mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-09 08:16:58 +08:00
104 lines
3.4 KiB
Bash
Executable File
104 lines
3.4 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# Copyright (C) 2016 Red Hat, Inc.
|
|
#
|
|
# This file is part of ocserv.
|
|
#
|
|
# ocserv is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by the
|
|
# Free Software Foundation; either version 2 of the License, or (at
|
|
# your option) any later version.
|
|
#
|
|
# ocserv is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with GnuTLS; if not, write to the Free Software Foundation,
|
|
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
SERV="${SERV:-../src/ocserv}"
|
|
srcdir=${srcdir:-.}
|
|
NO_NEED_ROOT=1
|
|
TEMPLATE=temp-key.$$.tmpl.tmp
|
|
SERVER_CERT=server-cert-temp.pem.tmp
|
|
SERVER_KEY=server-key-temp.pem.tmp
|
|
|
|
. `dirname $0`/common.sh
|
|
|
|
eval "${GETPORT}"
|
|
|
|
echo "Testing ocserv and SIGHUP behavior on server key change... "
|
|
|
|
cat <<_EOF_>"${TEMPLATE}"
|
|
cn = "VPN server"
|
|
dns_name = $ADDRESS
|
|
expiration_days = -1
|
|
signing_key
|
|
encryption_key
|
|
tls_www_server
|
|
_EOF_
|
|
|
|
update_config test-sighup-key-change.config
|
|
|
|
# changing server cert
|
|
sed -i 's/server-cert.pem/'"${SERVER_CERT}"'/' "${CONFIG}"
|
|
sed -i 's/server-key.pem/'"${SERVER_KEY}"'/' "${CONFIG}"
|
|
cp "${srcdir}/certs/server-cert.pem" "${SERVER_CERT}"
|
|
cp "${srcdir}/certs/server-key.pem" "${SERVER_KEY}"
|
|
|
|
launch_simple_sr_server -d 1 -f -c "${CONFIG}"
|
|
PID=$!
|
|
|
|
wait_server $PID
|
|
|
|
echo -n "Connecting to obtain cookie (with certificate)... "
|
|
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert="sha1:a82547f68f44d6351bef6cacd1d7b96e84f9dfa3" --cookieonly </dev/null >/dev/null 2>&1 ) ||
|
|
fail $PID "Could not connect with certificate!"
|
|
|
|
echo ok
|
|
sleep 5
|
|
|
|
#updating the certificate
|
|
certtool --generate-self-signed --load-privkey "${SERVER_KEY}" --template "${TEMPLATE}" --outfile "${SERVER_CERT}" 2>/dev/null
|
|
|
|
echo "Reloading server with new certificate"
|
|
kill -HUP $PID
|
|
sleep 5
|
|
|
|
echo -n "Connecting to obtain cookie (with certificate)... "
|
|
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert="sha1:a82547f68f44d6351bef6cacd1d7b96e84f9dfa3" --cookieonly </dev/null >/dev/null 2>&1 ) ||
|
|
fail $PID "Could not connect with certificate!"
|
|
|
|
echo ok
|
|
|
|
sleep 10
|
|
#updating the certificate and key
|
|
certtool --generate-privkey --outfile "${SERVER_KEY}" 2>/dev/null
|
|
certtool --generate-self-signed --load-privkey "${SERVER_KEY}" --template "${TEMPLATE}" --outfile "${SERVER_CERT}" 2>/dev/null
|
|
|
|
CERTARG=`certtool --key-id < "${SERVER_CERT}" 2>/dev/null | grep -v '^Invalid option'`
|
|
if test -n "$CERTARG";then
|
|
CERTARG="sha1:${CERTARG}"
|
|
else
|
|
CERTARG=`certtool -i < "${SERVER_CERT}" 2>/dev/null | sed -n '/SHA-*1 fingerprint:/{x;N;s/.*\s\([0-9a-f]\+\).*/\1/;p}'`
|
|
fi
|
|
|
|
echo "Reloading server with new key/cert pair"
|
|
kill -HUP $PID
|
|
sleep 5
|
|
|
|
echo -n "Connecting to obtain cookie (with certificate)... "
|
|
( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert="${CERTARG}" --cookieonly </dev/null >/dev/null 2>&1 ) ||
|
|
fail $PID "Could not connect with certificate!"
|
|
|
|
echo ok
|
|
|
|
rm -f "${SERVER_CERT}"
|
|
rm -f "${SERVER_KEY}"
|
|
rm -f "${TEMPLATE}"
|
|
cleanup
|
|
|
|
exit 0
|