverride None + Options None + Order allow,deny + Allow from all +</Directory> + +# +# Redirect allows you to tell clients about documents which used to exist in +# your server's namespace, but do not anymore. This allows you to tell the +# clients where to look for the relocated document. +# Example: +# Redirect permanent /foo http://www.example.com/bar + +# +# Directives controlling the display of server-generated directory listings. +# +<IfModule mod_autoindex.c> + # + # IndexOptions: Controls the appearance of server-generated directory + # listings. + # + IndexOptions FancyIndexing VersionSort + + # + # AddIcon* directives tell the server which icon to show for different + # files or filename extensions. These are only displayed for + # FancyIndexed directories. + # + AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + + AddIconByType (TXT,/icons/text.gif) text/* + AddIconByType (IMG,/icons/image2.gif) image/* + AddIconByType (SND,/icons/sound2.gif) audio/* + AddIconByType (VID,/icons/movie.gif) video/* + + AddIcon /icons/binary.gif .bin .exe + AddIcon /icons/binhex.gif .hqx + AddIcon /icons/tar.gif .tar + AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv + AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip + AddIcon /icons/a.gif .ps .ai .eps + AddIcon /icons/layout.gif .html .shtml .htm .pdf + AddIcon /icons/text.gif .txt + AddIcon /icons/c.gif .c + AddIcon /icons/p.gif .pl .py + AddIcon /icons/f.gif .for + AddIcon /icons/dvi.gif .dvi + AddIcon /icons/uuencoded.gif .uu + AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl + AddIcon /icons/tex.gif .tex + AddIcon /icons/bomb.gif core + + AddIcon /icons/back.gif .. + AddIcon /icons/hand.right.gif README + AddIcon /icons/folder.gif ^^DIRECTORY^^ + AddIcon /icons/blank.gif ^^BLANKICON^^ + + # + # DefaultIcon is which icon to show for files which do not have an icon + # explicitly set. + # + DefaultIcon /icons/unknown.gif + + # + # AddDescription allows you to place a short description after a file in + # server-generated indexes. These are only displayed for FancyIndexed + # directories. + # Format: AddDescription "description" filename + # + #AddDescription "GZIP compressed document" .gz + #AddDescription "tar archive" .tar + #AddDescription "GZIP compressed tar archive" .tgz + + # + # ReadmeName is the name of the README file the server will look for by + # default, and append to directory listings. + # + # HeaderName is the name of a file which should be prepended to + # directory indexes. + ReadmeName README.html + HeaderName HEADER.html + + # + # IndexIgnore is a set of filenames which directory indexing should ignore + # and not include in the listing. Shell-style wildcarding is permitted. + # + IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t .svn +</IfModule> + +# +# DefaultLanguage and AddLanguage allows you to specify the language of +# a document. You can then use content negotiation to give a browser a +# file in a language the user can understand. +# +# Specify a default language. This means that all data +# going out without a specific language tag (see below) will +# be marked with this one. You probably do NOT want to set +# this unless you are sure it is correct for all cases. +# +# * It is generally better to not mark a page as +# * being a certain language than marking it with the wrong +# * language! +# +# DefaultLanguage nl +# +# Note 1: The suffix does not have to be the same as the language +# keyword --- those with documents in Polish (whose net-standard +# language code is pl) may wish to use "AddLanguage pl .po" to +# avoid the ambiguity with the common suffix for perl scripts. +# +# Note 2: The example entries below illustrate that in some cases +# the two character 'Language' abbreviation is not identical to +# the two character 'Country' code for its country, +# E.g. 'Danmark/dk' versus 'Danish/da'. +# +# Note 3: In the case of 'ltz' we violate the RFC by using a three char +# specifier. There is 'work in progress' to fix this and get +# the reference data for rfc1766 cleaned up. +# +# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) +# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) +# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) +# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) +# Norwegian (no) - Polish (pl) - Portugese (pt) +# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) +# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) +# +AddLanguage ca .ca +AddLanguage cs .cz .cs +AddLanguage da .dk +AddLanguage de .de +AddLanguage el .el +AddLanguage en .en +AddLanguage eo .eo +AddLanguage es .es +AddLanguage et .et +AddLanguage fr .fr +AddLanguage he .he +AddLanguage hr .hr +AddLanguage it .it +AddLanguage ja .ja +AddLanguage ko .ko +AddLanguage ltz .ltz +AddLanguage nl .nl +AddLanguage nn .nn +AddLanguage no .no +AddLanguage pl .po +AddLanguage pt .pt +AddLanguage pt-BR .pt-br +AddLanguage ru .ru +AddLanguage sv .sv +AddLanguage zh-CN .zh-cn +AddLanguage zh-TW .zh-tw + +# +# LanguagePriority allows you to give precedence to some languages +# in case of a tie during content negotiation. +# +# Just list the languages in decreasing order of preference. We have +# more or less alphabetized them here. You probably want to change this. +# +LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW + +# +# ForceLanguagePriority allows you to serve a result page rather than +# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) +# [in case no accepted languages matched the available variants] +# +ForceLanguagePriority Prefer Fallback + +# +# Commonly used filename extensions to character sets. You probably +# want to avoid clashes with the language extensions, unless you +# are good at carefully testing your setup after each change. +# See http://www.iana.org/assignments/character-sets for the +# official list of charset names and their respective RFCs. +# +AddCharset ISO-8859-1 .iso8859-1 .latin1 +AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen +AddCharset ISO-8859-3 .iso8859-3 .latin3 +AddCharset ISO-8859-4 .iso8859-4 .latin4 +AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru +AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb +AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk +AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb +AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk +AddCharset ISO-2022-JP .iso2022-jp .jis +AddCharset ISO-2022-KR .iso2022-kr .kis +AddCharset ISO-2022-CN .iso2022-cn .cis +AddCharset Big5 .Big5 .big5 +# For russian, more than one charset is used (depends on client, mostly): +AddCharset WINDOWS-1251 .cp-1251 .win-1251 +AddCharset CP866 .cp866 +AddCharset KOI8-r .koi8-r .koi8-ru +AddCharset KOI8-ru .koi8-uk .ua +AddCharset ISO-10646-UCS-2 .ucs2 +AddCharset ISO-10646-UCS-4 .ucs4 +AddCharset UTF-8 .utf8 + +# The set below does not map to a specific (iso) standard +# but works on a fairly wide range of browsers. Note that +# capitalization actually matters (it should not, but it +# does for some browsers). +# +# See http://www.iana.org/assignments/character-sets +# for a list of sorts. But browsers support few. +# +AddCharset GB2312 .gb2312 .gb +AddCharset utf-7 .utf7 +AddCharset utf-8 .utf8 +AddCharset big5 .big5 .b5 +AddCharset EUC-TW .euc-tw +AddCharset EUC-JP .euc-jp +AddCharset EUC-KR .euc-kr +AddCharset shift_jis .sjis + +# +# AddType allows you to add to or override the MIME configuration +# file mime.types for specific file types. +# +#AddType application/x-tar .tgz +# +# AddEncoding allows you to have certain browsers uncompress +# information on the fly. Note: Not all browsers support this. +# Despite the name similarity, the following Add* directives have nothing +# to do with the FancyIndexing customization directives above. +# +#AddEncoding x-compress .Z +#AddEncoding x-gzip .gz .tgz +# +# If the AddEncoding directives above are commented-out, then you +# probably should define those extensions to indicate media types: +# +AddType application/x-compress .Z +AddType application/x-gzip .gz .tgz + +# +# AddHandler allows you to map certain file extensions to "handlers": +# actions unrelated to filetype. These can be either built into the server +# or added with the Action directive (see below) +# +# To use CGI scripts outside of ScriptAliased directories: +# (You will also need to add "ExecCGI" to the "Options" directive.) +# +AddHandler cgi-script .cgi + +# +# For files that include their own HTTP headers: +# +#AddHandler send-as-is asis + +# +# For server-parsed imagemap files: +# +#AddHandler imap-file map + +# +# For type maps (negotiated resources): +# (This is enabled by default to allow the Apache "It Worked" page +# to be distributed in multiple languages.) +# +AddHandler type-map var + +# +# Filters allow you to process content before it is sent to the client. +# +# To parse .shtml files for server-side includes (SSI): +# (You will also need to add "Includes" to the "Options" directive.) +# +#AddType text/html .shtml +#AddOutputFilter INCLUDES .shtml + +# +# Action lets you define media types that will execute a script whenever +# a matching file is called. This eliminates the need for repeated URL +# pathnames for oft-used CGI file processors. +# Format: Action media/type /cgi-script/location +# Format: Action handler-name /cgi-script/location +# + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# Putting this all together, we can internationalize error responses. +# +# We use Alias to redirect any /error/HTTP_<error>.html.var response to +# our collection of by-error message multi-language collections. We use +# includes to substitute the appropriate text. +# +# You can modify the messages' appearance without changing any of the +# default HTTP_<error>.html.var files by adding the line: +# +# Alias /error/include/ "/your/include/path/" +# +# which allows you to create your own set of files by starting with the +# /var/www/localhost/error/include files and copying them to /your/includepath/ +# even on a per-VirtualHost basis. The default include files will display +# your Apache version number and your ServerAdmin email address regardless +# of the setting of ServerSignature. +# +# The internationalized error documents require mod_alias, mod_include +# and mod_negotiation. To activate them, uncomment the following 30 lines. + +# Alias /error/ "/var/www/localhost/error/" +# +# <Directory "/var/www/localhost/error"> +# AllowOverride None +# Options IncludesNoExec +# AddOutputFilter Includes html +# AddHandler type-map var +# Order allow,deny +# Allow from all +# LanguagePriority en cs de es fr it nl sv pt-br ro +# ForceLanguagePriority Prefer Fallback +# </Directory> +# +# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var +# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var +# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var +# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var +# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var +# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var +# ErrorDocument 410 /error/HTTP_GONE.html.var +# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var +# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var +# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var +# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var +# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var +# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var +# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var +# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var + + +# +# The following directives modify normal HTTP response behavior to +# handle known problems with browser implementations. +# +BrowserMatch "Mozilla/2" nokeepalive +BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 +BrowserMatch "RealPlayer 4\.0" force-response-1.0 +BrowserMatch "Java/1\.0" force-response-1.0 +BrowserMatch "JDK/1\.0" force-response-1.0 + +# +# The following directive disables redirects on non-GET requests for +# a directory that does not include the trailing slash. This fixes a +# problem with Microsoft WebFolders which does not appropriately handle +# redirects for folders with DAV methods. +# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. +# +BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully +BrowserMatch "MS FrontPage" redirect-carefully +BrowserMatch "^WebDrive" redirect-carefully +BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully +BrowserMatch "^gnome-vfs" redirect-carefully +BrowserMatch "^XML Spy" redirect-carefully +BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully + +# +# Allow server status reports generated by mod_status, +# with the URL of http://servername/server-status +# Change the ".example.com" to match your domain to enable. +# +<IfDefine INFO> + ExtendedStatus On + <Location /server-status> + SetHandler server-status + Order deny,allow + Deny from all + Allow from localhost + </Location> +</IfDefine> + +# +# Allow remote server configuration reports, with the URL of +# http://localhost/server-info (This is useful for debugging) +# +<IfDefine INFO> + <Location /server-info> + SetHandler server-info + Order deny,allow + Deny from all + Allow from localhost + </Location> +</IfDefine> + + +# +# Gentoo VHosts +# +# For Gentoo we include External Virtual Hosts Files. +# Please see vhosts.d/00_default_vhost.conf for the default virtual host. +# +Include /etc/apache2/vhosts.d/*.conf diff --git a/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf new file mode 100644 index 000000000..c97c30936 --- /dev/null +++ b/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf @@ -0,0 +1,37 @@ +# OCSP Server + +<VirtualHost *:8880> + ServerAdmin root@strongswan.org + DocumentRoot /etc/openssl/ocsp + ServerName ocsp.strongswan.org + ServerAlias 192.168.0.150 + <Directory "/etc/openssl/ocsp"> + Options +ExecCGI + </Directory> + ErrorLog /var/log/apache2/ocsp/error_log + CustomLog /var/log/apache2/ocsp/access_log combined +</VirtualHost> + +<VirtualHost *:8881> + ServerAdmin root@research.strongswan.org + DocumentRoot /etc/openssl/research/ocsp + ServerName ocsp.research.strongswan.org + ServerAlias ocsp.strongswan.org 192.168.0.150 + <Directory "/etc/openssl/research/ocsp"> + Options +ExecCGI + </Directory> + ErrorLog /var/log/apache2/ocsp/error_log + CustomLog /var/log/apache2/ocsp/access_log combined +</VirtualHost> + +<VirtualHost *:8882> + ServerAdmin root@sales.strongswan.org + DocumentRoot /etc/openssl/sales/ocsp + ServerName ocsp.sales.strongswan.org + ServerAlias ocsp.strongswan.org 192.168.0.150 + <Directory "/etc/openssl/sales/ocsp"> + Options +ExecCGI + </Directory> + ErrorLog /var/log/apache2/ocsp/error_log + CustomLog /var/log/apache2/ocsp/access_log combined +</VirtualHost> diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt index 9e744674d..12025d75c 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt +++ b/testing/hosts/winnetou/etc/openssl/index.txt @@ -16,3 +16,4 @@ V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 111007105811Z 10 unknown /C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org +V 120224075857Z 13 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old index 4d7201a35..9e744674d 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/index.txt.old @@ -15,3 +15,4 @@ V 100607191714Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 111007105811Z 10 unknown /C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org +V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/13.pem b/testing/hosts/winnetou/etc/openssl/newcerts/13.pem new file mode 100644 index 000000000..aeca7e1db --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/13.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEWzCCA0OgAwIBAgIBEzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA3MDIyNTA3NTg1N1oXDTEyMDIyNDA3NTg1N1owVjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax +HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAyO4WxrPomcQSspX+ZnPit3t+tzYE/wi1E8rH3h5aO3e5 +vVZX3YxNvBqge2RPB3oQHrWwWT8vKmqzZNjJUx4bRIqd1JdTRI7L0f6XJHjnrRv8 +G7M2uHe+JbHQKPRT7IefJ4PZ1FEA8SCwKfWs5vk1/w/cabM6DVzzjtWTV9DXKD6J +5rRlvXtJDbhAvI2w8pCC1Gt6H8qjVSb7ItJ+SD3BlW3tq3nBsYFJRL24TyQg+Kdt +kkCRQYirog29q+J59SErjolse59dte+MhNTv+SnVFgpQE9IGEo6yaKMAWLSTv0If +pPr/QaEV9rcsYFmR3RtHc+QaaP0hvDAPMaKdhQMIUwIDAQABo4IBQzCCAT8wCQYD +VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDRTWKccFIi95BslK3U92mIQ +2rWGMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD +VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry +b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u +b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry +b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0 +cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQAc +1bBYLYcc+js3UsHVk7W17Nr/qoNFzQZJ5Er3RjhNAgzAX1wOTrNgKXztwZde1Alj +o05ZLXUFkB4coQwl7xo7I3EMJPUmSdHoyYyG7c7AgfcL/wwnzz4rWQl74WIZjySc +ON0Ny9vrzbVboktYof/9Yp/+HgeKopfsaIiuNCAwmAWxiYqvDmlxxn16oOXeJFV8 +pFzZMirQ5l7QRD9iuabOdcnBp8ASH+5AbD4KjFQjo5RBVg92LwOkJo3Pf1twI57s +pObrcM4JbHVohDornYQYfr9ymkMxJbqqkEgD8oIip0NFSbziam4ZkwgUlRIMUMU1 +/xsH+BXYZtKJbYjlnyc8 +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi new file mode 100755 index 000000000..cb585ed08 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi @@ -0,0 +1,11 @@ +#!/bin/bash + +cd /etc/openssl + +echo "Content-type: application/ocsp-response" +echo "" + +/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ + -rkey ocspKey.pem -rsigner ocspCert.pem \ + -nmin 5 \ + -reqin /dev/stdin -respout /dev/stdout diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem new file mode 100644 index 000000000..77f5bde52 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ +IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu +Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl +bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y +ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM +BFAELGmHKfg2R25aWlE8ju//I0ByaoIsm8BPapSiiiwTdho/JPP44/nvHcDQu828 +P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD +mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ +DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb +UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr +4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW +BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt +rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0 +cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww +GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw +FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN +BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ +9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI +zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V +14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL +lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v +1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey-self.pem b/testing/hosts/winnetou/etc/openssl/ocspKey-self.pem new file mode 100644 index 000000000..1af5ecdb9 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ocspKey-self.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAyBI4V4N1bFgoY9RJSEwEUAQsaYcp+DZHblpaUTyO7/8jQHJq +giybwE9qlKKKLBN2Gj8k8/jj+e8dwNC7zbw/e5jldtI9mmKIGAWijwELb9j+vFj+ +ySMTOqgcReOD+87VsDS2qNWflrSOmRqLukOZTIGuafUCs6OFH8cC6kIewhvuwAv4 +gRcHIxxlArpu80v08xNgjVPvb63/1xkAAQkN8SHIlkzFAqCZPVI3MvDKzPLUzUcX +3kPn2AGiTg9pFZawt3DOmV9MqHrUJ4YJiptQ/eqkwqsnxju6/57W9XO5hsmDkNH5 +sXUgYhz1BHImVOSFlyj7NMJBjGm+w07XzKvipwIDAQABAoIBABXLPk3yKQFjXQr6 +3fy9Ix8gRUI9kgnSx9cyinIc+akVDt7/V7DUcSbyv7ZvOkPw3sWfKURWUWcxb/lI +A502q2eoUR6vajx+DTsoqfuP7pIBfkZAH4kDhB24oFPQo9jzP/3Q0DD2DEtbYck1 +xhDFOlbGLZynLuMopeC/SgcAqt8UAIe5AHoUdkPUZH3MqJppH+PCjhkMzreaY9wc +mEh7tjKuItdGYt0ZmdrnQboyklMhOikn3nKOQWVINtzTLD4AsOcExPmO3m5j4m+n +h0AGDFyxUvY/l/DH2xC1C5qu13yumesJ1irURShdwO05nrWUzqT0BH4VyJCvcZiC +TnLhELkCgYEA6vmBxHXbh58VpJEfnXl8D01ZI7YgXHaNPb43j4GA26pd8JVYkPcQ +TBRZYRGEYL9CT7mfssJ6yie1ZLdGn+vkKyT2LWXxbO8kvfX5lG93sFmE1oauEuug +zau/eEh1k5fzlm6KClvFGnmMHqqxy0YMUVkAdT0Kb7PG36Bd9tDMLjsCgYEA2fkw +p8JVIAwyWF99iubxIL9sNnjJgq2j4Rj4zjtT45ZA1LCe7L1EGhQGsP/0u5u+miX6 +GdMSzwehHVBtTl/Gkg/IjWUQbL/jILeFQM2i6hdo8BCmi8k4f6ZF/Pf+m7ZRcLb/ +opJhvhhelnxfNwxHrshohCvGpGVGvSS8xtXzuoUCgYEAmxeuwHauPNkTFvk27eD2 +sr7x/DFFMOKLHVrFH3JyFAtiT96zg5OfbSftSrWeM6Fp6mdx8jKNi4skHmMeOYYg +px2RY6uq66T5Em0dnAzq6jpcBKEGmrRuAfK/wWvKN24POJajhGzIL05U3xT5n1sP +3E2rkLaGge4ecRJPkw6EBmsCgYBQWhL8lJ/Ku5RHjZP7A106JDag8e/e02HJFeqK +I8at6/KkNSOww6h6MI2y6/fsvOILcxp6MJwLY5WZ988DiDzsFRNqRCpE3Iu+wMhH +dkarIswVSx4KA7hnHgVI1qauAgyNj3g3Ft0fNV6Q/PIgmc9G+CvHJVgJvCfSi9tn +NPGu/QKBgExju7N5hrJUlfylwydp7X7jymHJGAac9J2+VhqWIhveCnTYrlwTcuJ6 +NqQDdBvDT0F+7fMxQ9wRglMadfnrwWh0Y7BGybzhlR4NDAAZk1GoxegWOR7HnacT +bbHir6keeWggJgWHsRew3Yxckzqvi+vn/v3MF/wfRijzXzSAenNl +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf index dbe31abbd..165d8bbeb 100644 --- a/testing/hosts/winnetou/etc/openssl/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf @@ -43,7 +43,7 @@ crl_extensions = crl_ext # The extentions to add to the CRL default_days = 1825 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. +default_md = sha1 # which md to use. preserve = no # keep passed DN ordering email_in_dn = no # allow/forbid EMail in DN @@ -146,7 +146,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always subjectAltName = DNS:$ENV::COMMON_NAME -#extendedKeyUsage = OCSPSigner +#extendedKeyUsage = OCSPSigning crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl #################################################################### @@ -158,6 +158,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreemen subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always subjectAltName = email:$ENV::COMMON_NAME +#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880 crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl #################################################################### diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt index 4bd650072..2ccf6489c 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt @@ -1,2 +1,3 @@ V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old index 148bab7d6..4bd650072 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old @@ -1 +1,2 @@ V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem new file mode 100644 index 000000000..279b4191d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEaDCCA1CgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDMyNTIxMDMzMFoXDTEyMDMyMzIxMDMz +MFoweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm +BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT +HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCuXf1wGjBk5wthfyJcNgYu5uVdK9fqB7k5Qswy76M2JjZ2 +ECv8JZMvGDC9ciKwEqL3QkN+E90RusdCqgabAl2K3AvbR4VOpaCdy31pdPaKfRXA +TazIH0GG8T/BImWTuweFt0XmsCl65ShoVul0DHWTli4jOAgHIj6eoYlQpRI6CbZs +qdcGZJRWzZMPa86Q3i2nKAsOiWh7jg04uLFsWu+2uBYmsPSbKqZe76FY5m+PgAwo +h0bFJI9qy4aryvNZiFT1+t3hd/wt/ZXnqYX4WsZcGlPOlKZoiDlmXzU1K1YY71io +HUiH7QOYBYY+8+Mc5kwt/ropYEbfLfAENC7WV+8tAgMBAAGjggEhMIIBHTAJBgNV +HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU8xU4ukLOgkIafc7zHp5HlANw +5/4wbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQ8wJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv +bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo +hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG +9w0BAQUFAAOCAQEADH13ce0I8nXd5rjnDWck3JdBOgFMu2Wl8zpKIeLVYZnUc/Sn +l0sULX6AIdMzKVsPh78CgsQf4tggdVCdbTURMp3SdLO5TDNlqPVMnjHjajWR+C0D +4TQWnBz/bEg3aXGjjJlu00eXWx8kRLrOP/wMWba+SEwYDqANgmUgxpcBeg8/0Q78 +d7xEJPOPDXlO5Nh3zeVIXaDT+y2ENzgyTx9YGoAURxl5eTpBNI7dJm5fjXdGlbwj +1vO+UprMEU6rB9BDFSfyXaXcQoIgRr0oZqvAUS/cF9LQRf4iUXCpr8Th7Wddqi2r +qiwDZt4o+3EYtCcMEK9zKJK3KMZc9A9HPCE+RA== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi new file mode 100755 index 000000000..c193e8779 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi @@ -0,0 +1,11 @@ +#!/bin/bash + +cd /etc/openssl/research + +echo "Content-type: application/ocsp-response" +echo "" + +/usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \ + -rkey ocspKey.pem -rsigner ocspCert.pem \ + -nmin 5 \ + -reqin /dev/stdin -respout /dev/stdout diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem new file mode 100644 index 000000000..279b4191d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEaDCCA1CgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDMyNTIxMDMzMFoXDTEyMDMyMzIxMDMz +MFoweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm +BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT +HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCuXf1wGjBk5wthfyJcNgYu5uVdK9fqB7k5Qswy76M2JjZ2 +ECv8JZMvGDC9ciKwEqL3QkN+E90RusdCqgabAl2K3AvbR4VOpaCdy31pdPaKfRXA +TazIH0GG8T/BImWTuweFt0XmsCl65ShoVul0DHWTli4jOAgHIj6eoYlQpRI6CbZs +qdcGZJRWzZMPa86Q3i2nKAsOiWh7jg04uLFsWu+2uBYmsPSbKqZe76FY5m+PgAwo +h0bFJI9qy4aryvNZiFT1+t3hd/wt/ZXnqYX4WsZcGlPOlKZoiDlmXzU1K1YY71io +HUiH7QOYBYY+8+Mc5kwt/ropYEbfLfAENC7WV+8tAgMBAAGjggEhMIIBHTAJBgNV +HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU8xU4ukLOgkIafc7zHp5HlANw +5/4wbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQ8wJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv +bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo +hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG +9w0BAQUFAAOCAQEADH13ce0I8nXd5rjnDWck3JdBOgFMu2Wl8zpKIeLVYZnUc/Sn +l0sULX6AIdMzKVsPh78CgsQf4tggdVCdbTURMp3SdLO5TDNlqPVMnjHjajWR+C0D +4TQWnBz/bEg3aXGjjJlu00eXWx8kRLrOP/wMWba+SEwYDqANgmUgxpcBeg8/0Q78 +d7xEJPOPDXlO5Nh3zeVIXaDT+y2ENzgyTx9YGoAURxl5eTpBNI7dJm5fjXdGlbwj +1vO+UprMEU6rB9BDFSfyXaXcQoIgRr0oZqvAUS/cF9LQRf4iUXCpr8Th7Wddqi2r +qiwDZt4o+3EYtCcMEK9zKJK3KMZc9A9HPCE+RA== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem new file mode 100644 index 000000000..adbfe0f92 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArl39cBowZOcLYX8iXDYGLublXSvX6ge5OULMMu+jNiY2dhAr +/CWTLxgwvXIisBKi90JDfhPdEbrHQqoGmwJditwL20eFTqWgnct9aXT2in0VwE2s +yB9BhvE/wSJlk7sHhbdF5rApeuUoaFbpdAx1k5YuIzgIByI+nqGJUKUSOgm2bKnX +BmSUVs2TD2vOkN4tpygLDoloe44NOLixbFrvtrgWJrD0myqmXu+hWOZvj4AMKIdG +xSSPasuGq8rzWYhU9frd4Xf8Lf2V56mF+FrGXBpTzpSmaIg5Zl81NStWGO9YqB1I +h+0DmAWGPvPjHOZMLf66KWBG3y3wBDQu1lfvLQIDAQABAoIBAEx5LnknE0h9yJEH +GEPG8elKHRhC7VxX7NV/RV2lmjhahBI9v3zD4gyKmH3N/Aaq9cxpxH4cKh3nhBLp +zSHY5LvNDGossPuwSoRKRgOlZ6ePeqWvq3LNuoh7cFG9Sz2CjqcHnWGyq06aCKHS +VGswN7T17eBGZ8bxLvOVt0qmSxsmg2A2tmZQCAhc6IkEe3L4sqtS4N1y+8J1GSuu +KlIuT9NtReDiXXQNxr48QJeddj6RE+5xgInUEUGPUrOnv+lllxN42u0Yrqnnci7M +SNuxiCkYmvUm47zem3mUKrTJnr4uyKSVnzY5wKcbjebnjlaJmWefM6L7wTKYGbbF +KsXXwOUCgYEA5cXCD09Oeb888dwgvOaVgZqfJaCex2wZ2Wgu8dm3y2YcrNHbrj13 +PU+1fBp29AE4cNowUitL0rHPE232WyKPCsvEt4H/ioucWvXUc9rzNlo+2H4J6ZMI +4GQp2WXQZeqEAAI35qdcRwIDMRJdsDlg9fAwKAGJAYLhL4fZewmPb8cCgYEAwkU3 +ynMCj1XMvZzhPNS9bACD1euSLTopdAzlASX9bVnDGJ5/KeWl2PqJjrmV3LCjX/4t +WnGsP5bgv6IGVRpTcjeJSebF2kEA/pwYEZJezwh304JUqsqg4K4QF1ra5v3Wp06e +Y+sMdUphzTQFAvGzWTSQweSVlXHgrW+VWxdIEWsCgYApwL7b01h6TSMA/DRCv0/p +pjRHPSG9MUqdNA5bymlYn6yURuo5hlfVn1dmPtTg0Bv2fd+L/uwfVEpByJicxPHj +T1Xm1sud3HLEIKnDh8TsWofTBUw90ocpZ2onZBXzfyMPcVfBJSZijN4Rm7nEnRie +eE/35ReFW8gZwADoF7ul3wKBgELkXo+BBnKgUn0/lXbCse6MRtjT4mNcUYW6IuhA +UoDilYDWomakwnRx4Aea83UoBTk6ZhdsaKkEpKKXgaKwC+eaI9Wkdp/uHg+NY+Q5 +CBg1jDzx9YFRgA+dH8FK8XD0GoNFWNiCyKliUUa9ELSw0NZ4eReqQ69PpNNTRpQ0 +8gW9AoGBAIUpz52BrP0XcIEE+f9ONKGJq+cr1cRXDZlgHBE90GA/b5hfMiAmvaGm +SVdBXfUzIwEv6fHRqFjXsGqRI1qD6my69khnoObu3H+DR4Dsk/3iwxDMEpK63dfM +p2fp/wc8G/s/5YVQeAOW0NpPY7qyGDoXN5UcHfLjJw23gbkUJD58 +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf index b5afd3d2e..706a52635 100644 --- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf @@ -145,7 +145,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always subjectAltName = DNS:$ENV::COMMON_NAME -#extendedKeyUsage = OCSPSigner +#extendedKeyUsage = OCSPSigning crlDistributionPoints = URI:http://crl.strongswan.org/research.crl #################################################################### diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial index 75016ea36..64969239d 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial +++ b/testing/hosts/winnetou/etc/openssl/research/serial @@ -1 +1 @@ -03 +04 diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old index 9e22bcb8e..75016ea36 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial.old +++ b/testing/hosts/winnetou/etc/openssl/research/serial.old @@ -1 +1 @@ -02 +03 diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt index 5093b34e9..ab3c06416 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt @@ -1,2 +1,3 @@ V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old index 7378ebb8a..5093b34e9 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old @@ -1 +1,2 @@ V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org +V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem new file mode 100644 index 000000000..ce2ff7b9d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEVjCCAz6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA3MDMyNTIxMTgxMVoXDTEyMDMyMzIxMTgxMVowczEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xJTAjBgNVBAsT +HFNhbGVzIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxIjAgBgNVBAMTGW9jc3Auc2Fs +ZXMuc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDGgB20WTzEVUNGDU/iwxN/eybmYAQ2rUytxoyKUHoN8Q7tATg7bwH3HrMdc5JV +AA4uiWFdrNw7GGu+QJVrYi+7jdt76ffcck6eQjLmmVsGp4T16U900ZzFh6zLnhs9 +K/Sw8yiGMQcYncblST4Sl3Yd6XdiY/fZHscsbFjxVpPGxwebZPPirukeWDFLUwVO +yc5A7pdqNlvmfy5tiO5Ds8hQMQyVqpmlDYwTQz3yZS2+X4In8GrgvBnUZ/etGzq8 +N+309wX/g2WvcKYDpWLqu3KxkwL+QTTYhIM6NvQXtPGCf3M5yBtoNqPzgIqXveuT +oMwJwF+uDZddBWjAeI1G+J8BAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud +DwQEAwIDqDAdBgNVHQ4EFgQUY33heVHJfDUOz5Va8B1VPepgam4wbQYDVR0jBGYw +ZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQ0wJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV +HSUEDDAKBggrBgEFBQcDCTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnN0 +cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAXvU0ucW8 +DUgNkNdzIYtL48d44e+vDRuVZ6BmuovHqZuuWXfmxtM0q8zPUgrtXwX50nhVg8Y3 +csLLa4o7WOmDTMftvzuh9+T9CV8WIX6vioI7zS550ZwUwB0V08JTfrCiRaCql7Eg +pDEZDfKXJCaq+I/FAH1Q03vXsDk+wTtJSeqoWCt7IiEYePwFLQ0ANjPhK6BbbcyH +XkqZE2hYmroGele+UGwflRL9CP6F8UTFdg2LefeiZmZiSkgO2a0i4ik0ShQAPyIl +is5KBiKuvsqkbMTCxdk0gdRqcTF0YUHcOCY0gHMiApsNC157fokP0Mg6rBDRCJkH +kiJdzc42Apd8uw== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi new file mode 100755 index 000000000..c53cb9a76 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi @@ -0,0 +1,11 @@ +#!/bin/bash + +cd /etc/openssl/sales + +echo "Content-type: application/ocsp-response" +echo "" + +/usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \ + -rkey ocspKey.pem -rsigner ocspCert.pem \ + -nmin 5 \ + -reqin /dev/stdin -respout /dev/stdout diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem new file mode 100644 index 000000000..ce2ff7b9d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEVjCCAz6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA3MDMyNTIxMTgxMVoXDTEyMDMyMzIxMTgxMVowczEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xJTAjBgNVBAsT +HFNhbGVzIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxIjAgBgNVBAMTGW9jc3Auc2Fs +ZXMuc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDGgB20WTzEVUNGDU/iwxN/eybmYAQ2rUytxoyKUHoN8Q7tATg7bwH3HrMdc5JV +AA4uiWFdrNw7GGu+QJVrYi+7jdt76ffcck6eQjLmmVsGp4T16U900ZzFh6zLnhs9 +K/Sw8yiGMQcYncblST4Sl3Yd6XdiY/fZHscsbFjxVpPGxwebZPPirukeWDFLUwVO +yc5A7pdqNlvmfy5tiO5Ds8hQMQyVqpmlDYwTQz3yZS2+X4In8GrgvBnUZ/etGzq8 +N+309wX/g2WvcKYDpWLqu3KxkwL+QTTYhIM6NvQXtPGCf3M5yBtoNqPzgIqXveuT +oMwJwF+uDZddBWjAeI1G+J8BAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud +DwQEAwIDqDAdBgNVHQ4EFgQUY33heVHJfDUOz5Va8B1VPepgam4wbQYDVR0jBGYw +ZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQ0wJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV +HSUEDDAKBggrBgEFBQcDCTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnN0 +cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAXvU0ucW8 +DUgNkNdzIYtL48d44e+vDRuVZ6BmuovHqZuuWXfmxtM0q8zPUgrtXwX50nhVg8Y3 +csLLa4o7WOmDTMftvzuh9+T9CV8WIX6vioI7zS550ZwUwB0V08JTfrCiRaCql7Eg +pDEZDfKXJCaq+I/FAH1Q03vXsDk+wTtJSeqoWCt7IiEYePwFLQ0ANjPhK6BbbcyH +XkqZE2hYmroGele+UGwflRL9CP6F8UTFdg2LefeiZmZiSkgO2a0i4ik0ShQAPyIl +is5KBiKuvsqkbMTCxdk0gdRqcTF0YUHcOCY0gHMiApsNC157fokP0Mg6rBDRCJkH +kiJdzc42Apd8uw== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem new file mode 100644 index 000000000..5d10a3467 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxoAdtFk8xFVDRg1P4sMTf3sm5mAENq1MrcaMilB6DfEO7QE4 +O28B9x6zHXOSVQAOLolhXazcOxhrvkCVa2Ivu43be+n33HJOnkIy5plbBqeE9elP +dNGcxYesy54bPSv0sPMohjEHGJ3G5Uk+Epd2Hel3YmP32R7HLGxY8VaTxscHm2Tz +4q7pHlgxS1MFTsnOQO6XajZb5n8ubYjuQ7PIUDEMlaqZpQ2ME0M98mUtvl+CJ/Bq +4LwZ1Gf3rRs6vDft9PcF/4Nlr3CmA6Vi6rtysZMC/kE02ISDOjb0F7Txgn9zOcgb +aDaj84CKl73rk6DMCcBfrg2XXQVowHiNRvifAQIDAQABAoIBAQCUOZL02zYfPbPw +mXwvzo++wA16NfSvh5UcpojHt/SMeJc2r5R3/Rqwl8IUmfqJcnMkmP2V38DMeB3s +gXmSKE2QdguRalLl0I2Ya8Jqo9VvEKSepMvqZaP1dKy5l6SrdylPASQfoHi2Dws4 +qAqsA2H2UCIP3Kp0/SCpsXZxML9EzIWtYtvrqJ0p0EI9ZzEn5uFok91qTYqD9c3T +v142OyfmHlwICLy7UlFkmawrV4PIIP2RGTRgr2b16Vis7mAkRC7blsFXUEBb8hwE +SmISdZYXc+NCesonXYGeRhln8PPLI3/T+HHH8G2eFhyQISHgE0CbjK+zvFcAddvD +BbeceDPhAoGBAOkXwIklHvzSj4QoCi572QNkNIkxlIa6PL3I2ygJczeB1vj9kvVc +CV2onhvBL3FGy0BJrQI7UBySW59/GdSs+WJFQWlIwI9QglDS8itAQK6+9zeyg69U +NbGw784NGn5cP3F4P3QCGEUg5Oj8t0iE8gKbljz6rlSjO5uhXYOYf0rtAoGBANoC +E0noRtG4QloEbIiHjLbnNAjabOO9KNm9FLZZFnGvTHQ1690i+GBOXC/cbP3jo6tz +07+Ob/+IKhXhEj9opGu8ZvEfarHmBEWxj6TdvFmlaHEcEFD0LqGu5ssSfW3S3AEB +Z3rBLkEeJYUYQqCU+vgZHEbrLWeBt33AIeB1nN3lAoGAL0LJnwUPy2NGBh24MsSZ +s75ViJus6cRJHJHlHbEM02xYEhQX//exTnQp2qbI38bi3x4RHiq4i5KBUU2MBzsr +NWmlYZuGr4g7Y/fhcjOM6eF+bqSbXqlMWcLuXHD7tjMuCeu/sd3a3elVgIf9AY8z +IqQ5ShPp1O9j3qJRO6Vn6eECgYBIu9KFoOonxArXD4zKTDcFOsPghEc5//0mD/Be +GgDj8vFWADtt7uHg96PIEAmI9y6+4Ajwauww29P2sr2szBO3IgdSQQIO0kfwnJnp +DlVtr0LWId/LsnvwU3MKo2OXhXcDGt3UValB7nXkHsDz5GCK743Al2vxkZSPbs+e +nH62hQKBgQC8AouEwXXXQD8+MnW+qcIbaAzVMirc94sI3fQH1AnfiZHH6aMCOh/4 +xoh/RzylotQlOk1xjCOB4O/Hhd+MAnlH9ZawCnRdvB/4usxd4j2AYr0Np7Q+VUyx +EFejvkdm20j1dh29jfSbiXHd2RCoFimX0Dr3weiRqffqi9aV2tdqLQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf index adb204bc2..687956d60 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf @@ -145,7 +145,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always subjectAltName = DNS:$ENV::COMMON_NAME -#extendedKeyUsage = OCSPSigner +#extendedKeyUsage = OCSPSigning crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl #################################################################### diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial index 75016ea36..64969239d 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial +++ b/testing/hosts/winnetou/etc/openssl/sales/serial @@ -1 +1 @@ -03 +04 diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old index 9e22bcb8e..75016ea36 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial.old +++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old @@ -1 +1 @@ -02 +03 diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial index b1bd38b62..8351c1939 100644 --- a/testing/hosts/winnetou/etc/openssl/serial +++ b/testing/hosts/winnetou/etc/openssl/serial @@ -1 +1 @@ -13 +14 diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old index 48082f72f..b1bd38b62 100644 --- a/testing/hosts/winnetou/etc/openssl/serial.old +++ b/testing/hosts/winnetou/etc/openssl/serial.old @@ -1 +1 @@ -12 +13 diff --git a/testing/hosts/winnetou/etc/openssl/start-ocsp b/testing/hosts/winnetou/etc/openssl/start-ocsp deleted file mode 100755 index bdc5dab38..000000000 --- a/testing/hosts/winnetou/etc/openssl/start-ocsp +++ /dev/null @@ -1,20 +0,0 @@ -#! /bin/sh -# start an OpenSSL-based OCSP server -# -# Copyright (C) 2004 Andreas Steffen -# Zuercher Hochschule Winterthur -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: start-ocsp,v 1.3 2005/01/01 18:12:14 as Exp $ - -cd /etc/openssl -openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 -rkey ocspKey.pem -rsigner ocspCert.pem -nmin 5 < /dev/null > /dev/null 2>&1 & |