samples: http_server: update cipher suites and certificates
Existing cipher suites and certificates used by HTTP server sample are included in RFC9113 Appendix A: Prohibited TLS 1.2 Cipher Suites. The RFC specifies that when using HTTP/2, these cipher suites may be treated as an error of type INADEQUATE_SECURITY, and in practice it seems that Chrome and Firefox do implement this. The certificates have been updated to use ECDSA signatures on the P-256 (prime256v1) curve, and the supported cipher suites updated to include ECDHE key exchange with AES GCM and CCM modes. Some scripts are included to allow users to generate their own certificates if desired. Signed-off-by: Matt Rodgers <mrodgers@witekio.com>
This commit is contained in:
parent
45c6553567
commit
bd83c19cc7
8 changed files with 103 additions and 0 deletions
|
@ -20,6 +20,20 @@ if(CONFIG_NET_SOCKETS_SOCKOPT_TLS AND
|
|||
add_dependencies(app development_psk)
|
||||
endif()
|
||||
|
||||
set(CERTS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/src/certs)
|
||||
|
||||
add_custom_target(sample_ca_cert
|
||||
WORKING_DIRECTORY ${CERTS_DIR}
|
||||
COMMAND sh gen_ca_cert.sh
|
||||
COMMENT "Generating sample CA certificate"
|
||||
)
|
||||
|
||||
add_custom_target(sample_server_cert
|
||||
WORKING_DIRECTORY ${CERTS_DIR}
|
||||
COMMAND sh gen_server_cert.sh
|
||||
COMMENT "Generating sample server certificate"
|
||||
)
|
||||
|
||||
option(INCLUDE_HTML_CONTENT "Include the HTML content" ON)
|
||||
|
||||
target_sources(app PRIVATE src/main.c)
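Review bot: `sample_server_cert` depends on `ca_privkey.pem`, which only `sample_ca_cert` writes and which the new `.gitignore` keeps out of the tree, so on a fresh checkout running the server target alone will fail at the `-CAkey` step of `gen_server_cert.sh`; a plain `add_dependencies(sample_server_cert sample_ca_cert)` would be the wrong fix, because the CA script also overwrites the committed `ca_cert.pem` trust anchor on every run. I'd document the order instead, e.g. `# Run sample_ca_cert first; it regenerates ca_cert.pem, so clients must re-import the new CA` above the two targets, and add `VERBATIM` to both `add_custom_target` calls so the shell invocation is escaped the same way on every generator. Both targets deliberately write generated keys into `${CMAKE_CURRENT_SOURCE_DIR}/src/certs` rather than the build directory; that is reasonable for a sample but deserves a one-line comment since it is contrary to the usual rule.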
|
||||
|
|
|
@ -69,6 +69,14 @@ CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
|
|||
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
|
||||
CONFIG_TLS_CREDENTIALS=y
|
||||
CONFIG_TLS_MAX_CREDENTIALS_NUMBER=5
|
||||
CONFIG_MBEDTLS_ECDH_C=y
|
||||
CONFIG_MBEDTLS_ECDSA_C=y
|
||||
CONFIG_MBEDTLS_ECP_C=y
|
||||
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
|
||||
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
|
||||
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
|
||||
CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
|
||||
CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
|
||||
|
||||
# Networking tweaks
|
||||
# Required to handle large number of consecutive connections,
|
||||
|
|
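--- a/samples/net/sockets/http_server/src/certs/.gitignore
+++ b/samples/net/sockets/http_server/src/certs/.gitignore
@@ -0,0 +1,3 @@
+*.pem
+!ca_cert.pem
+*.ext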
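Review bot: `ca.srl`, written by `gen_server_cert.sh` through `-CAcreateserial -CAserial ca.srl`, is matched by neither `*.pem` nor `*.ext`, so regenerating the server certificate leaves an untracked serial file next to the ignored artefacts. Add `ca.srl` as a third pattern. The generated `.der` files are intentionally not ignored here since the sample commits them; a comment `# server_*.der are committed on purpose` would make that explicit.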
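--- a/samples/net/sockets/http_server/src/certs/ca_cert.pem
+++ b/samples/net/sockets/http_server/src/certs/ca_cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5DCCAYmgAwIBAgIUXHpFEmhwtzDyteoz+ZSOhyQ6xzUwCgYIKoZIzj0EAwIw
+RjEWMBQGA1UECgwNWmVwaHlycHJvamVjdDEsMCoGA1UEAwwjWmVwaHlycHJvamVj
+dCBTYW1wbGUgRGV2ZWxvcG1lbnQgQ0EwIBcNMjQxMTI3MTE1ODUwWhgPMjEyNDEx
+MDMxMTU4NTBaMEYxFjAUBgNVBAoMDVplcGh5cnByb2plY3QxLDAqBgNVBAMMI1pl
+cGh5cnByb2plY3QgU2FtcGxlIERldmVsb3BtZW50IENBMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEvCX35MoLVdt4STWeomwFjuLV8nAz+K1IIc5PrfD9nVhLZfOS
+Z35O9dTEMvn1dP2MqUqjL6wWA3oSnvItU81qD6NTMFEwHQYDVR0OBBYEFNFC9qd/
+SSYq7aDvLGsc4Fu7Fn5cMB8GA1UdIwQYMBaAFNFC9qd/SSYq7aDvLGsc4Fu7Fn5c
+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhALWzu1PtNJYu9sWb
+A2iBixJuoK7y8EqCkGDp0e66mA+qAiEAyz7YdO7zhcHWgaUXqLwlVqe5cstVMsLv
+4TbLwQi+wfI=
+-----END CERTIFICATE-----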
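--- a/samples/net/sockets/http_server/src/certs/gen_ca_cert.sh
+++ b/samples/net/sockets/http_server/src/certs/gen_ca_cert.sh
@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Witekio
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate a root CA private key
+openssl ecparam \
+-name prime256v1 \
+-genkey \
+-out ca_privkey.pem
+
+# Generate a root CA certificate using private key
+openssl req \
+-new \
+-x509 \
+-days 36500 \
+-key ca_privkey.pem \
+-out ca_cert.pem \
+-subj "/O=Zephyrproject/CN=Zephyrproject Sample Development CA"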
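Review bot: The script has no shebang and no `set -eu`, so if `openssl ecparam` fails the following `req -x509` still runs and can re-sign a stale `ca_privkey.pem` left over from an earlier run, while the CMake target invoking `sh gen_ca_cert.sh` only sees the exit status of the last command. Add `#!/bin/sh` and `set -eu` above the first `openssl` call. The script also overwrites the committed `ca_cert.pem` unconditionally, which invalidates the checked-in server certificate signed by the previous key; a comment such as `# Regenerating the CA invalidates any server cert signed by the old key` would save users a confusing TLS handshake failure. The 100-year `-days 36500` lifetime is fine for a development CA, but a short `# development only` comment stops it being copied into production scripts.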
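--- a/samples/net/sockets/http_server/src/certs/gen_server_cert.sh
+++ b/samples/net/sockets/http_server/src/certs/gen_server_cert.sh
@@ -0,0 +1,48 @@
+# Copyright (c) 2024, Witekio
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate a server private key
+openssl ecparam \
+-name prime256v1 \
+-genkey \
+-out server_privkey.pem
+
+# Generate a certificate signing request using server key
+openssl req \
+-new \
+-sha256 \
+-key server_privkey.pem \
+-out server_csr.pem \
+-subj "/O=Zephyrproject/CN=zephyr"
+
+# Create a file containing server CSR extensions
+echo "subjectKeyIdentifier=hash" > server_csr.ext
+echo "authorityKeyIdentifier=keyid,issuer" >> server_csr.ext
+echo "basicConstraints=critical,CA:FALSE" >> server_csr.ext
+echo "keyUsage=critical,digitalSignature" >> server_csr.ext
+echo "extendedKeyUsage=serverAuth" >> server_csr.ext
+echo "subjectAltName=DNS:zephyr.local,IP.1:192.0.2.1,IP.2:2001:db8::1" >> server_csr.ext
+
+# Create a server certificate by signing the server CSR using the CA cert/key
+openssl x509 \
+-req \
+-sha256 \
+-CA ca_cert.pem \
+-CAkey ca_privkey.pem \
+-days 36500 \
+-CAcreateserial \
+-CAserial ca.srl \
+-in server_csr.pem \
+-out server_cert.pem \
+-extfile server_csr.ext
+
+# Create DER encoded versions of server certificate and private key
+openssl ec \
+-outform der \
+-in server_privkey.pem \
+-out server_privkey.der
+
+openssl x509 \
+-outform der \
+-in server_cert.pem \
+-out server_cert.der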
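Review bot: Every step assumes the previous one succeeded, but there is no `set -eu` and no check that `ca_privkey.pem` exists, so on a checkout that only has the committed `ca_cert.pem` the `openssl x509 -req ... -CAkey ca_privkey.pem` call fails and the script then tries to DER-convert a `server_cert.pem` that was never written. Add `#!/bin/sh`, `set -eu` and `[ -f ca_privkey.pem ] || { echo "run gen_ca_cert.sh first" >&2; exit 1; }` before the key generation. The `server_privkey.der` this produces appears to be one of the two binary files committed by this change, which is acceptable for a sample but should be stated in a comment above the `openssl ec -outform der` step (e.g. `# Committed as sample credentials; never reuse this key outside the sample`). The intermediate `server_csr.pem` and `server_csr.ext` are left behind after signing; removing them at the end would keep the directory tidy.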
Binary file not shown.
Binary file not shown.