author | Yossi Gottlieb <yossigo@gmail.com> | 2020-12-11 18:31:40 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-11 18:31:40 +0200 |
commit | 8c291b97b95f2e011977b522acf77ead23e26f55 (patch) | |
tree | 14935b675574e1f8f2cc79f90219de537c8fc0f0 /utils | |
parent | 4e064fbab4d310b508593b46ed6ce539aea7aa25 (diff) | |
download | redis-8c291b97b95f2e011977b522acf77ead23e26f55.tar.gz |
TLS: Add different client cert support. (#8076)
This adds new `tls-client-cert-file` and `tls-client-key-file`
configuration directives, which make it possible to use different
certificates for the TLS-server and TLS-client functions of Redis.
These are optional directives. If they are not specified, the `tls-cert-file`
and `tls-key-file` directives are used for TLS client functions as well.
Also, `utils/gen-test-certs.sh` now creates additional server-only and client-only certs and will skip intensive operations if target files already exist.
Diffstat (limited to 'utils')
-rwxr-xr-x | utils/gen-test-certs.sh | 65 |
1 files changed, 50 insertions, 15 deletions
diff --git a/utils/gen-test-certs.sh b/utils/gen-test-certs.sh
index a46edc55a..60814483b 100755
--- a/utils/gen-test-certs.sh
+++ b/utils/gen-test-certs.sh
@@ -1,23 +1,58 @@
 #!/bin/bash
+
+# Generate some test certificates which are used by the regression test suite:
+#
+# tests/tls/ca.{crt,key} Self signed CA certificate.
+# tests/tls/redis.{crt,key} A certificate with no key usage/policy restrictions.
+# tests/tls/client.{crt,key} A certificate restricted for SSL client usage.
+# tests/tls/server.{crt,key} A certificate restricted fro SSL server usage.
+# tests/tls/redis.dh DH Params file.
+
+generate_cert() {
+ local name=$1
+ local cn="$2"
+ local opts="$3"
+
+ local keyfile=tests/tls/${name}.key
+ local certfile=tests/tls/${name}.crt
+
+ [ -f $keyfile ] || openssl genrsa -out $keyfile 2048
+ openssl req \
+ -new -sha256 \
+ -subj "/O=Redis Test/CN=$cn" \
+ -key $keyfile | \
+ openssl x509 \
+ -req -sha256 \
+ -CA tests/tls/ca.crt \
+ -CAkey tests/tls/ca.key \
+ -CAserial tests/tls/ca.txt \
+ -CAcreateserial \
+ -days 365 \
+ $opts \
+ -out $certfile
+}
+
 mkdir -p tests/tls
-openssl genrsa -out tests/tls/ca.key 4096
+[ -f tests/tls/ca.key ] || openssl genrsa -out tests/tls/ca.key 4096
 openssl req \
 -x509 -new -nodes -sha256 \
 -key tests/tls/ca.key \
 -days 3650 \
 -subj '/O=Redis Test/CN=Certificate Authority' \
 -out tests/tls/ca.crt
-openssl genrsa -out tests/tls/redis.key 2048
+openssl req \
- -new -sha256 \
- -key tests/tls/redis.key \
- -subj '/O=Redis Test/CN=Server' | \
- openssl x509 \
- -req -sha256 \
- -CA tests/tls/ca.crt \
- -CAkey tests/tls/ca.key \
- -CAserial tests/tls/ca.txt \
- -CAcreateserial \
- -days 365 \
- -out tests/tls/redis.crt
-openssl dhparam -out tests/tls/redis.dh 2048
+
+cat > tests/tls/openssl.cnf <<_END_
+[ server_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = server
+
+[ client_cert ]
+keyUsage = digitalSignature, keyEncipherment
+nsCertType = client
+_END_
+
+generate_cert server "Server-only" "-extfile tests/tls/openssl.cnf -extensions server_cert"
+generate_cert client "Client-only" "-extfile tests/tls/openssl.cnf -extensions client_cert"
+generate_cert redis "Generic-cert"
+
+[ -f tests/tls/redis.dh ] || openssl dhparam -out tests/tls/redis.dh 2048 |
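Review bot: The new generate_cert pipeline has no failure handling: the script still sets neither `-e` nor `pipefail`, so if `openssl genrsa` or `openssl req` fails the error is only printed, `openssl x509` still runs on empty input, and the script exits 0 leaving a missing or stale certificate for the test suite to trip over later; adding `set -e -o pipefail` right after the `#!/bin/bash` context line makes any openssl failure fatal. The `server_cert`/`client_cert` sections in the heredoc express the restriction only through the legacy `nsCertType` extension — OpenSSL's purpose checks do take it into account, but other TLS stacks look at the RFC 5280 `extendedKeyUsage` extension, so adding `extendedKeyUsage = serverAuth` and `extendedKeyUsage = clientAuth` to the respective sections keeps the client-only/server-only distinction meaningful beyond OpenSSL. Minor points: `$opts` is deliberately left unquoted so it word-splits into several openssl arguments, which deserves a one-line comment such as `# intentionally unquoted: $opts carries several openssl arguments`, and the header comment reads "restricted fro SSL server usage" where "for" is meant.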