Skip to content

Keys, certificates, scripts and configuration for badtls.io

License

Notifications You must be signed in to change notification settings

wbond/badtls.io

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

badtls.io

A server that serves up various bad (and good) TLS certificates and configurations for the sake of testing.

Domains

Various "good" configurations:

Various "bad" configurations:

CA Certificate

In order to properly test TLS connections, the CA certificate used for the various domains will need to be added to the trust store/list used by the code or application being tested.

The CA certificate is located at certs/ca.crt.

Running Locally

To use the certificates for testing, nginx must be installed. All of the domains run on non-privileged ports for ease-of-use.

To start nginx, execute:

bash ./scripts/local.sh

Installing

To install the nginx configuration, web files and certificates on a server, invoke the following command:

python scripts/install.py {nginx_conf_dir} {nginx_ssl_dir} {wwwroot_dir}
  • {nginx_conf_dir} should be a folder to copy the badtls.conf file into
  • {nginx_ssl_dir} should be a folder in which to create a subfolder named badtls_certs, which will contain all certificates, keys and related files
  • {wwwroot_dir} should be a folder in which to create a subfolder named badtls_wwwroot which will contain the webfiles

The values provided will be used to customize the badtls.conf file. All that is necessary will be to add an include directive into the main nginx.conf:

http {
    ...

    include  relative/path/to/badtls.conf;
}

By default, the install script will not overwrite existing files/directories. To have existing files and folders replaced, add the overwrite parameter to the arguments:

python scripts/install.py overwite {nginx_conf_dir} {nginx_ssl_dir} {wwwroot_dir}

Additionally, socat will need to be configured to run on port 10003 using the configuration from scripts/local.sh. This allows proper testing of a host requiring client certificates. Unfortunately nginx does not allow requiring certificates at the TLS protocol level.

Generating New Certificates

New certificates and keys can be generated if you wish to run your own instance of the domains.

Dependencies

Python 2.6, 2.7 or 3.2+ with the following packages:

The simplest way to install them is:

pip install certbuilder crlbuilder

Commands

To generate all keys and certificates, execute the following, replacing {domain} with the domain name you with to use:

python scripts/generate.py {domain}

If only domain certs need to be regenerated, use:

python scripts/generate.py --regen-certs {domain}

About

Keys, certificates, scripts and configuration for badtls.io

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published