From 749d4f89cc36e130500eee97a8d166b0543ef877 Mon Sep 17 00:00:00 2001 From: Derek Collison Date: Thu, 22 Oct 2015 03:30:27 +0200 Subject: [PATCH 01/13] First pass at client TLS support --- server/client.go | 3 +- server/client_test.go | 4 +-- server/opts.go | 69 ++++++++++++++++++++++++++++++++++++++++--- server/opts_test.go | 56 +++++++++++++++++++++++++++++++++-- server/route.go | 6 ++-- server/server.go | 20 +++++++++++-- test/opts_test.go | 15 ++++++++++ test/test.go | 12 +++++++- 8 files changed, 170 insertions(+), 15 deletions(-) diff --git a/server/client.go b/server/client.go index 10a20d45..d183c72b 100644 --- a/server/client.go +++ b/server/client.go @@ -244,7 +244,7 @@ func (c *client) processRouteInfo(info *Info) { } } -// Process the information messages from Clients and other routes. +// Process the information messages from Clients and other Routes. func (c *client) processInfo(arg []byte) error { info := Info{} if err := json.Unmarshal(arg, &info); err != nil { @@ -293,6 +293,7 @@ func (c *client) processConnect(arg []byte) error { func (c *client) authTimeout() { c.sendErr("Authorization Timeout") + c.Debugf("Authorization Timeout") c.closeConnection() } diff --git a/server/client_test.go b/server/client_test.go index 4a787f19..19bcb845 100644 --- a/server/client_test.go +++ b/server/client_test.go @@ -18,7 +18,7 @@ type serverInfo struct { Port uint `json:"port"` Version string `json:"version"` AuthRequired bool `json:"auth_required"` - SslRequired bool `json:"ssl_required"` + TLSRequired bool `json:"ssl_required"` MaxPayload int64 `json:"max_payload"` } @@ -93,7 +93,7 @@ func TestClientCreateAndInfo(t *testing.T) { } // Sanity checks if info.MaxPayload != MAX_PAYLOAD_SIZE || - info.AuthRequired || info.SslRequired || + info.AuthRequired || info.TLSRequired || info.Port != DEFAULT_PORT { t.Fatalf("INFO inconsistent: %+v\n", info) } diff --git a/server/opts.go b/server/opts.go index d47b066d..680ced48 100644 --- a/server/opts.go 
+++ b/server/opts.go @@ -1,8 +1,10 @@ -// Copyright 2012-2013 Apcera Inc. All rights reserved. +// Copyright 2012-2015 Apcera Inc. All rights reserved. package server import ( + "crypto/tls" + "crypto/x509" "fmt" "io/ioutil" "net" @@ -30,7 +32,6 @@ type Options struct { PingInterval time.Duration `json:"ping_interval"` MaxPingsOut int `json:"ping_max"` HTTPPort int `json:"http_port"` - SslTimeout float64 `json:"ssl_timeout"` AuthTimeout float64 `json:"auth_timeout"` MaxControlLine int `json:"max_control_line"` MaxPayload int `json:"max_payload"` @@ -48,6 +49,8 @@ type Options struct { Routes []*url.URL `json:"-"` RoutesStr string `json:"-"` BufSize int `json:"-"` + TLSTimeout float64 `json:"tls_timeout"` + TLSConfig *tls.Config `json:"-"` } type authorization struct { @@ -56,6 +59,12 @@ type authorization struct { timeout float64 } +// This struct holds the parsed tls config information. +type tlsConfig struct { + certFile string + keyFile string +} + // ProcessConfigFile processes a configuration file. // FIXME(dlc): Hacky func ProcessConfigFile(configFile string) (*Options, error) { @@ -118,6 +127,11 @@ func ProcessConfigFile(configFile string) (*Options, error) { opts.MaxPending = int(v.(int64)) case "max_connections", "max_conn": opts.MaxConn = int(v.(int64)) + case "tls": + tlsm := v.(map[string]interface{}) + if err := parseTLS(tlsm, opts); err != nil { + return nil, err + } } } return opts, nil 
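Review bot: The new `case "tls"` branch in ProcessConfigFile asserts `v.(map[string]interface{})` without the comma-ok form, so a config that gives `tls` a scalar value (constructed example: `tls: true`) panics the server at startup instead of returning an error. parseTLS already reports type mismatches for its own fields through `fmt.Errorf`, and the same treatment fits here: `tlsm, ok := v.(map[string]interface{})` followed by `if !ok { return nil, fmt.Errorf("error parsing tls config, expected a map") }`. ProcessConfigFile starts and ends outside this hunk; the neighbouring `int(v.(int64))` cases visible in it have the same unchecked shape.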
@@ -176,6 +190,53 @@ func parseAuthorization(am map[string]interface{}) authorization { return auth } +// Helper function to parse TLS configs. +func parseTLS(tlsm map[string]interface{}, opts *Options) error { + tc := tlsConfig{} + for mk, mv := range tlsm { + switch strings.ToLower(mk) { + case "cert_file": + certFile, ok := mv.(string) + if !ok { + return fmt.Errorf("error parsing tls config, expected 'cert_file' to be filename") + } + tc.certFile = certFile + case "key_file": + keyFile, ok := mv.(string) + if !ok { + return fmt.Errorf("error parsing tls config, expected 'key_file' to be filename") + } + tc.keyFile = keyFile + default: + return fmt.Errorf("error parsing tls config, unknown field [%q]", mk) + } + } + // Now load in cert and private key + cert, err := tls.LoadX509KeyPair(tc.certFile, tc.keyFile) + if err != nil { + return fmt.Errorf("error parsing X509 certificate/key pair: %v", err) + } + cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]) + if err != nil { + return fmt.Errorf("error parsing certificate: %v", err) + } + // Create TLSConfig + // We will determine the cipher suites that we prefer. + config := tls.Config{ + Certificates: []tls.Certificate{cert}, + PreferServerCipherSuites: true, + MinVersion: tls.VersionTLS12, + CipherSuites: []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + } + opts.TLSConfig = &config + return nil +} + // MergeOptions will merge two options giving preference to the flagOpts // if the item is present. func MergeOptions(fileOpts, flagOpts *Options) *Options { 
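Review bot: parseTLS reaches `tls.LoadX509KeyPair(tc.certFile, tc.keyFile)` even when the `tls` block omitted `cert_file` or `key_file`, so the operator sees a file-open error for an empty path rather than a message naming the missing field. A guard before the load makes the failure explicit: `if tc.certFile == "" || tc.keyFile == "" { return fmt.Errorf("error parsing tls config, 'cert_file' and 'key_file' are both required") }`. The doc comment could also state what this function fixes for every deployment, since none of it is configurable in this hunk: TLS 1.2 minimum, four ECDHE AES-GCM suites, server cipher preference, and no client-certificate verification (`ClientAuth` is left at its zero value).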
@@ -349,8 +410,8 @@ func processOptions(opts *Options) { if opts.MaxPingsOut == 0 { opts.MaxPingsOut = DEFAULT_PING_MAX_OUT } - if opts.SslTimeout == 0 { - opts.SslTimeout = float64(SSL_TIMEOUT) / float64(time.Second) + if opts.TLSTimeout == 0 { + opts.TLSTimeout = float64(SSL_TIMEOUT) / float64(time.Second) } if opts.AuthTimeout == 0 { opts.AuthTimeout = float64(AUTH_TIMEOUT) / float64(time.Second) diff --git a/server/opts_test.go b/server/opts_test.go index 821dc51a..00eef8dc 100644 --- a/server/opts_test.go +++ b/server/opts_test.go @@ -1,8 +1,9 @@ -// Copyright 2013-2014 Apcera Inc. All rights reserved. +// Copyright 2013-2015 Apcera Inc. All rights reserved. package server import ( + "crypto/tls" "net/url" "reflect" "testing" @@ -16,7 +17,7 @@ func TestDefaultOptions(t *testing.T) { MaxConn: DEFAULT_MAX_CONNECTIONS, PingInterval: DEFAULT_PING_INTERVAL, MaxPingsOut: DEFAULT_PING_MAX_OUT, - SslTimeout: float64(SSL_TIMEOUT) / float64(time.Second), + TLSTimeout: float64(SSL_TIMEOUT) / float64(time.Second), AuthTimeout: float64(AUTH_TIMEOUT) / float64(time.Second), MaxControlLine: MAX_CONTROL_LINE_SIZE, MaxPayload: MAX_PAYLOAD_SIZE, 
@@ -77,6 +78,57 @@ func TestConfigFile(t *testing.T) { } } +func TestTLSConfigFile(t *testing.T) { + golden := &Options{ + Host: "apcera.me", + Port: 4443, + Username: "derek", + Password: "buckley", + AuthTimeout: 1.0, + } + opts, err := ProcessConfigFile("./configs/tls/test.conf") + if err != nil { + t.Fatalf("Received an error reading config file: %v\n", err) + } + tlsConfig := opts.TLSConfig + if tlsConfig == nil { + t.Fatal("Expected opts.TLSConfig to be non-nil") + } + opts.TLSConfig = nil + if !reflect.DeepEqual(golden, opts) { + t.Fatalf("Options are incorrect.\nexpected: %+v\ngot: %+v", + golden, opts) + } + // Now check TLSConfig a bit more closely + // CipherSuites + ciphers := []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + } + if !reflect.DeepEqual(tlsConfig.CipherSuites, ciphers) { + t.Fatalf("Got incorrect cipher suite list: [%+v]", tlsConfig.CipherSuites) + } + if tlsConfig.MinVersion != tls.VersionTLS12 { + t.Fatalf("Expected MinVersion of 1.2 [%v], got [%v]", tls.VersionTLS12, tlsConfig.MinVersion) + } + if tlsConfig.PreferServerCipherSuites != true { + t.Fatal("Expected PreferServerCipherSuites to be true") + } + // Verify hostname is correct in certificate + if len(tlsConfig.Certificates) != 1 { + t.Fatal("Expected 1 certificate") + } + if len(tlsConfig.Certificates) < 1 { + t.Fatalf("Expected certificates") + } + cert := tlsConfig.Certificates[0].Leaf + if err := cert.VerifyHostname("apcera.me:4443"); err != nil { + t.Fatalf("Could not verify hostname in certificate: %v\n", err) + } +} + func TestMergeOverrides(t *testing.T) { golden := &Options{ Host: "apcera.me", diff --git a/server/route.go b/server/route.go index 9fc5ffea..60ec2c74 100644 --- a/server/route.go +++ b/server/route.go 
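Review bot: `cert.VerifyHostname("apcera.me:4443")` passes only because the fixture certificate's CN is the literal string `apcera.me:4443` (see server/configs/tls/certs/nats.crt in the next patch); a host name carries no port, so a client verifying `apcera.me` alone would not match this certificate. The test would pin more useful behaviour with a fixture issued for the bare host and `cert.VerifyHostname("apcera.me")`. The second length check, `if len(tlsConfig.Certificates) < 1`, is unreachable after the `!= 1` check directly above it and can be dropped.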
@@ -24,7 +24,7 @@ type connectInfo struct { Pedantic bool `json:"pedantic"` User string `json:"user,omitempty"` Pass string `json:"pass,omitempty"` - Ssl bool `json:"ssl_required"` + TLS bool `json:"ssl_required"` Name string `json:"name"` } @@ -42,7 +42,7 @@ func (c *client) sendConnect() { Pedantic: false, User: user, Pass: pass, - Ssl: false, + TLS: false, Name: c.srv.info.ID, } b, err := json.Marshal(cinfo) @@ -301,7 +301,7 @@ func (s *Server) StartRouting() { Host: s.opts.ClusterHost, Port: s.opts.ClusterPort, AuthRequired: false, - SslRequired: false, + TLSRequired: false, MaxPayload: MAX_PAYLOAD_SIZE, } // Check for Auth items diff --git a/server/server.go b/server/server.go index 82e50e8d..d46ab8d7 100644 --- a/server/server.go +++ b/server/server.go @@ -3,6 +3,8 @@ package server import ( + "bufio" + "crypto/tls" "encoding/json" "fmt" "io/ioutil" @@ -30,7 +32,7 @@ type Info struct { Host string `json:"host"` Port int `json:"port"` AuthRequired bool `json:"auth_required"` - SslRequired bool `json:"ssl_required"` + TLSRequired bool `json:"ssl_required"` // ssl json used for older clients MaxPayload int `json:"max_payload"` } @@ -80,7 +82,7 @@ func New(opts *Options) *Server { Host: opts.Host, Port: opts.Port, AuthRequired: false, - SslRequired: false, + TLSRequired: opts.TLSConfig != nil, MaxPayload: opts.MaxPayload, } @@ -393,6 +395,7 @@ func (s *Server) createClient(conn net.Conn) *client { s.mu.Lock() info := s.infoJSON authRequired := s.info.AuthRequired + tlsRequired := s.info.TLSRequired s.mu.Unlock() // Grab lock 
@@ -412,6 +415,19 @@ func (s *Server) createClient(conn net.Conn) *client { // Send our information. s.sendInfo(c, info) + // Check for TLS + if tlsRequired { + c.Debugf("Starting TLS client connection handshake") + c.nc = tls.Server(c.nc, s.opts.TLSConfig) + conn := c.nc.(*tls.Conn) + err := conn.Handshake() + if err != nil { + c.Debugf("TLS handshake error: %v", err) + } + // Rewrap bw + c.bw = bufio.NewWriterSize(c.nc, s.opts.BufSize) + } + // Unlock to register c.mu.Unlock() diff --git a/test/opts_test.go b/test/opts_test.go index b94ac7c3..d94ad0fb 100644 --- a/test/opts_test.go +++ b/test/opts_test.go @@ -3,6 +3,7 @@ package test import ( + "fmt" "testing" ) @@ -19,3 +20,17 @@ func TestServerConfig(t *testing.T) { opts.MaxPayload, sinfo.MaxPayload) } } + +func TestTLSConfig(t *testing.T) { + srv, opts := RunServerWithConfig("./configs/tls.conf") + defer srv.Shutdown() + + c := createClientConn(t, opts.Host, opts.Port) + defer c.Close() + + sinfo := checkInfoMsg(t, c) + fmt.Printf("sinfo is %+v\n", sinfo) + if sinfo.TLSRequired != true { + t.Fatal("Expected TLSRequired to be true when configured") + } +} diff --git a/test/test.go b/test/test.go index 59a6857c..619e6b12 100644 --- a/test/test.go +++ b/test/test.go @@ -15,6 +15,7 @@ import ( "strings" "time" + "github.com/nats-io/gnatsd/auth" "github.com/nats-io/gnatsd/server" ) @@ -53,7 +54,16 @@ func RunServerWithConfig(configFile string) (srv *server.Server, opts *server.Op panic(fmt.Sprintf("Error processing configuration file: %v", err)) } opts.NoSigs, opts.NoLog = true, true - srv = RunServer(opts) + + // Check for auth + var a server.Auth + if opts.Authorization != "" { + a = &auth.Token{Token: opts.Authorization} + } + if opts.Username != "" { + a = &auth.Plain{Username: opts.Username, Password: opts.Password} + } + srv = RunServerWithAuth(opts, a) return } From 5004efe54b26fcb5d0cbbf19d7af7e0cf0665fdd Mon Sep 17 00:00:00 2001 
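Review bot: A failed handshake in the new `if tlsRequired` block is only logged at debug level; the code then rewraps `c.bw` and carries on to register the client, so a peer that fails TLS is still added to the server's client set until a later read or write errors out. The handshake also runs with no deadline while `c.mu` is held, and `opts.TLSTimeout` (introduced in this patch) is not applied in any visible hunk, so a peer that connects and sends nothing keeps `Handshake()` blocked. I would bound the handshake with that timeout and close the connection on error, as sketched below. The sketch assumes `time` is already imported in server.go, that `closeConnection` must not be called with `c.mu` held, and that callers tolerate a nil return; none of that is visible here because createClient starts and ends outside the hunk. INFO is still written in plaintext before the upgrade, which deserves a comment noting that `ssl_required` reaches the client unauthenticated.

```go
		conn := c.nc.(*tls.Conn)

		// Bound the handshake so a silent peer cannot hold it open.
		ttl := time.Duration(s.opts.TLSTimeout * float64(time.Second))
		conn.SetDeadline(time.Now().Add(ttl))
		if err := conn.Handshake(); err != nil {
			c.Debugf("TLS handshake error: %v", err)
			c.mu.Unlock()
			c.closeConnection()
			return nil
		}
		// Handshake finished: clear the deadline for normal traffic.
		conn.SetDeadline(time.Time{})

		// … unchanged: rewrap c.bw with bufio.NewWriterSize …
```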
From: Derek Collison Date: Thu, 22 Oct 2015 03:32:11 +0200 Subject: [PATCH 02/13] new files for TLS --- server/configs/tls/certs/nats.crt | 88 ++++++++++++++++++++++++++++++ server/configs/tls/certs/nats.key | 27 ++++++++++ server/configs/tls/test.conf | 16 ++++++ test/configs/certs/localhost.crt | 89 +++++++++++++++++++++++++++++++ test/configs/certs/localhost.key | 27 ++++++++++ test/configs/certs/nats.crt | 88 ++++++++++++++++++++++++++++++ test/configs/certs/nats.key | 27 ++++++++++ test/configs/tls.conf | 16 ++++++ test/tls_test.go | 75 ++++++++++++++++++++++++++ 9 files changed, 453 insertions(+) create mode 100644 server/configs/tls/certs/nats.crt create mode 100644 server/configs/tls/certs/nats.key create mode 100644 server/configs/tls/test.conf create mode 100644 test/configs/certs/localhost.crt create mode 100644 test/configs/certs/localhost.key create mode 100644 test/configs/certs/nats.crt create mode 100644 test/configs/certs/nats.key create mode 100644 test/configs/tls.conf create mode 100644 test/tls_test.go diff --git a/server/configs/tls/certs/nats.crt b/server/configs/tls/certs/nats.crt new file mode 100644 index 00000000..f56f9ef9 --- /dev/null +++ b/server/configs/tls/certs/nats.crt 
@@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c8:77:4b:d6:10:0a:9f:f3 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io + Validity + Not Before: Oct 21 12:44:12 2015 GMT + Not After : Oct 20 12:44:12 2016 GMT + Subject: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:a1:e3:36:e3:e4:88:53:e8:b7:37:56:96:c9:a8: + 1d:0a:53:d2:b8:87:96:b3:aa:35:26:f2:e6:20:65: + f2:6a:6f:31:e1:0d:44:82:fc:97:bc:3e:db:c9:25: + 68:ee:81:84:b9:88:49:bf:cc:46:46:68:8c:fa:0e: + 05:9a:3d:0f:cc:90:54:0a:58:ee:3e:85:fe:64:75: + 85:49:17:a1:ed:10:04:6d:34:22:1e:81:d0:ca:4c: + ec:a4:1c:e6:fd:7d:a0:05:b4:3c:e3:5d:e8:32:8e: + a6:04:a6:af:42:cd:09:15:39:12:9b:7c:32:9d:ce: + 3e:06:aa:bf:13:98:36:ff:b1:f7:aa:1d:f1:fe:ba: + 1d:c2:38:86:52:ce:7e:d3:86:44:8c:2f:65:e3:50: + 4a:67:22:e2:39:51:ab:30:0e:e3:a8:ce:c9:9a:d1: + 9f:4c:1c:25:49:da:fa:b7:a1:0f:8e:d6:c0:d6:6d: + 05:22:cc:58:06:fa:7c:4a:b0:b9:ab:d5:e6:0b:60: + 48:ed:cf:c8:46:ab:e1:fa:55:91:88:21:8d:e0:fc: + 21:21:26:3f:a5:9f:b5:95:40:59:27:03:84:3f:2c: + 61:b2:2b:5b:e0:75:5c:fb:70:eb:c3:d3:3a:3a:e8: + 2e:47:7e:3d:51:82:7a:b8:b4:8e:17:ff:e4:0d:fb: + 86:5f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 + X509v3 Authority Key Identifier: + keyid:1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 + DirName:/C=US/ST=California/L=San Francisco/O=Apcera Inc/OU=NATS Testing/CN=apcera.me:4443/emailAddress=derek@nats.io + serial:C8:77:4B:D6:10:0A:9F:F3 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 8c:4c:4a:36:de:84:81:9e:fa:25:0c:50:d1:dd:96:33:34:f9: + 
7a:f2:40:ed:9b:14:af:86:1e:f0:32:bc:03:67:96:fe:34:16: + 2e:92:9b:97:c1:76:93:04:d7:d6:e1:d0:75:66:a2:0e:2b:1a: + 60:ac:df:e6:14:78:ef:32:3a:91:e8:19:4c:e5:25:5b:ee:3f: + 77:5a:30:2e:f1:e2:0b:cb:33:80:af:ec:71:f4:c2:eb:4f:14: + 5a:b4:c7:df:d9:86:7a:ef:23:fc:c2:fd:35:00:e0:77:4c:50: + d3:b7:f6:ca:4b:5b:19:26:6a:8e:53:66:6a:e5:fc:7f:46:54: + 7f:78:ad:98:45:e4:66:9b:78:7b:e4:8e:da:13:50:2c:a1:6b: + 03:6d:a7:36:b9:f8:10:ed:e4:23:02:d8:9f:0f:f7:fe:6e:c8: + 75:58:8d:34:bf:45:52:58:8c:d0:86:09:e4:aa:6d:61:d8:8c: + d1:1d:fb:f1:4c:3d:d5:dc:9e:17:49:d8:2f:8c:b1:34:aa:81: + 93:de:50:c0:f7:c7:17:83:7f:66:a0:d2:c5:8c:63:70:b6:34: + 0b:0a:77:41:41:19:ca:92:8a:ed:02:e6:98:62:e6:66:8f:2f: + 46:16:b6:71:b2:4a:76:15:ba:ce:a8:7a:a1:3a:44:d1:84:12: + b8:61:97:bf +-----BEGIN CERTIFICATE----- +MIIExzCCA6+gAwIBAgIJAMh3S9YQCp/zMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n +MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA +bmF0cy5pbzAeFw0xNTEwMjExMjQ0MTJaFw0xNjEwMjAxMjQ0MTJaMIGdMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n +MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA +bmF0cy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKHjNuPkiFPo +tzdWlsmoHQpT0riHlrOqNSby5iBl8mpvMeENRIL8l7w+28klaO6BhLmISb/MRkZo +jPoOBZo9D8yQVApY7j6F/mR1hUkXoe0QBG00Ih6B0MpM7KQc5v19oAW0PONd6DKO +pgSmr0LNCRU5Ept8Mp3OPgaqvxOYNv+x96od8f66HcI4hlLOftOGRIwvZeNQSmci +4jlRqzAO46jOyZrRn0wcJUna+rehD47WwNZtBSLMWAb6fEqwuavV5gtgSO3PyEar +4fpVkYghjeD8ISEmP6WftZVAWScDhD8sYbIrW+B1XPtw68PTOjroLkd+PVGCeri0 +jhf/5A37hl8CAwEAAaOCAQYwggECMB0GA1UdDgQWBBQepAFDzxB7GqhHQJATzltm +TLQ7aTCB0gYDVR0jBIHKMIHHgBQepAFDzxB7GqhHQJATzltmTLQ7aaGBo6SBoDCB +nTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh +biBGcmFuY2lzY28xEzARBgNVBAoTCkFwY2VyYSBJbmMxFTATBgNVBAsTDE5BVFMg 
+VGVzdGluZzEXMBUGA1UEAxMOYXBjZXJhLm1lOjQ0NDMxHDAaBgkqhkiG9w0BCQEW +DWRlcmVrQG5hdHMuaW+CCQDId0vWEAqf8zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBBQUAA4IBAQCMTEo23oSBnvolDFDR3ZYzNPl68kDtmxSvhh7wMrwDZ5b+NBYu +kpuXwXaTBNfW4dB1ZqIOKxpgrN/mFHjvMjqR6BlM5SVb7j93WjAu8eILyzOAr+xx +9MLrTxRatMff2YZ67yP8wv01AOB3TFDTt/bKS1sZJmqOU2Zq5fx/RlR/eK2YReRm +m3h75I7aE1AsoWsDbac2ufgQ7eQjAtifD/f+bsh1WI00v0VSWIzQhgnkqm1h2IzR +HfvxTD3V3J4XSdgvjLE0qoGT3lDA98cXg39moNLFjGNwtjQLCndBQRnKkortAuaY +YuZmjy9GFrZxskp2FbrOqHqhOkTRhBK4YZe/ +-----END CERTIFICATE----- diff --git a/server/configs/tls/certs/nats.key b/server/configs/tls/certs/nats.key new file mode 100644 index 00000000..81507bfe --- /dev/null +++ b/server/configs/tls/certs/nats.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAoeM24+SIU+i3N1aWyagdClPSuIeWs6o1JvLmIGXyam8x4Q1E +gvyXvD7bySVo7oGEuYhJv8xGRmiM+g4Fmj0PzJBUCljuPoX+ZHWFSReh7RAEbTQi +HoHQykzspBzm/X2gBbQ8413oMo6mBKavQs0JFTkSm3wync4+Bqq/E5g2/7H3qh3x +/rodwjiGUs5+04ZEjC9l41BKZyLiOVGrMA7jqM7JmtGfTBwlSdr6t6EPjtbA1m0F +IsxYBvp8SrC5q9XmC2BI7c/IRqvh+lWRiCGN4PwhISY/pZ+1lUBZJwOEPyxhsitb +4HVc+3Drw9M6OuguR349UYJ6uLSOF//kDfuGXwIDAQABAoIBABVtHzy2aJzCdk1q +tnZmO8G8Km2l9Ho/Et3e1DqBg742jWF+Ag1cJTETGL/cpbC7j7eGpEwwWzTCbbZC +2Nb7MfYfPCBKeO3piiv9qfBsok/gCNXzSnjDMcE0wTVPZfsy/1UB7/Uf3rWiT7LZ +5ORwgr0+WoodvA1K2MbFHpkXUmAxFevx6reGmWYlx8UPbyS9PfONHt2SfG8wVmcJ +n3qqw5Flywp8uDCTrd8L/yM54onq4RCZ/iSKLphLjOFgWzx2PnuRog4obNJtAlHC +jTcrW1/QCgwU9J2uBfMvzQLWwgU6prlrh20k42UbWknqoozwdSW7N3vEawt3ri5Z +c76wkGECgYEA0xj+AbZ6FyqA5lJbebSZs1KpBsgcJK5LI/XAvKnlLNnKXIi5uT2l +SM37j9/G5BhnrOIUuc756WJrX5CTqkXHvc5eINO1sR4o1uTf3H44JKWXFBanzdvO +DXI11a0810AbJEiXqz7e/ldEovVsBWJCMtv+F7j7TCNG4qlPMa7xhCcCgYEAxFKP +mR2nHlvFJQYUkiGRpTYg82utNiQhifwGUjZK0kBeMXH10fL2K1KOx/OfrlTOQmyN +OC/db88sFtsh0sD44SzkAUS0iP8FWlWYrm+ZLWc1xkOaOcDE294p+BgX3xxTLKWK +dO9gKsG5MxscZ8yTvX67jRmfeiRAlVr8bPOKtwkCgYAWSH8XozGEHIJ6zZrGYCAR +Y9pf0uPVo2hfJWPxBmYgs+S+m9gvC6jU5Jl3eIHANitLfpn9ezG6Rx9aeSJ9SNxq +1svs3yxAxBQ/iu1ukwxOIgSupC2Wd2tq0/GG2sCfYC79R4RrGTnk00V1hj6e2t5u +C/bofihYwyiKaKDpd7Qa5QKBgBt3dZG1fVkY+8cHR79+JNNZdFi6Gty1R1/3u6aq +4+LwkH0YdYzvEhPTlBhTdGa+hLD0YPmYcMGg2YlFFUFYMDnIvwmSZDO6gjQ2P4tA +H80jYHmhoaUs3B3qwjJspIJZgyV+75UWnHy+57tHsryu+YiMf47pI8/B3KtItIJF +vIWJAoGAXoQbPCdxl//vVxvlnKl8TTlaW0GYJk+GAow6V3s/nMmMQKlFuurZpHcT +cmYkpTbTOgVhhmgqr8Iw7qIRS95NzfjbsV6wzbFJZNI/pU5tJAtcFgsmaTA5Uxck +BQZmojzJgiQ1cZT9BCKAeuwi5G/tKyJzA6Q1zSbSs8HrHV1BU98= +-----END RSA PRIVATE KEY----- diff --git a/server/configs/tls/test.conf b/server/configs/tls/test.conf new file mode 100644 index 00000000..85880f19 --- /dev/null +++ b/server/configs/tls/test.conf 
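Review bot: This hunk commits an unencrypted RSA private key, and the same blob (index 81507bfe) is added again as test/configs/certs/nats.key, with a second key in test/configs/certs/localhost.key. The matching certificates are self-signed with `CA:TRUE`, so whoever holds these now-public keys can issue certificates that chain to them if either certificate ever lands in a trust store. Generating the pair at test time (crypto/x509 can create a throwaway self-signed certificate) would avoid shipping key material at all. If the fixtures stay, a short README beside them marking the files as test fixtures, plus an allowlist entry for secret scanners, would make the intent explicit.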
@@ -0,0 +1,16 @@
+
+# Simple TLS config file
+
+port: 4443
+net: apcera.me # net interface
+
+tls {
+ cert_file: "./configs/tls/certs/nats.crt"
+ key_file: "./configs/tls/certs/nats.key"
+}
+
+authorization {
+ user: derek
+ password: buckley
+ timeout: 1
+}
diff --git a/test/configs/certs/localhost.crt b/test/configs/certs/localhost.crt
new file mode 100644
index 00000000..244fa57d
--- /dev/null
+++ b/test/configs/certs/localhost.crt
@@ -0,0 +1,89 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + bf:bc:38:a0:02:6d:12:1f + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=nats://localhost:4443//emailAddress=derek@nats.io + Validity + Not Before: Oct 21 23:34:25 2015 GMT + Not After : Nov 20 23:34:25 2015 GMT + Subject: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=nats://localhost:4443//emailAddress=derek@nats.io + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c9:21:1f:b0:92:24:09:21:84:35:92:86:9c:88: + c7:7b:1d:24:94:31:f6:e5:1e:0f:75:01:0a:bf:26: + b3:47:3b:f7:2c:07:01:3f:58:54:ec:00:ef:7c:72: + 70:d9:dd:9a:00:4b:3d:5d:69:3a:ca:7f:7a:71:ce: + 88:38:5a:5c:5b:f8:a9:da:fa:db:4a:9c:d1:00:3c: + ae:b4:c4:f3:d0:7a:6a:fc:98:1c:e9:bf:73:13:9e: + 84:8b:2b:84:9f:2e:9a:f6:6f:a6:15:5e:67:38:9d: + 5b:26:86:ed:fa:ba:ba:ac:67:c8:fe:46:b2:d0:b3: + 62:1a:75:f3:ef:13:fb:94:96:8b:52:ee:4f:65:58: + 73:0f:b9:31:ff:2f:ef:af:99:ab:54:7c:5e:cb:a3: + a1:ec:ff:cb:78:96:8c:f3:eb:63:0e:dc:df:c1:69: + e8:4b:0e:0b:b5:83:ab:f5:49:5e:41:c4:68:e3:58: + a6:b0:a4:fa:c0:7e:3a:6d:9a:dc:b4:0f:ef:24:a4: + dc:a1:d2:f4:31:0e:b1:7f:00:37:41:1f:77:c7:07: + a2:9f:bf:07:2e:f7:55:7f:69:58:c2:30:ed:6e:d4: + 6e:27:79:35:59:44:92:0a:ce:9b:25:ff:1f:1e:00: + 2a:70:17:9a:22:d2:1b:b0:c8:63:33:83:91:2f:ca: + e3:cf + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + B7:FA:28:75:23:46:9F:20:38:A7:77:55:24:F4:EC:FA:B2:66:A8:61 + X509v3 Authority Key Identifier: + keyid:B7:FA:28:75:23:46:9F:20:38:A7:77:55:24:F4:EC:FA:B2:66:A8:61 + DirName:/C=US/ST=California/L=San Francisco/O=Apcera Inc/OU=NATS Testing/CN=nats://localhost:4443//emailAddress=derek@nats.io + serial:BF:BC:38:A0:02:6D:12:1F + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 70:63:bd:94:cf:6a:15:05:0a:29:7b:98:e0:40:32:69:90:90: + 
b6:31:02:35:7c:d2:50:01:ee:83:31:a7:db:b2:82:17:3d:46: + 18:08:fb:e6:e0:b2:ba:30:b1:c7:48:85:3a:be:51:fb:4d:9d: + 1b:0c:7f:eb:8b:6d:8a:6d:07:e0:40:d0:af:53:71:8a:86:13: + 0c:9f:59:df:01:84:7f:8c:f3:0d:ed:c4:78:03:6a:79:d8:de: + 3e:68:c7:7f:bb:fa:91:95:15:69:a3:41:51:6e:bf:d9:6a:42: + 7c:a3:4c:62:91:23:d1:e2:b8:26:94:cf:95:01:ee:c0:3f:ec: + 66:99:28:5a:dc:e8:72:89:9c:55:16:e4:69:68:cc:a3:4b:50: + c5:d5:77:a7:9c:e8:7f:d0:d1:91:67:a1:95:3d:43:ba:fb:6b: + 9d:4f:80:35:5c:56:b9:71:ce:04:e0:67:89:89:7d:b2:25:08: + b4:89:44:44:c3:ff:f3:d2:25:9a:72:5f:c4:7b:50:b7:6a:cd: + 20:02:10:61:c3:a9:0c:3c:62:9d:96:68:9b:45:92:83:ba:43: + 48:c5:01:36:4c:fe:ca:e5:35:fd:43:72:57:2d:7d:13:74:94: + bb:08:66:be:92:65:85:1c:f0:8d:c3:06:23:e9:da:3f:2c:2e: + 61:d8:dc:f8 +-----BEGIN CERTIFICATE----- +MIIE3zCCA8egAwIBAgIJAL+8OKACbRIfMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n +MR8wHQYDVQQDExZuYXRzOi8vbG9jYWxob3N0OjQ0NDMvMRwwGgYJKoZIhvcNAQkB +Fg1kZXJla0BuYXRzLmlvMB4XDTE1MTAyMTIzMzQyNVoXDTE1MTEyMDIzMzQyNVow +gaUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T +YW4gRnJhbmNpc2NvMRMwEQYDVQQKEwpBcGNlcmEgSW5jMRUwEwYDVQQLEwxOQVRT +IFRlc3RpbmcxHzAdBgNVBAMTFm5hdHM6Ly9sb2NhbGhvc3Q6NDQ0My8xHDAaBgkq +hkiG9w0BCQEWDWRlcmVrQG5hdHMuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDJIR+wkiQJIYQ1koaciMd7HSSUMfblHg91AQq/JrNHO/csBwE/WFTs +AO98cnDZ3ZoASz1daTrKf3pxzog4Wlxb+Kna+ttKnNEAPK60xPPQemr8mBzpv3MT +noSLK4SfLpr2b6YVXmc4nVsmhu36urqsZ8j+RrLQs2IadfPvE/uUlotS7k9lWHMP +uTH/L++vmatUfF7Lo6Hs/8t4lozz62MO3N/BaehLDgu1g6v1SV5BxGjjWKawpPrA +fjptmty0D+8kpNyh0vQxDrF/ADdBH3fHB6Kfvwcu91V/aVjCMO1u1G4neTVZRJIK +zpsl/x8eACpwF5oi0huwyGMzg5EvyuPPAgMBAAGjggEOMIIBCjAdBgNVHQ4EFgQU +t/oodSNGnyA4p3dVJPTs+rJmqGEwgdoGA1UdIwSB0jCBz4AUt/oodSNGnyA4p3dV +JPTs+rJmqGGhgaukgagwgaUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y +bmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKEwpBcGNlcmEgSW5j 
+MRUwEwYDVQQLEwxOQVRTIFRlc3RpbmcxHzAdBgNVBAMTFm5hdHM6Ly9sb2NhbGhv +c3Q6NDQ0My8xHDAaBgkqhkiG9w0BCQEWDWRlcmVrQG5hdHMuaW+CCQC/vDigAm0S +HzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBwY72Uz2oVBQope5jg +QDJpkJC2MQI1fNJQAe6DMafbsoIXPUYYCPvm4LK6MLHHSIU6vlH7TZ0bDH/ri22K +bQfgQNCvU3GKhhMMn1nfAYR/jPMN7cR4A2p52N4+aMd/u/qRlRVpo0FRbr/ZakJ8 +o0xikSPR4rgmlM+VAe7AP+xmmSha3OhyiZxVFuRpaMyjS1DF1XennOh/0NGRZ6GV +PUO6+2udT4A1XFa5cc4E4GeJiX2yJQi0iUREw//z0iWacl/Ee1C3as0gAhBhw6kM +PGKdlmibRZKDukNIxQE2TP7K5TX9Q3JXLX0TdJS7CGa+kmWFHPCNwwYj6do/LC5h +2Nz4 +-----END CERTIFICATE----- diff --git a/test/configs/certs/localhost.key b/test/configs/certs/localhost.key new file mode 100644 index 00000000..b872dd58 --- /dev/null +++ b/test/configs/certs/localhost.key 
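Review bot: This fixture is valid for only 30 days (`Not After : Nov 20 23:34:25 2015 GMT`), while test/tls_test.go verifies the server against it through `RootCAs`, so TestTLSConnection will presumably start failing with an expiry error once that date passes. Its subject CN is the URL `nats://localhost:4443/` rather than a host name, and it is signed with `sha1WithRSAEncryption`; neither is a pattern a deployed certificate should copy. Regenerating it with a long validity, a SHA-256 signature and `localhost` as the name, or creating it at test time, would keep the test stable.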
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAySEfsJIkCSGENZKGnIjHex0klDH25R4PdQEKvyazRzv3LAcB +P1hU7ADvfHJw2d2aAEs9XWk6yn96cc6IOFpcW/ip2vrbSpzRADyutMTz0Hpq/Jgc +6b9zE56EiyuEny6a9m+mFV5nOJ1bJobt+rq6rGfI/kay0LNiGnXz7xP7lJaLUu5P +ZVhzD7kx/y/vr5mrVHxey6Oh7P/LeJaM8+tjDtzfwWnoSw4LtYOr9UleQcRo41im +sKT6wH46bZrctA/vJKTcodL0MQ6xfwA3QR93xwein78HLvdVf2lYwjDtbtRuJ3k1 +WUSSCs6bJf8fHgAqcBeaItIbsMhjM4ORL8rjzwIDAQABAoIBAQDGbomnWOd4orqf +aCqqsT+ttTjrhMgDkD7LvvVtVa82rnDT3S1b47gVB28/pmC0ca+IbrLiP/mi41ZY +hd1bS7snehOKWkiUOlbxFu1+p3msy7pV73VHIH1Wc+Rsscisi/yS+eAv4O2Rq53M +Sv7rieK2ScbBJ9svkGtPk+PQkjR5iLTThpQYSZGlMkBXhzBC8AhYzjx55fSAgW5R +QkMSWzGsNiO6H2yszoSBAsGz9n0ntkI4njOPRAJTYOxLr8WsZksaaBNJxEmVKpOp +f9xSpXTHadNPTdE2X6pbrcyXKv0lV1QNWAUCw/Gy/nnDasCxBfaQQF0L0iQkZXRf +KRzZwjyBAoGBAPHCjlcthYCa4j1FABGptbNcj9mqK40tNGx7ySw70e2IipW1VimO +570PdPMS7LobNqH3IOJl4aFW5YCNBArXwCYZ9Pk9Gq+l5uREBaOv85vK1+mbTeOW +NHkFS/dlrvr2FkCyqmStAZ9U0v3rJ9mDIor/cL9Ahmu77HxwU2M5qobhAoGBANT5 +6ILkkb7nQ390MkqL94O4ZAnCNO4Kk+v9tenqBGVBHR293FXmXegGkHMYSWUF2C4r +cjKDUcA2yTZ/Y2IWzGj2d1vR5ygB1KlBhX4vVIP/jKcDkQJiqnQIj8VqswqI8UNE +8pkKrdDEoa4GjWw3hDtE4c/KD2EoD+pjAM99PrCvAoGAOy1ufjRsW2CORIUhUTGD +gpYDuDoJUxNfo7ZhNeympEgp9B9hKecLHqIr9FwLijqjEt5VNFXP9xg4MVFTTfwl +0q3D40Zrw9cOP43O+5RUQyxR0aLsW+smiQEc6UAApvmZ1NhnESGwJfozc2geZwXM +bM2+IXJ/9NsZNhSgtMcm0MECgYAsVEwSGpM/ghFpkPz6yUFemF2yLksoFOmPIELi +CkSZ8sCltSQMeSOorN0aJ773GQ1TJtXhL7YvZPfisQc1nnszicF0Si9sA12JUUsA +5ccYpnNXPAXN0k2aU0HhnIDhu3lEQDCirDdbkeH5QAHluXR7ha3euzcSSO1vIuZD +SdVnnwKBgEitmCzRIFb2PYTkJnjcaXuXXdZzVZtx0s2rNSKqQyRGK5lQ3tqVibHI +ddtkUZayQfcc6f9ZFd8Qof83skgLYEjeYQCn2FTV/NfZ2I0scgG7PSZ0iQmFUt8h +fzdtNAJ4ERhVJ8nJe4MLKgLGGkpNokq+mFSnC9BSVeIVbnx8QfQX +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/nats.crt b/test/configs/certs/nats.crt new file mode 100644 index 00000000..f56f9ef9 --- /dev/null +++ b/test/configs/certs/nats.crt 
@@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c8:77:4b:d6:10:0a:9f:f3 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io + Validity + Not Before: Oct 21 12:44:12 2015 GMT + Not After : Oct 20 12:44:12 2016 GMT + Subject: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:a1:e3:36:e3:e4:88:53:e8:b7:37:56:96:c9:a8: + 1d:0a:53:d2:b8:87:96:b3:aa:35:26:f2:e6:20:65: + f2:6a:6f:31:e1:0d:44:82:fc:97:bc:3e:db:c9:25: + 68:ee:81:84:b9:88:49:bf:cc:46:46:68:8c:fa:0e: + 05:9a:3d:0f:cc:90:54:0a:58:ee:3e:85:fe:64:75: + 85:49:17:a1:ed:10:04:6d:34:22:1e:81:d0:ca:4c: + ec:a4:1c:e6:fd:7d:a0:05:b4:3c:e3:5d:e8:32:8e: + a6:04:a6:af:42:cd:09:15:39:12:9b:7c:32:9d:ce: + 3e:06:aa:bf:13:98:36:ff:b1:f7:aa:1d:f1:fe:ba: + 1d:c2:38:86:52:ce:7e:d3:86:44:8c:2f:65:e3:50: + 4a:67:22:e2:39:51:ab:30:0e:e3:a8:ce:c9:9a:d1: + 9f:4c:1c:25:49:da:fa:b7:a1:0f:8e:d6:c0:d6:6d: + 05:22:cc:58:06:fa:7c:4a:b0:b9:ab:d5:e6:0b:60: + 48:ed:cf:c8:46:ab:e1:fa:55:91:88:21:8d:e0:fc: + 21:21:26:3f:a5:9f:b5:95:40:59:27:03:84:3f:2c: + 61:b2:2b:5b:e0:75:5c:fb:70:eb:c3:d3:3a:3a:e8: + 2e:47:7e:3d:51:82:7a:b8:b4:8e:17:ff:e4:0d:fb: + 86:5f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 + X509v3 Authority Key Identifier: + keyid:1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 + DirName:/C=US/ST=California/L=San Francisco/O=Apcera Inc/OU=NATS Testing/CN=apcera.me:4443/emailAddress=derek@nats.io + serial:C8:77:4B:D6:10:0A:9F:F3 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 8c:4c:4a:36:de:84:81:9e:fa:25:0c:50:d1:dd:96:33:34:f9: + 
7a:f2:40:ed:9b:14:af:86:1e:f0:32:bc:03:67:96:fe:34:16: + 2e:92:9b:97:c1:76:93:04:d7:d6:e1:d0:75:66:a2:0e:2b:1a: + 60:ac:df:e6:14:78:ef:32:3a:91:e8:19:4c:e5:25:5b:ee:3f: + 77:5a:30:2e:f1:e2:0b:cb:33:80:af:ec:71:f4:c2:eb:4f:14: + 5a:b4:c7:df:d9:86:7a:ef:23:fc:c2:fd:35:00:e0:77:4c:50: + d3:b7:f6:ca:4b:5b:19:26:6a:8e:53:66:6a:e5:fc:7f:46:54: + 7f:78:ad:98:45:e4:66:9b:78:7b:e4:8e:da:13:50:2c:a1:6b: + 03:6d:a7:36:b9:f8:10:ed:e4:23:02:d8:9f:0f:f7:fe:6e:c8: + 75:58:8d:34:bf:45:52:58:8c:d0:86:09:e4:aa:6d:61:d8:8c: + d1:1d:fb:f1:4c:3d:d5:dc:9e:17:49:d8:2f:8c:b1:34:aa:81: + 93:de:50:c0:f7:c7:17:83:7f:66:a0:d2:c5:8c:63:70:b6:34: + 0b:0a:77:41:41:19:ca:92:8a:ed:02:e6:98:62:e6:66:8f:2f: + 46:16:b6:71:b2:4a:76:15:ba:ce:a8:7a:a1:3a:44:d1:84:12: + b8:61:97:bf +-----BEGIN CERTIFICATE----- +MIIExzCCA6+gAwIBAgIJAMh3S9YQCp/zMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n +MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA +bmF0cy5pbzAeFw0xNTEwMjExMjQ0MTJaFw0xNjEwMjAxMjQ0MTJaMIGdMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n +MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA +bmF0cy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKHjNuPkiFPo +tzdWlsmoHQpT0riHlrOqNSby5iBl8mpvMeENRIL8l7w+28klaO6BhLmISb/MRkZo +jPoOBZo9D8yQVApY7j6F/mR1hUkXoe0QBG00Ih6B0MpM7KQc5v19oAW0PONd6DKO +pgSmr0LNCRU5Ept8Mp3OPgaqvxOYNv+x96od8f66HcI4hlLOftOGRIwvZeNQSmci +4jlRqzAO46jOyZrRn0wcJUna+rehD47WwNZtBSLMWAb6fEqwuavV5gtgSO3PyEar +4fpVkYghjeD8ISEmP6WftZVAWScDhD8sYbIrW+B1XPtw68PTOjroLkd+PVGCeri0 +jhf/5A37hl8CAwEAAaOCAQYwggECMB0GA1UdDgQWBBQepAFDzxB7GqhHQJATzltm +TLQ7aTCB0gYDVR0jBIHKMIHHgBQepAFDzxB7GqhHQJATzltmTLQ7aaGBo6SBoDCB +nTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh +biBGcmFuY2lzY28xEzARBgNVBAoTCkFwY2VyYSBJbmMxFTATBgNVBAsTDE5BVFMg 
+VGVzdGluZzEXMBUGA1UEAxMOYXBjZXJhLm1lOjQ0NDMxHDAaBgkqhkiG9w0BCQEW +DWRlcmVrQG5hdHMuaW+CCQDId0vWEAqf8zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBBQUAA4IBAQCMTEo23oSBnvolDFDR3ZYzNPl68kDtmxSvhh7wMrwDZ5b+NBYu +kpuXwXaTBNfW4dB1ZqIOKxpgrN/mFHjvMjqR6BlM5SVb7j93WjAu8eILyzOAr+xx +9MLrTxRatMff2YZ67yP8wv01AOB3TFDTt/bKS1sZJmqOU2Zq5fx/RlR/eK2YReRm +m3h75I7aE1AsoWsDbac2ufgQ7eQjAtifD/f+bsh1WI00v0VSWIzQhgnkqm1h2IzR +HfvxTD3V3J4XSdgvjLE0qoGT3lDA98cXg39moNLFjGNwtjQLCndBQRnKkortAuaY +YuZmjy9GFrZxskp2FbrOqHqhOkTRhBK4YZe/ +-----END CERTIFICATE----- diff --git a/test/configs/certs/nats.key b/test/configs/certs/nats.key new file mode 100644 index 00000000..81507bfe --- /dev/null +++ b/test/configs/certs/nats.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAoeM24+SIU+i3N1aWyagdClPSuIeWs6o1JvLmIGXyam8x4Q1E +gvyXvD7bySVo7oGEuYhJv8xGRmiM+g4Fmj0PzJBUCljuPoX+ZHWFSReh7RAEbTQi +HoHQykzspBzm/X2gBbQ8413oMo6mBKavQs0JFTkSm3wync4+Bqq/E5g2/7H3qh3x +/rodwjiGUs5+04ZEjC9l41BKZyLiOVGrMA7jqM7JmtGfTBwlSdr6t6EPjtbA1m0F +IsxYBvp8SrC5q9XmC2BI7c/IRqvh+lWRiCGN4PwhISY/pZ+1lUBZJwOEPyxhsitb +4HVc+3Drw9M6OuguR349UYJ6uLSOF//kDfuGXwIDAQABAoIBABVtHzy2aJzCdk1q +tnZmO8G8Km2l9Ho/Et3e1DqBg742jWF+Ag1cJTETGL/cpbC7j7eGpEwwWzTCbbZC +2Nb7MfYfPCBKeO3piiv9qfBsok/gCNXzSnjDMcE0wTVPZfsy/1UB7/Uf3rWiT7LZ +5ORwgr0+WoodvA1K2MbFHpkXUmAxFevx6reGmWYlx8UPbyS9PfONHt2SfG8wVmcJ +n3qqw5Flywp8uDCTrd8L/yM54onq4RCZ/iSKLphLjOFgWzx2PnuRog4obNJtAlHC +jTcrW1/QCgwU9J2uBfMvzQLWwgU6prlrh20k42UbWknqoozwdSW7N3vEawt3ri5Z +c76wkGECgYEA0xj+AbZ6FyqA5lJbebSZs1KpBsgcJK5LI/XAvKnlLNnKXIi5uT2l +SM37j9/G5BhnrOIUuc756WJrX5CTqkXHvc5eINO1sR4o1uTf3H44JKWXFBanzdvO +DXI11a0810AbJEiXqz7e/ldEovVsBWJCMtv+F7j7TCNG4qlPMa7xhCcCgYEAxFKP +mR2nHlvFJQYUkiGRpTYg82utNiQhifwGUjZK0kBeMXH10fL2K1KOx/OfrlTOQmyN +OC/db88sFtsh0sD44SzkAUS0iP8FWlWYrm+ZLWc1xkOaOcDE294p+BgX3xxTLKWK +dO9gKsG5MxscZ8yTvX67jRmfeiRAlVr8bPOKtwkCgYAWSH8XozGEHIJ6zZrGYCAR +Y9pf0uPVo2hfJWPxBmYgs+S+m9gvC6jU5Jl3eIHANitLfpn9ezG6Rx9aeSJ9SNxq +1svs3yxAxBQ/iu1ukwxOIgSupC2Wd2tq0/GG2sCfYC79R4RrGTnk00V1hj6e2t5u +C/bofihYwyiKaKDpd7Qa5QKBgBt3dZG1fVkY+8cHR79+JNNZdFi6Gty1R1/3u6aq +4+LwkH0YdYzvEhPTlBhTdGa+hLD0YPmYcMGg2YlFFUFYMDnIvwmSZDO6gjQ2P4tA +H80jYHmhoaUs3B3qwjJspIJZgyV+75UWnHy+57tHsryu+YiMf47pI8/B3KtItIJF +vIWJAoGAXoQbPCdxl//vVxvlnKl8TTlaW0GYJk+GAow6V3s/nMmMQKlFuurZpHcT +cmYkpTbTOgVhhmgqr8Iw7qIRS95NzfjbsV6wzbFJZNI/pU5tJAtcFgsmaTA5Uxck +BQZmojzJgiQ1cZT9BCKAeuwi5G/tKyJzA6Q1zSbSs8HrHV1BU98= +-----END RSA PRIVATE KEY----- diff --git a/test/configs/tls.conf b/test/configs/tls.conf new file mode 100644 index 00000000..66702a76 --- /dev/null +++ b/test/configs/tls.conf 
@@ -0,0 +1,16 @@
+
+# Simple TLS config file
+
+port: 4443
+net: localhost
+
+tls {
+ cert_file: "./configs/certs/localhost.crt"
+ key_file: "./configs/certs/localhost.key"
+}
+
+authorization {
+ user: derek
+ password: boo
+ timeout: 1
+}
diff --git a/test/tls_test.go b/test/tls_test.go
new file mode 100644
index 00000000..b4955579
--- /dev/null
+++ b/test/tls_test.go
@@ -0,0 +1,75 @@
+// Copyright 2015 Apcera Inc. All rights reserved.
+
+package test
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "testing"
+
+ "github.com/nats-io/nats"
+)
+
+func TestTLSConnection(t *testing.T) {
+ srv, opts := RunServerWithConfig("./configs/tls.conf")
+ defer srv.Shutdown()
+
+ endpoint := fmt.Sprintf("%s:%d", opts.Host, opts.Port)
+ nurl := fmt.Sprintf("nats://%s/", endpoint)
+ nc, err := nats.Connect(nurl)
+ if err == nil {
+ t.Fatalf("Expected error trying to connect to secure server")
+ }
+
+ // Do simple SecureConnect
+ nc, err = nats.SecureConnect(nurl)
+ if err == nil {
+ t.Fatalf("Expected error trying to connect to secure server with no auth")
+ }
+
+ // Add in the user/pass
+ purl := fmt.Sprintf("nats://%s:%s@%s/", opts.Username, opts.Password, endpoint)
+
+ nc, err = nats.SecureConnect(purl)
+ if err != nil {
+ t.Fatalf("Got an error on SecureConnect: %+v\n", err)
+ }
+ subj := "foo-tls"
+ sub, _ := nc.SubscribeSync(subj)
+
+ nc.Publish(subj, []byte("We are Secure!"))
+ nc.Flush()
+ nmsgs, _ := sub.QueuedMsgs()
+ if nmsgs != 1 {
+ t.Fatalf("Expected to receive a message over the TLS connection")
+ }
+ defer nc.Close()
+
+ // Now do more advanced checking
+
+ // Setup our own TLSConfig using Root from our self signed cert.
+ pool := x509.NewCertPool()
+ pool.AddCert(opts.TLSConfig.Certificates[0].Leaf)
+
+ config := &tls.Config{
+ ServerName: nurl,
+ RootCAs: pool,
+ MinVersion: tls.VersionTLS12,
+ }
+
+ copts := nats.DefaultOptions
+ copts.Url = purl
+ copts.Secure = true
+ copts.TLSConfig = config
+
+ nc, err = copts.Connect()
+ if err != nil {
+ t.Fatalf("Got an error on Connect with Secure Options: %+v\n", err)
+ }
+ nc.Flush()
+ defer nc.Close()
+
+ // nc.conn = tls.Client(nc.conn, &tls.Config{ServerName: nc.url.String()})
+
+}
From b75c7b1522b8af87bdd9f1407f0158f4bed69b5f Mon Sep 17 00:00:00 2001
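Review bot: In TestTLSConnection (test/tls_test.go) the `tls.Config` near the end sets `ServerName: nurl`, which is the full `nats://host:port/` URL rather than a host name, so a passing run does not show that the server certificate is checked against the expected name; whether the client library replaces this field or skips name verification cannot be told from the hunk. Use the bare host, `ServerName: opts.Host,`, and add a case with a deliberately wrong name that is expected to fail. Separately, the errors from `nc.SubscribeSync` and `sub.QueuedMsgs` are discarded with `_`, and `pool.AddCert` receives `Certificates[0].Leaf` without a nil check, so a setup problem would show up as a panic or a misleading message count instead of a clear test failure.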
From: Derek Collison Date: Fri, 23 Oct 2015 08:43:03 -0700 Subject: [PATCH 03/13] comment out 1.5 only ciphers for now. --- server/opts.go | 5 +++-- server/opts_test.go | 3 --- 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/server/opts.go b/server/opts.go
index 680ced48..def9e41e 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -227,9 +227,10 @@ func parseTLS(tlsm map[string]interface{}, opts *Options) error {
 PreferServerCipherSuites: true,
 MinVersion: tls.VersionTLS12,
 CipherSuites: []uint16{
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ // The SHA384 versions are only in Go1.5
+ // tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ // tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 },
 }
diff --git a/server/opts_test.go b/server/opts_test.go
index 00eef8dc..02e7a487 100644
--- a/server/opts_test.go
+++ b/server/opts_test.go
@@ -120,9 +120,6 @@ func TestTLSConfigFile(t *testing.T) {
 if len(tlsConfig.Certificates) != 1 {
 t.Fatal("Expected 1 certificate")
 }
- if len(tlsConfig.Certificates) < 1 {
- t.Fatalf("Expected certificates")
- }
 cert := tlsConfig.Certificates[0].Leaf
 if err := cert.VerifyHostname("apcera.me:4443"); err != nil {
 t.Fatalf("Could not verify hostname in certificate: %v\n", err)
From eb46d7b05be96b17a0549d9b8930c3517b5cc9ab Mon Sep 17 00:00:00 2001 From: Derek Collison Date: Fri, 23 Oct 2015 08:47:13 -0700 Subject: [PATCH 04/13] Comment ciphers from test too --- server/opts_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/opts_test.go b/server/opts_test.go
index 02e7a487..0f61c975 100644
--- a/server/opts_test.go
+++ b/server/opts_test.go
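Review bot: In the `CipherSuites` list of parseTLS (server/opts.go) the two AES-256-GCM suites are disabled by commenting them out, which removes them for every build, including toolchains where the comment says they exist, and nothing records that they should return. A build-constrained pair of files (`// +build go1.5` and its negation) each defining the list would keep them where available; at minimum add `// TODO: restore the SHA384 suites once Go 1.5 is the minimum supported version`. The expected list is duplicated in TestTLSConfigFile (the PATCH 04 hunk), so sharing one definition would stop the two from drifting. parseTLS starts and ends outside this hunk.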
@@ -102,9 +102,9 @@ func TestTLSConfigFile(t *testing.T) {
 // Now check TLSConfig a bit more closely
 // CipherSuites
 ciphers := []uint16{
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ // tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ // tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 }
 if !reflect.DeepEqual(tlsConfig.CipherSuites, ciphers) {
From 7b866f221588c69a702151f04caf25b9d24698ae Mon Sep 17 00:00:00 2001 From: Derek Collison Date: Thu, 5 Nov 2015 15:33:32 -0800 Subject: [PATCH 05/13] Moving around keys and certs --- server/configs/certs/key.pem | 51 +++++++++++++++++++ server/configs/certs/nats.crt | 88 +++++++++++++++++++++++++++++++++ server/configs/certs/nats.key | 27 ++++++++++ server/configs/certs/server.pem | 31 ++++++++++++ 4 files changed, 197 insertions(+) create mode 100644 server/configs/certs/key.pem create mode 100644 server/configs/certs/nats.crt create mode 100644 server/configs/certs/nats.key create mode 100644 server/configs/certs/server.pem
diff --git a/server/configs/certs/key.pem b/server/configs/certs/key.pem
new file mode 100644
index 00000000..240baa40
--- /dev/null
+++ b/server/configs/certs/key.pem
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJJwIBAAKCAgEAozmlMIBZAr0Om149W5yhZ5UCpjw+viV1oehHhmb51Rrns599 +i7R/ErxXDLGne0uFYFZDp619H77wHG6EHs4ekgnffRjtU0klerlTPRPRpx9bmRL/ +yOqmtlAODU15hSMYCik/LuF8jrm54L+ZUGttERvI1Iz5zbYEzyEuNM0SW8dWxzff +jQMkxPEGoSh+NKOyK6XOtioNuk8s1MxI7yamYRMqRUKYoPwcjxTSLgyAn8DBQrNV +pEAoqVN1SoBCvJ0rQUSiAI2097gOzuRqeWpa+g+wPri+dXJeQoTvvFQVxo5KFXQ6 +HeK1xV6XqaWWeP1/sC+DApfm3QCqpPPoQRyL+Cudl+vgBFo8CO9bg7HB4rChie7y +lt5VUdhjhclBiEkaok4fC1DlrLIuz+Uo4TQ27K8rnLXqAOCGbAb5YlzeroEesSyU +MoVFNNzvhmBbFB9dnU3ZpDUKL8w0n/E2Cje+m87kSKSwa8XdzMlJobqIm1n/wqlv +pV10aKjVNPAqz0ICon4+4oF7wHSfeBZyfAgK28ZyqzjO6t4tEU/iuczr49HYsk4O +KM9z8magTL+stseglmD8S7Eq5qr8UWOllL/GO0e1zFwrETz+9Wr0VlZCUkL+UboY +uvt4no8ycQz7VhcVYJdT0ZjZ+A0TOQ/sJGTdYy2ZRvLXk1LjaDUqNDamoJ8CAwEA +AQKCAgALOuMXpCz7mEBSBjjYfb1JICJvh4OVl4QxYIbTQ3B67f/1Bssfeoqnolem +4u4v+HEzwJulBLWwInXort3eNLY7u/wpYjap3UV73RZSBHQPOIQX0wvQKfzQXE+r +MKJku5Zi1JWpRxBHzZVxVh1ZQBrf63Z00UI6mgRYr+K69UUHFX7t8/UogYfdGOwo +2F1eh8ixYhYHyHrrT5k5BtkZwyH9WdE1tLBFmzLn0Tnouyl6VEu3qBkDVPq3M6vF +NW/iBDo+olc3DIjf5kT2jRaaRev+emfY2OMZt4Wus/C+l1ZsM8v7D+UTu05gRvLO +VDs3FdHcMFimLAdRO0OCV9mp6SnkDA6S9fbnWXT/bJhQhUMfSIzDIyk5fsrTj2XY +CSySUv1y0iL+WzvZA5RBfVVEuVN6MFQPso53wcLL2HhGuto4xi5PW4QEe0+3RjW7 +2Kj1ve+Wc3ZFDf6kOBUc/Jod2b79JA8wqy7gtkBwA3muf7HO2hKmrr0IbYwap8zQ +6+OOVvzxHxe7+IP1KX8l2pRjFhbbpB015BEaCYJuVDOYiJzVCyOZM5pkqUAadkjA +7cF5YOhC7hIaaOKSfObfi/D/dL3o2/KzIl2eiE/pXD1UINPAJMnOIlIMjmxbYRO4 +7QtxCrj7jm4oG+H8mFKqdysNXjtNN2/kbzIDmgz/Kfofx9K4eQKCAQEA0/gwMIme +QhY5EAUOOouTHVC9/ZjL8CD83Q5moEEfUr8lW1nXTNwD4AJBYbObhX20uL0WFECC +R0Wu1PLbNRlfv+3FP3Ut3rwdtrsUgnFZjpEJiLc2biE9RuzPxTELRR9h9IDpYqft +9phE57lYu/IKVxcrhWPOrKeGf6rMPUJXu6Ixy8hSSFiozaVP8+e0M5s1YLJeQw5r +Q3N9SEIhDwr87C0GHa5WVYZbfXCu66l+CZlDevZ78VG3HeN2QImaSxNrKvgLUuEb +r2OhuZzIt8kBwHNpehzGLOELzS97AMKHkwrQMuE5fxhScIO6jHHBs6CJ22RSZ85P +V3NaeAPR+OLh/QKCAQEAxSFmyvVaGCDEB4ysOJv26TbPsb3oOcEO2fuBb++wlLd5 +kLrXkpbJ9BxCHgOpWKQDHaY4lkwx4dZOwJTaNdqQFIhTNeLHmS6dMzS5uNmGZR7E 
+FUKl2yOkEqHa3KRII5JJokZ9KEhtKsjzXJzyj6G4XQoLghUVZPmcY6ycUwtQYDUr +06DM9Wh9ez4Y0jD7ILBGj/GU0mGe92mXSW8pDYN4IU4WZ3gp7jekD43LclYMmzBh +srInd80vWppy2fOlMa7N9n/ryM5ddLbEnD0+zlel+6W1p+3wlCzYy0KbKeUAWu89 +P/UXDEuVeEQqUz8U5N1/Z2C8gDkyCZj5+4eYziwxywKCAQBL+Y88NndU9KYrScSZ +02E9hq0yckvWm9xGV10NX4ocnIqFPaRf1hRFfEl2/Wtm43GdLZj2VVDcvus1RH6x +f5DEODMU1alFRmPYFSH6xyn0YaPrLtABlURjYYnvAe8qLV9sxa/hPpOaaWV5MQPP +CagPIyzkOKvhUoJwzAU8h8TuaeozQm/LoouOegw4Pfpm7OCq8gO7QTXNDV4AQkOb +IrMY6+JfTReAvBGa2oK30R5tzlNThXlTO5jIy7ic1TVKZ4Fn+1QDts+3g5x57Oo8 +hX1tP3C05g9aEqeqObR6xz7Uw3Fway2ykkMqNOzuXe+xtH709fZbYqUpkR0CG0xt +StT5AoIBAEr/6EHzkvF3Fd3hcWygOhKEngR7wiym/OWGQLq7sK0EGSYtT/Mfl3pe +ffE5Z2aoD99p7EGSf6/yf0fZ2iN/Ii4Np8rqmxH2oCxpNPfVGsLCL8v+7Wcwai4E +kmY7wo52C7nHo7p9w7rxdVWZCNgIqUIMnlBBgUBHj26Er30Q4uWXlTMRDKmZtZP8 +Dil6JTFMn6wIN5zLM1XiQILZ3f6cNEpHkVKQbzOIy8x3IB5CCs3IXINGMKnt0MRh +2qx9fC4o2YedJ7HggcHz/12KF6kdw7K4WyKm7k8RuPGsR6hqzfXK67y3nKs63oVB +OfEuIN7qPpywO0d1e0oXf5RpBIP8YH0CggEAMVARycAMd6YFgpQE2fHFq8anZhLS +EJlztsJPEUHapy1YioaFrqTbeiJXW3cikFOly3YX76piqOiF/PlTaxB8VBO9xKMY +gH4GgEsn0ZPe/4p9KmFlXcwvPBDm1plqiZX/bD7jtIddqW6fXKUeQNJ/L4wJZ4Lc +s7viSuDZWrtDNM/Wua2CC61vziPm0FchAF5etrqWBEth6wRQR5XkIKlpS965+zSG +ns6nM7Q71zmbRG2ZzMQlXYIiBeH2XtKtZJ7sSy/8aP1VgWOXGvLHoK2roDEbYLrK +D2E5Q5aQpicZB4d5+eXQiLmS84FomC3rnshhWTGhcl+eSsh5aeJIFm8x+A== +-----END RSA PRIVATE KEY----- diff --git a/server/configs/certs/nats.crt b/server/configs/certs/nats.crt new file mode 100644 index 00000000..f56f9ef9 --- /dev/null +++ b/server/configs/certs/nats.crt 
@@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c8:77:4b:d6:10:0a:9f:f3 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io + Validity + Not Before: Oct 21 12:44:12 2015 GMT + Not After : Oct 20 12:44:12 2016 GMT + Subject: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:a1:e3:36:e3:e4:88:53:e8:b7:37:56:96:c9:a8: + 1d:0a:53:d2:b8:87:96:b3:aa:35:26:f2:e6:20:65: + f2:6a:6f:31:e1:0d:44:82:fc:97:bc:3e:db:c9:25: + 68:ee:81:84:b9:88:49:bf:cc:46:46:68:8c:fa:0e: + 05:9a:3d:0f:cc:90:54:0a:58:ee:3e:85:fe:64:75: + 85:49:17:a1:ed:10:04:6d:34:22:1e:81:d0:ca:4c: + ec:a4:1c:e6:fd:7d:a0:05:b4:3c:e3:5d:e8:32:8e: + a6:04:a6:af:42:cd:09:15:39:12:9b:7c:32:9d:ce: + 3e:06:aa:bf:13:98:36:ff:b1:f7:aa:1d:f1:fe:ba: + 1d:c2:38:86:52:ce:7e:d3:86:44:8c:2f:65:e3:50: + 4a:67:22:e2:39:51:ab:30:0e:e3:a8:ce:c9:9a:d1: + 9f:4c:1c:25:49:da:fa:b7:a1:0f:8e:d6:c0:d6:6d: + 05:22:cc:58:06:fa:7c:4a:b0:b9:ab:d5:e6:0b:60: + 48:ed:cf:c8:46:ab:e1:fa:55:91:88:21:8d:e0:fc: + 21:21:26:3f:a5:9f:b5:95:40:59:27:03:84:3f:2c: + 61:b2:2b:5b:e0:75:5c:fb:70:eb:c3:d3:3a:3a:e8: + 2e:47:7e:3d:51:82:7a:b8:b4:8e:17:ff:e4:0d:fb: + 86:5f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 + X509v3 Authority Key Identifier: + keyid:1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 + DirName:/C=US/ST=California/L=San Francisco/O=Apcera Inc/OU=NATS Testing/CN=apcera.me:4443/emailAddress=derek@nats.io + serial:C8:77:4B:D6:10:0A:9F:F3 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 8c:4c:4a:36:de:84:81:9e:fa:25:0c:50:d1:dd:96:33:34:f9: + 
7a:f2:40:ed:9b:14:af:86:1e:f0:32:bc:03:67:96:fe:34:16: + 2e:92:9b:97:c1:76:93:04:d7:d6:e1:d0:75:66:a2:0e:2b:1a: + 60:ac:df:e6:14:78:ef:32:3a:91:e8:19:4c:e5:25:5b:ee:3f: + 77:5a:30:2e:f1:e2:0b:cb:33:80:af:ec:71:f4:c2:eb:4f:14: + 5a:b4:c7:df:d9:86:7a:ef:23:fc:c2:fd:35:00:e0:77:4c:50: + d3:b7:f6:ca:4b:5b:19:26:6a:8e:53:66:6a:e5:fc:7f:46:54: + 7f:78:ad:98:45:e4:66:9b:78:7b:e4:8e:da:13:50:2c:a1:6b: + 03:6d:a7:36:b9:f8:10:ed:e4:23:02:d8:9f:0f:f7:fe:6e:c8: + 75:58:8d:34:bf:45:52:58:8c:d0:86:09:e4:aa:6d:61:d8:8c: + d1:1d:fb:f1:4c:3d:d5:dc:9e:17:49:d8:2f:8c:b1:34:aa:81: + 93:de:50:c0:f7:c7:17:83:7f:66:a0:d2:c5:8c:63:70:b6:34: + 0b:0a:77:41:41:19:ca:92:8a:ed:02:e6:98:62:e6:66:8f:2f: + 46:16:b6:71:b2:4a:76:15:ba:ce:a8:7a:a1:3a:44:d1:84:12: + b8:61:97:bf +-----BEGIN CERTIFICATE----- +MIIExzCCA6+gAwIBAgIJAMh3S9YQCp/zMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n +MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA +bmF0cy5pbzAeFw0xNTEwMjExMjQ0MTJaFw0xNjEwMjAxMjQ0MTJaMIGdMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j +aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n +MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA +bmF0cy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKHjNuPkiFPo +tzdWlsmoHQpT0riHlrOqNSby5iBl8mpvMeENRIL8l7w+28klaO6BhLmISb/MRkZo +jPoOBZo9D8yQVApY7j6F/mR1hUkXoe0QBG00Ih6B0MpM7KQc5v19oAW0PONd6DKO +pgSmr0LNCRU5Ept8Mp3OPgaqvxOYNv+x96od8f66HcI4hlLOftOGRIwvZeNQSmci +4jlRqzAO46jOyZrRn0wcJUna+rehD47WwNZtBSLMWAb6fEqwuavV5gtgSO3PyEar +4fpVkYghjeD8ISEmP6WftZVAWScDhD8sYbIrW+B1XPtw68PTOjroLkd+PVGCeri0 +jhf/5A37hl8CAwEAAaOCAQYwggECMB0GA1UdDgQWBBQepAFDzxB7GqhHQJATzltm +TLQ7aTCB0gYDVR0jBIHKMIHHgBQepAFDzxB7GqhHQJATzltmTLQ7aaGBo6SBoDCB +nTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh +biBGcmFuY2lzY28xEzARBgNVBAoTCkFwY2VyYSBJbmMxFTATBgNVBAsTDE5BVFMg 
+VGVzdGluZzEXMBUGA1UEAxMOYXBjZXJhLm1lOjQ0NDMxHDAaBgkqhkiG9w0BCQEW +DWRlcmVrQG5hdHMuaW+CCQDId0vWEAqf8zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBBQUAA4IBAQCMTEo23oSBnvolDFDR3ZYzNPl68kDtmxSvhh7wMrwDZ5b+NBYu +kpuXwXaTBNfW4dB1ZqIOKxpgrN/mFHjvMjqR6BlM5SVb7j93WjAu8eILyzOAr+xx +9MLrTxRatMff2YZ67yP8wv01AOB3TFDTt/bKS1sZJmqOU2Zq5fx/RlR/eK2YReRm +m3h75I7aE1AsoWsDbac2ufgQ7eQjAtifD/f+bsh1WI00v0VSWIzQhgnkqm1h2IzR +HfvxTD3V3J4XSdgvjLE0qoGT3lDA98cXg39moNLFjGNwtjQLCndBQRnKkortAuaY +YuZmjy9GFrZxskp2FbrOqHqhOkTRhBK4YZe/ +-----END CERTIFICATE----- diff --git a/server/configs/certs/nats.key b/server/configs/certs/nats.key new file mode 100644 index 00000000..81507bfe --- /dev/null +++ b/server/configs/certs/nats.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAoeM24+SIU+i3N1aWyagdClPSuIeWs6o1JvLmIGXyam8x4Q1E +gvyXvD7bySVo7oGEuYhJv8xGRmiM+g4Fmj0PzJBUCljuPoX+ZHWFSReh7RAEbTQi +HoHQykzspBzm/X2gBbQ8413oMo6mBKavQs0JFTkSm3wync4+Bqq/E5g2/7H3qh3x +/rodwjiGUs5+04ZEjC9l41BKZyLiOVGrMA7jqM7JmtGfTBwlSdr6t6EPjtbA1m0F +IsxYBvp8SrC5q9XmC2BI7c/IRqvh+lWRiCGN4PwhISY/pZ+1lUBZJwOEPyxhsitb +4HVc+3Drw9M6OuguR349UYJ6uLSOF//kDfuGXwIDAQABAoIBABVtHzy2aJzCdk1q +tnZmO8G8Km2l9Ho/Et3e1DqBg742jWF+Ag1cJTETGL/cpbC7j7eGpEwwWzTCbbZC +2Nb7MfYfPCBKeO3piiv9qfBsok/gCNXzSnjDMcE0wTVPZfsy/1UB7/Uf3rWiT7LZ +5ORwgr0+WoodvA1K2MbFHpkXUmAxFevx6reGmWYlx8UPbyS9PfONHt2SfG8wVmcJ +n3qqw5Flywp8uDCTrd8L/yM54onq4RCZ/iSKLphLjOFgWzx2PnuRog4obNJtAlHC +jTcrW1/QCgwU9J2uBfMvzQLWwgU6prlrh20k42UbWknqoozwdSW7N3vEawt3ri5Z +c76wkGECgYEA0xj+AbZ6FyqA5lJbebSZs1KpBsgcJK5LI/XAvKnlLNnKXIi5uT2l +SM37j9/G5BhnrOIUuc756WJrX5CTqkXHvc5eINO1sR4o1uTf3H44JKWXFBanzdvO +DXI11a0810AbJEiXqz7e/ldEovVsBWJCMtv+F7j7TCNG4qlPMa7xhCcCgYEAxFKP +mR2nHlvFJQYUkiGRpTYg82utNiQhifwGUjZK0kBeMXH10fL2K1KOx/OfrlTOQmyN +OC/db88sFtsh0sD44SzkAUS0iP8FWlWYrm+ZLWc1xkOaOcDE294p+BgX3xxTLKWK +dO9gKsG5MxscZ8yTvX67jRmfeiRAlVr8bPOKtwkCgYAWSH8XozGEHIJ6zZrGYCAR +Y9pf0uPVo2hfJWPxBmYgs+S+m9gvC6jU5Jl3eIHANitLfpn9ezG6Rx9aeSJ9SNxq +1svs3yxAxBQ/iu1ukwxOIgSupC2Wd2tq0/GG2sCfYC79R4RrGTnk00V1hj6e2t5u +C/bofihYwyiKaKDpd7Qa5QKBgBt3dZG1fVkY+8cHR79+JNNZdFi6Gty1R1/3u6aq +4+LwkH0YdYzvEhPTlBhTdGa+hLD0YPmYcMGg2YlFFUFYMDnIvwmSZDO6gjQ2P4tA +H80jYHmhoaUs3B3qwjJspIJZgyV+75UWnHy+57tHsryu+YiMf47pI8/B3KtItIJF +vIWJAoGAXoQbPCdxl//vVxvlnKl8TTlaW0GYJk+GAow6V3s/nMmMQKlFuurZpHcT +cmYkpTbTOgVhhmgqr8Iw7qIRS95NzfjbsV6wzbFJZNI/pU5tJAtcFgsmaTA5Uxck +BQZmojzJgiQ1cZT9BCKAeuwi5G/tKyJzA6Q1zSbSs8HrHV1BU98= +-----END RSA PRIVATE KEY----- diff --git a/server/configs/certs/server.pem b/server/configs/certs/server.pem new file mode 100644 index 00000000..8bf518d6 --- /dev/null +++ b/server/configs/certs/server.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFQTCCAymgAwIBAgIJAMBAkt0mj5R8MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoTCkFwY2VyYSBJbmMxEDAOBgNVBAsTB25hdHMuaW8xEjAQBgNVBAMTCWxv +Y2FsaG9zdDEcMBoGCSqGSIb3DQEJARYNZGVyZWtAbmF0cy5pbzAeFw0xNTExMDUx +NzE3MjZaFw0xOTExMDQxNzE3MjZaMBQxEjAQBgNVBAMTCWxvY2FsaG9zdDCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKM5pTCAWQK9DptePVucoWeVAqY8 +Pr4ldaHoR4Zm+dUa57OffYu0fxK8Vwyxp3tLhWBWQ6etfR++8BxuhB7OHpIJ330Y +7VNJJXq5Uz0T0acfW5kS/8jqprZQDg1NeYUjGAopPy7hfI65ueC/mVBrbREbyNSM ++c22BM8hLjTNElvHVsc3340DJMTxBqEofjSjsiulzrYqDbpPLNTMSO8mpmETKkVC +mKD8HI8U0i4MgJ/AwUKzVaRAKKlTdUqAQrydK0FEogCNtPe4Ds7kanlqWvoPsD64 +vnVyXkKE77xUFcaOShV0Oh3itcVel6mllnj9f7AvgwKX5t0AqqTz6EEci/grnZfr +4ARaPAjvW4OxweKwoYnu8pbeVVHYY4XJQYhJGqJOHwtQ5ayyLs/lKOE0NuyvK5y1 +6gDghmwG+WJc3q6BHrEslDKFRTTc74ZgWxQfXZ1N2aQ1Ci/MNJ/xNgo3vpvO5Eik +sGvF3czJSaG6iJtZ/8Kpb6VddGio1TTwKs9CAqJ+PuKBe8B0n3gWcnwICtvGcqs4 +zureLRFP4rnM6+PR2LJODijPc/JmoEy/rLbHoJZg/EuxKuaq/FFjpZS/xjtHtcxc +KxE8/vVq9FZWQlJC/lG6GLr7eJ6PMnEM+1YXFWCXU9GY2fgNEzkP7CRk3WMtmUby +15NS42g1KjQ2pqCfAgMBAAGjHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA +ATANBgkqhkiG9w0BAQsFAAOCAgEAC7q54dnr9ESCQZrVn+47hZcfweukjJAjgTr6 +7lj2yM6AAe2JaK6kds8uXfluxkJQxtLz7PdA0DDLDlAphx3Qx1ss86mcRuhNZWob +GAsKH4GM0y+d2U7ar8GpQRaJXdgRGlKOxgEZ2pyagY4I4dwn/0M35ccHaySz2Xx2 +zfNcIIt8Z1B29BmdNGfI+EfUTFkfyqovjh4mFuLEFsCNyluYKYagN4A7P5NEJpUF +/8wf9c6suJCzIjtBkWLOs95syDy1vw92x29vDQClArPksM6G4ReLYUXoygT9y2SI +URPRYYVjGupDcXD989yVIYNYkert6Ib3Cf2wlvvgXe4c3QnT3Rm7jg2RvR7B73Fc +j4EqnOGvI5XGQPFHYBzSJPs9sVVP9b8c7G/SpMTCdd3hK5idOkBAS3WOecnvE23t +JSHQvdegenEFL0yXYe6Rhag1Bj9Q01QizwCBDwoH3Pfvi5ZAHEXW253n6bD3p6OK +NuzoCzSFZBfrzFP4V/2VUtUYKudQ3bJMKKP2snvPyphG/UmGGfZUXb/kVA19Mpd4 +TMIaZD7dgo3toXXygPyWzyblRcvMY2UUWM5n43f6JEovFfxEvagErbAbJvCzR1XW +N441LebEnCrYf8XslEsulKd7nGZioi31M4971rtoawpD29HBAlNWHKBR2k4hh90F +laaNJWY= +-----END CERTIFICATE----- 
From a579687e95486259ce412dc2619bf95cfc13007e Mon Sep 17 00:00:00 2001 From: Derek Collison Date: Thu, 5 Nov 2015 15:34:47 -0800 Subject: [PATCH 06/13] Removed old cert --- server/configs/certs/nats.crt | 88 ----------------------------------- server/configs/certs/nats.key | 27 ----------- 2 files changed, 115 deletions(-) delete mode 100644 server/configs/certs/nats.crt delete mode 100644 server/configs/certs/nats.key diff --git a/server/configs/certs/nats.crt b/server/configs/certs/nats.crt deleted file mode 100644 index f56f9ef9..00000000 --- a/server/configs/certs/nats.crt +++ /dev/null 
@@ -1,88 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - c8:77:4b:d6:10:0a:9f:f3 - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io - Validity - Not Before: Oct 21 12:44:12 2015 GMT - Not After : Oct 20 12:44:12 2016 GMT - Subject: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:a1:e3:36:e3:e4:88:53:e8:b7:37:56:96:c9:a8: - 1d:0a:53:d2:b8:87:96:b3:aa:35:26:f2:e6:20:65: - f2:6a:6f:31:e1:0d:44:82:fc:97:bc:3e:db:c9:25: - 68:ee:81:84:b9:88:49:bf:cc:46:46:68:8c:fa:0e: - 05:9a:3d:0f:cc:90:54:0a:58:ee:3e:85:fe:64:75: - 85:49:17:a1:ed:10:04:6d:34:22:1e:81:d0:ca:4c: - ec:a4:1c:e6:fd:7d:a0:05:b4:3c:e3:5d:e8:32:8e: - a6:04:a6:af:42:cd:09:15:39:12:9b:7c:32:9d:ce: - 3e:06:aa:bf:13:98:36:ff:b1:f7:aa:1d:f1:fe:ba: - 1d:c2:38:86:52:ce:7e:d3:86:44:8c:2f:65:e3:50: - 4a:67:22:e2:39:51:ab:30:0e:e3:a8:ce:c9:9a:d1: - 9f:4c:1c:25:49:da:fa:b7:a1:0f:8e:d6:c0:d6:6d: - 05:22:cc:58:06:fa:7c:4a:b0:b9:ab:d5:e6:0b:60: - 48:ed:cf:c8:46:ab:e1:fa:55:91:88:21:8d:e0:fc: - 21:21:26:3f:a5:9f:b5:95:40:59:27:03:84:3f:2c: - 61:b2:2b:5b:e0:75:5c:fb:70:eb:c3:d3:3a:3a:e8: - 2e:47:7e:3d:51:82:7a:b8:b4:8e:17:ff:e4:0d:fb: - 86:5f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 - X509v3 Authority Key Identifier: - keyid:1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 - DirName:/C=US/ST=California/L=San Francisco/O=Apcera Inc/OU=NATS Testing/CN=apcera.me:4443/emailAddress=derek@nats.io - serial:C8:77:4B:D6:10:0A:9F:F3 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 8c:4c:4a:36:de:84:81:9e:fa:25:0c:50:d1:dd:96:33:34:f9: - 
7a:f2:40:ed:9b:14:af:86:1e:f0:32:bc:03:67:96:fe:34:16: - 2e:92:9b:97:c1:76:93:04:d7:d6:e1:d0:75:66:a2:0e:2b:1a: - 60:ac:df:e6:14:78:ef:32:3a:91:e8:19:4c:e5:25:5b:ee:3f: - 77:5a:30:2e:f1:e2:0b:cb:33:80:af:ec:71:f4:c2:eb:4f:14: - 5a:b4:c7:df:d9:86:7a:ef:23:fc:c2:fd:35:00:e0:77:4c:50: - d3:b7:f6:ca:4b:5b:19:26:6a:8e:53:66:6a:e5:fc:7f:46:54: - 7f:78:ad:98:45:e4:66:9b:78:7b:e4:8e:da:13:50:2c:a1:6b: - 03:6d:a7:36:b9:f8:10:ed:e4:23:02:d8:9f:0f:f7:fe:6e:c8: - 75:58:8d:34:bf:45:52:58:8c:d0:86:09:e4:aa:6d:61:d8:8c: - d1:1d:fb:f1:4c:3d:d5:dc:9e:17:49:d8:2f:8c:b1:34:aa:81: - 93:de:50:c0:f7:c7:17:83:7f:66:a0:d2:c5:8c:63:70:b6:34: - 0b:0a:77:41:41:19:ca:92:8a:ed:02:e6:98:62:e6:66:8f:2f: - 46:16:b6:71:b2:4a:76:15:ba:ce:a8:7a:a1:3a:44:d1:84:12: - b8:61:97:bf ------BEGIN CERTIFICATE----- -MIIExzCCA6+gAwIBAgIJAMh3S9YQCp/zMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j -aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n -MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA -bmF0cy5pbzAeFw0xNTEwMjExMjQ0MTJaFw0xNjEwMjAxMjQ0MTJaMIGdMQswCQYD -VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j -aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n -MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA -bmF0cy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKHjNuPkiFPo -tzdWlsmoHQpT0riHlrOqNSby5iBl8mpvMeENRIL8l7w+28klaO6BhLmISb/MRkZo -jPoOBZo9D8yQVApY7j6F/mR1hUkXoe0QBG00Ih6B0MpM7KQc5v19oAW0PONd6DKO -pgSmr0LNCRU5Ept8Mp3OPgaqvxOYNv+x96od8f66HcI4hlLOftOGRIwvZeNQSmci -4jlRqzAO46jOyZrRn0wcJUna+rehD47WwNZtBSLMWAb6fEqwuavV5gtgSO3PyEar -4fpVkYghjeD8ISEmP6WftZVAWScDhD8sYbIrW+B1XPtw68PTOjroLkd+PVGCeri0 -jhf/5A37hl8CAwEAAaOCAQYwggECMB0GA1UdDgQWBBQepAFDzxB7GqhHQJATzltm -TLQ7aTCB0gYDVR0jBIHKMIHHgBQepAFDzxB7GqhHQJATzltmTLQ7aaGBo6SBoDCB -nTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh -biBGcmFuY2lzY28xEzARBgNVBAoTCkFwY2VyYSBJbmMxFTATBgNVBAsTDE5BVFMg 
-VGVzdGluZzEXMBUGA1UEAxMOYXBjZXJhLm1lOjQ0NDMxHDAaBgkqhkiG9w0BCQEW -DWRlcmVrQG5hdHMuaW+CCQDId0vWEAqf8zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 -DQEBBQUAA4IBAQCMTEo23oSBnvolDFDR3ZYzNPl68kDtmxSvhh7wMrwDZ5b+NBYu -kpuXwXaTBNfW4dB1ZqIOKxpgrN/mFHjvMjqR6BlM5SVb7j93WjAu8eILyzOAr+xx -9MLrTxRatMff2YZ67yP8wv01AOB3TFDTt/bKS1sZJmqOU2Zq5fx/RlR/eK2YReRm -m3h75I7aE1AsoWsDbac2ufgQ7eQjAtifD/f+bsh1WI00v0VSWIzQhgnkqm1h2IzR -HfvxTD3V3J4XSdgvjLE0qoGT3lDA98cXg39moNLFjGNwtjQLCndBQRnKkortAuaY -YuZmjy9GFrZxskp2FbrOqHqhOkTRhBK4YZe/ ------END CERTIFICATE----- diff --git a/server/configs/certs/nats.key b/server/configs/certs/nats.key deleted file mode 100644 index 81507bfe..00000000 --- a/server/configs/certs/nats.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAoeM24+SIU+i3N1aWyagdClPSuIeWs6o1JvLmIGXyam8x4Q1E -gvyXvD7bySVo7oGEuYhJv8xGRmiM+g4Fmj0PzJBUCljuPoX+ZHWFSReh7RAEbTQi -HoHQykzspBzm/X2gBbQ8413oMo6mBKavQs0JFTkSm3wync4+Bqq/E5g2/7H3qh3x -/rodwjiGUs5+04ZEjC9l41BKZyLiOVGrMA7jqM7JmtGfTBwlSdr6t6EPjtbA1m0F -IsxYBvp8SrC5q9XmC2BI7c/IRqvh+lWRiCGN4PwhISY/pZ+1lUBZJwOEPyxhsitb -4HVc+3Drw9M6OuguR349UYJ6uLSOF//kDfuGXwIDAQABAoIBABVtHzy2aJzCdk1q -tnZmO8G8Km2l9Ho/Et3e1DqBg742jWF+Ag1cJTETGL/cpbC7j7eGpEwwWzTCbbZC -2Nb7MfYfPCBKeO3piiv9qfBsok/gCNXzSnjDMcE0wTVPZfsy/1UB7/Uf3rWiT7LZ -5ORwgr0+WoodvA1K2MbFHpkXUmAxFevx6reGmWYlx8UPbyS9PfONHt2SfG8wVmcJ -n3qqw5Flywp8uDCTrd8L/yM54onq4RCZ/iSKLphLjOFgWzx2PnuRog4obNJtAlHC -jTcrW1/QCgwU9J2uBfMvzQLWwgU6prlrh20k42UbWknqoozwdSW7N3vEawt3ri5Z -c76wkGECgYEA0xj+AbZ6FyqA5lJbebSZs1KpBsgcJK5LI/XAvKnlLNnKXIi5uT2l -SM37j9/G5BhnrOIUuc756WJrX5CTqkXHvc5eINO1sR4o1uTf3H44JKWXFBanzdvO -DXI11a0810AbJEiXqz7e/ldEovVsBWJCMtv+F7j7TCNG4qlPMa7xhCcCgYEAxFKP -mR2nHlvFJQYUkiGRpTYg82utNiQhifwGUjZK0kBeMXH10fL2K1KOx/OfrlTOQmyN -OC/db88sFtsh0sD44SzkAUS0iP8FWlWYrm+ZLWc1xkOaOcDE294p+BgX3xxTLKWK -dO9gKsG5MxscZ8yTvX67jRmfeiRAlVr8bPOKtwkCgYAWSH8XozGEHIJ6zZrGYCAR -Y9pf0uPVo2hfJWPxBmYgs+S+m9gvC6jU5Jl3eIHANitLfpn9ezG6Rx9aeSJ9SNxq -1svs3yxAxBQ/iu1ukwxOIgSupC2Wd2tq0/GG2sCfYC79R4RrGTnk00V1hj6e2t5u -C/bofihYwyiKaKDpd7Qa5QKBgBt3dZG1fVkY+8cHR79+JNNZdFi6Gty1R1/3u6aq -4+LwkH0YdYzvEhPTlBhTdGa+hLD0YPmYcMGg2YlFFUFYMDnIvwmSZDO6gjQ2P4tA -H80jYHmhoaUs3B3qwjJspIJZgyV+75UWnHy+57tHsryu+YiMf47pI8/B3KtItIJF -vIWJAoGAXoQbPCdxl//vVxvlnKl8TTlaW0GYJk+GAow6V3s/nMmMQKlFuurZpHcT -cmYkpTbTOgVhhmgqr8Iw7qIRS95NzfjbsV6wzbFJZNI/pU5tJAtcFgsmaTA5Uxck -BQZmojzJgiQ1cZT9BCKAeuwi5G/tKyJzA6Q1zSbSs8HrHV1BU98= ------END RSA PRIVATE KEY----- From ec258ac18df84a631807af690f599dc128630565 Mon Sep 17 00:00:00 2001 
From: Derek Collison Date: Thu, 5 Nov 2015 15:35:50 -0800 Subject: [PATCH 07/13] Moved certs and changed to simple hostname --- server/configs/{tls/test.conf => tls.conf} | 4 +- server/configs/tls/certs/nats.crt | 88 ---------------------- server/configs/tls/certs/nats.key | 27 ------- server/opts_test.go | 4 +- 4 files changed, 4 insertions(+), 119 deletions(-) rename server/configs/{tls/test.conf => tls.conf} (62%) delete mode 100644 server/configs/tls/certs/nats.crt delete mode 100644 server/configs/tls/certs/nats.key diff --git a/server/configs/tls/test.conf b/server/configs/tls.conf similarity index 62% rename from server/configs/tls/test.conf rename to server/configs/tls.conf index 85880f19..54fe8788 100644 --- a/server/configs/tls/test.conf +++ b/server/configs/tls.conf @@ -5,8 +5,8 @@ port: 4443 net: apcera.me # net interface tls { - cert_file: "./configs/tls/certs/nats.crt" - key_file: "./configs/tls/certs/nats.key" + cert_file: "./configs/certs/server.pem" + key_file: "./configs/certs/key.pem" } authorization { diff --git a/server/configs/tls/certs/nats.crt b/server/configs/tls/certs/nats.crt deleted file mode 100644 index f56f9ef9..00000000 --- a/server/configs/tls/certs/nats.crt +++ /dev/null 
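Review bot: The `net: apcera.me` context line just above `tls {` in server/configs/tls.conf is left unchanged, while this patch points `cert_file`/`key_file` at a certificate that the updated TestTLSConfigFile verifies for `localhost`. A client that connects to the configured host and checks the name would presumably reject that certificate, so the listen host and the certificate name should agree, e.g. `net: localhost`. If the mismatch is acceptable because this file is only parsed and never served, a comment in the config saying so would keep it from being copied as a working example.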
@@ -1,88 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - c8:77:4b:d6:10:0a:9f:f3 - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io - Validity - Not Before: Oct 21 12:44:12 2015 GMT - Not After : Oct 20 12:44:12 2016 GMT - Subject: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:a1:e3:36:e3:e4:88:53:e8:b7:37:56:96:c9:a8: - 1d:0a:53:d2:b8:87:96:b3:aa:35:26:f2:e6:20:65: - f2:6a:6f:31:e1:0d:44:82:fc:97:bc:3e:db:c9:25: - 68:ee:81:84:b9:88:49:bf:cc:46:46:68:8c:fa:0e: - 05:9a:3d:0f:cc:90:54:0a:58:ee:3e:85:fe:64:75: - 85:49:17:a1:ed:10:04:6d:34:22:1e:81:d0:ca:4c: - ec:a4:1c:e6:fd:7d:a0:05:b4:3c:e3:5d:e8:32:8e: - a6:04:a6:af:42:cd:09:15:39:12:9b:7c:32:9d:ce: - 3e:06:aa:bf:13:98:36:ff:b1:f7:aa:1d:f1:fe:ba: - 1d:c2:38:86:52:ce:7e:d3:86:44:8c:2f:65:e3:50: - 4a:67:22:e2:39:51:ab:30:0e:e3:a8:ce:c9:9a:d1: - 9f:4c:1c:25:49:da:fa:b7:a1:0f:8e:d6:c0:d6:6d: - 05:22:cc:58:06:fa:7c:4a:b0:b9:ab:d5:e6:0b:60: - 48:ed:cf:c8:46:ab:e1:fa:55:91:88:21:8d:e0:fc: - 21:21:26:3f:a5:9f:b5:95:40:59:27:03:84:3f:2c: - 61:b2:2b:5b:e0:75:5c:fb:70:eb:c3:d3:3a:3a:e8: - 2e:47:7e:3d:51:82:7a:b8:b4:8e:17:ff:e4:0d:fb: - 86:5f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 - X509v3 Authority Key Identifier: - keyid:1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 - DirName:/C=US/ST=California/L=San Francisco/O=Apcera Inc/OU=NATS Testing/CN=apcera.me:4443/emailAddress=derek@nats.io - serial:C8:77:4B:D6:10:0A:9F:F3 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 8c:4c:4a:36:de:84:81:9e:fa:25:0c:50:d1:dd:96:33:34:f9: - 
7a:f2:40:ed:9b:14:af:86:1e:f0:32:bc:03:67:96:fe:34:16: - 2e:92:9b:97:c1:76:93:04:d7:d6:e1:d0:75:66:a2:0e:2b:1a: - 60:ac:df:e6:14:78:ef:32:3a:91:e8:19:4c:e5:25:5b:ee:3f: - 77:5a:30:2e:f1:e2:0b:cb:33:80:af:ec:71:f4:c2:eb:4f:14: - 5a:b4:c7:df:d9:86:7a:ef:23:fc:c2:fd:35:00:e0:77:4c:50: - d3:b7:f6:ca:4b:5b:19:26:6a:8e:53:66:6a:e5:fc:7f:46:54: - 7f:78:ad:98:45:e4:66:9b:78:7b:e4:8e:da:13:50:2c:a1:6b: - 03:6d:a7:36:b9:f8:10:ed:e4:23:02:d8:9f:0f:f7:fe:6e:c8: - 75:58:8d:34:bf:45:52:58:8c:d0:86:09:e4:aa:6d:61:d8:8c: - d1:1d:fb:f1:4c:3d:d5:dc:9e:17:49:d8:2f:8c:b1:34:aa:81: - 93:de:50:c0:f7:c7:17:83:7f:66:a0:d2:c5:8c:63:70:b6:34: - 0b:0a:77:41:41:19:ca:92:8a:ed:02:e6:98:62:e6:66:8f:2f: - 46:16:b6:71:b2:4a:76:15:ba:ce:a8:7a:a1:3a:44:d1:84:12: - b8:61:97:bf ------BEGIN CERTIFICATE----- -MIIExzCCA6+gAwIBAgIJAMh3S9YQCp/zMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j -aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n -MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA -bmF0cy5pbzAeFw0xNTEwMjExMjQ0MTJaFw0xNjEwMjAxMjQ0MTJaMIGdMQswCQYD -VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j -aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n -MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA -bmF0cy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKHjNuPkiFPo -tzdWlsmoHQpT0riHlrOqNSby5iBl8mpvMeENRIL8l7w+28klaO6BhLmISb/MRkZo -jPoOBZo9D8yQVApY7j6F/mR1hUkXoe0QBG00Ih6B0MpM7KQc5v19oAW0PONd6DKO -pgSmr0LNCRU5Ept8Mp3OPgaqvxOYNv+x96od8f66HcI4hlLOftOGRIwvZeNQSmci -4jlRqzAO46jOyZrRn0wcJUna+rehD47WwNZtBSLMWAb6fEqwuavV5gtgSO3PyEar -4fpVkYghjeD8ISEmP6WftZVAWScDhD8sYbIrW+B1XPtw68PTOjroLkd+PVGCeri0 -jhf/5A37hl8CAwEAAaOCAQYwggECMB0GA1UdDgQWBBQepAFDzxB7GqhHQJATzltm -TLQ7aTCB0gYDVR0jBIHKMIHHgBQepAFDzxB7GqhHQJATzltmTLQ7aaGBo6SBoDCB -nTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh -biBGcmFuY2lzY28xEzARBgNVBAoTCkFwY2VyYSBJbmMxFTATBgNVBAsTDE5BVFMg 
-VGVzdGluZzEXMBUGA1UEAxMOYXBjZXJhLm1lOjQ0NDMxHDAaBgkqhkiG9w0BCQEW -DWRlcmVrQG5hdHMuaW+CCQDId0vWEAqf8zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 -DQEBBQUAA4IBAQCMTEo23oSBnvolDFDR3ZYzNPl68kDtmxSvhh7wMrwDZ5b+NBYu -kpuXwXaTBNfW4dB1ZqIOKxpgrN/mFHjvMjqR6BlM5SVb7j93WjAu8eILyzOAr+xx -9MLrTxRatMff2YZ67yP8wv01AOB3TFDTt/bKS1sZJmqOU2Zq5fx/RlR/eK2YReRm -m3h75I7aE1AsoWsDbac2ufgQ7eQjAtifD/f+bsh1WI00v0VSWIzQhgnkqm1h2IzR -HfvxTD3V3J4XSdgvjLE0qoGT3lDA98cXg39moNLFjGNwtjQLCndBQRnKkortAuaY -YuZmjy9GFrZxskp2FbrOqHqhOkTRhBK4YZe/ ------END CERTIFICATE----- diff --git a/server/configs/tls/certs/nats.key b/server/configs/tls/certs/nats.key deleted file mode 100644 index 81507bfe..00000000 --- a/server/configs/tls/certs/nats.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAoeM24+SIU+i3N1aWyagdClPSuIeWs6o1JvLmIGXyam8x4Q1E -gvyXvD7bySVo7oGEuYhJv8xGRmiM+g4Fmj0PzJBUCljuPoX+ZHWFSReh7RAEbTQi -HoHQykzspBzm/X2gBbQ8413oMo6mBKavQs0JFTkSm3wync4+Bqq/E5g2/7H3qh3x -/rodwjiGUs5+04ZEjC9l41BKZyLiOVGrMA7jqM7JmtGfTBwlSdr6t6EPjtbA1m0F -IsxYBvp8SrC5q9XmC2BI7c/IRqvh+lWRiCGN4PwhISY/pZ+1lUBZJwOEPyxhsitb -4HVc+3Drw9M6OuguR349UYJ6uLSOF//kDfuGXwIDAQABAoIBABVtHzy2aJzCdk1q -tnZmO8G8Km2l9Ho/Et3e1DqBg742jWF+Ag1cJTETGL/cpbC7j7eGpEwwWzTCbbZC -2Nb7MfYfPCBKeO3piiv9qfBsok/gCNXzSnjDMcE0wTVPZfsy/1UB7/Uf3rWiT7LZ -5ORwgr0+WoodvA1K2MbFHpkXUmAxFevx6reGmWYlx8UPbyS9PfONHt2SfG8wVmcJ -n3qqw5Flywp8uDCTrd8L/yM54onq4RCZ/iSKLphLjOFgWzx2PnuRog4obNJtAlHC -jTcrW1/QCgwU9J2uBfMvzQLWwgU6prlrh20k42UbWknqoozwdSW7N3vEawt3ri5Z -c76wkGECgYEA0xj+AbZ6FyqA5lJbebSZs1KpBsgcJK5LI/XAvKnlLNnKXIi5uT2l -SM37j9/G5BhnrOIUuc756WJrX5CTqkXHvc5eINO1sR4o1uTf3H44JKWXFBanzdvO -DXI11a0810AbJEiXqz7e/ldEovVsBWJCMtv+F7j7TCNG4qlPMa7xhCcCgYEAxFKP -mR2nHlvFJQYUkiGRpTYg82utNiQhifwGUjZK0kBeMXH10fL2K1KOx/OfrlTOQmyN -OC/db88sFtsh0sD44SzkAUS0iP8FWlWYrm+ZLWc1xkOaOcDE294p+BgX3xxTLKWK -dO9gKsG5MxscZ8yTvX67jRmfeiRAlVr8bPOKtwkCgYAWSH8XozGEHIJ6zZrGYCAR -Y9pf0uPVo2hfJWPxBmYgs+S+m9gvC6jU5Jl3eIHANitLfpn9ezG6Rx9aeSJ9SNxq -1svs3yxAxBQ/iu1ukwxOIgSupC2Wd2tq0/GG2sCfYC79R4RrGTnk00V1hj6e2t5u -C/bofihYwyiKaKDpd7Qa5QKBgBt3dZG1fVkY+8cHR79+JNNZdFi6Gty1R1/3u6aq -4+LwkH0YdYzvEhPTlBhTdGa+hLD0YPmYcMGg2YlFFUFYMDnIvwmSZDO6gjQ2P4tA -H80jYHmhoaUs3B3qwjJspIJZgyV+75UWnHy+57tHsryu+YiMf47pI8/B3KtItIJF -vIWJAoGAXoQbPCdxl//vVxvlnKl8TTlaW0GYJk+GAow6V3s/nMmMQKlFuurZpHcT -cmYkpTbTOgVhhmgqr8Iw7qIRS95NzfjbsV6wzbFJZNI/pU5tJAtcFgsmaTA5Uxck -BQZmojzJgiQ1cZT9BCKAeuwi5G/tKyJzA6Q1zSbSs8HrHV1BU98= ------END RSA PRIVATE KEY----- diff --git a/server/opts_test.go b/server/opts_test.go index 0f61c975..a1b0cefc 100644 --- a/server/opts_test.go +++ b/server/opts_test.go 
@@ -86,7 +86,7 @@ func TestTLSConfigFile(t *testing.T) { Password: "buckley", AuthTimeout: 1.0, } - opts, err := ProcessConfigFile("./configs/tls/test.conf") + opts, err := ProcessConfigFile("./configs/tls.conf") if err != nil { t.Fatalf("Received an error reading config file: %v\n", err) } @@ -121,7 +121,7 @@ func TestTLSConfigFile(t *testing.T) { t.Fatal("Expected 1 certificate") } cert := tlsConfig.Certificates[0].Leaf - if err := cert.VerifyHostname("apcera.me:4443"); err != nil { + if err := cert.VerifyHostname("localhost"); err != nil { t.Fatalf("Could not verify hostname in certificate: %v\n", err) } } From a7b74468dd193bfd7dcd257cf0228d6c96c82c2d Mon Sep 17 00:00:00 2001 From: Derek Collison Date: Thu, 5 Nov 2015 18:09:07 -0800 Subject: [PATCH 08/13] more cleanup --- test/configs/certs/ca.pem | 38 +++++++++++++ test/configs/certs/localhost.crt | 89 ------------------------------ test/configs/certs/localhost.key | 27 --------- test/configs/certs/nats.crt | 88 ----------------------------- test/configs/certs/nats.key | 27 --------- test/configs/certs/server-cert.pem | 31 +++++++++++ test/configs/certs/server-key.pem | 51 +++++++++++++++++ test/configs/tls.conf | 5 +- test/opts_test.go | 2 - test/tls_test.go | 31 ++++++----- 10 files changed, 139 insertions(+), 250 deletions(-) create mode 100644 test/configs/certs/ca.pem delete mode 100644 test/configs/certs/localhost.crt delete mode 100644 test/configs/certs/localhost.key delete mode 100644 test/configs/certs/nats.crt delete mode 100644 test/configs/certs/nats.key create mode 100644 test/configs/certs/server-cert.pem create mode 100644 test/configs/certs/server-key.pem diff --git a/test/configs/certs/ca.pem b/test/configs/certs/ca.pem new file mode 100644 index 00000000..17447f94 --- /dev/null +++ b/test/configs/certs/ca.pem 
@@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIGjzCCBHegAwIBAgIJAKT2W9SKY7o4MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoTCkFwY2VyYSBJbmMxEDAOBgNVBAsTB25hdHMuaW8xEjAQBgNVBAMTCWxv +Y2FsaG9zdDEcMBoGCSqGSIb3DQEJARYNZGVyZWtAbmF0cy5pbzAeFw0xNTExMDUy +MzA2MTdaFw0xOTExMDQyMzA2MTdaMIGLMQswCQYDVQQGEwJVUzELMAkGA1UECBMC +Q0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAoTCkFwY2VyYSBJbmMx +EDAOBgNVBAsTB25hdHMuaW8xEjAQBgNVBAMTCWxvY2FsaG9zdDEcMBoGCSqGSIb3 +DQEJARYNZGVyZWtAbmF0cy5pbzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBAJOyBvFaREbmO/yaw8UD8u5vSk+Qrwdkfa0iHMo11nkcVtynHNKcgRUTkZBC +xEZILVsuPa+WSUcUc0ej0TmuimrtOjXGn+LD0TrDVz6dd6lBufLXjo1fbUnKUjml +TBYB2h7StDksrBPFnbEOVKN+qb1No4YxfvbJ6EK3xfnsm3dvamnetJugrmQ2EUlu +glPNZDIShu9Fcsiq2hjw+dJ2Erl8kx2/PE8nOdcDG9I4wAM71pw9L1dHGmMOnTsq +opLDVkMNjeIgMPxj5aIhvS8Tcnj16ZNi4h10587vld8fIdz+OgTDFMNi91PgZQmX +9puXraBGi5UEn0ly57IIY+aFkx74jPWgnVYz8w8G+W2GTFYQEVgHcPTJ4aIPjyRd +m/cLelV34TMNCoTXmpIKVBkJY01t2awUYN0AcauhmD1L+ihY2lVk330lxQR11ZQ/ +rjSRpG6jzb6diVK5wpNjsRRt5zJgZr6BMp0LYwJESGjt0sF0zZxixvHu8EctVle4 +zX6NHDic7mf4Wvo4rfnUyCGr7Y3OxB2vakq1fDZ1Di9OzpW/k8i/TE+mPRI5GTZt +lR+c8mBxdV595EKHDxj0gY7PCM3Pe35p3oScWtfbpesTX6a7IL801ZwKKtN+4DOV +mZhwiefztb/9IFPNXiuQnNh7mf7W2ob7SiGYct8iCLLjT64DAgMBAAGjgfMwgfAw +HQYDVR0OBBYEFPDMEiYb7Np2STbm8j9qNj1aAvz2MIHABgNVHSMEgbgwgbWAFPDM +EiYb7Np2STbm8j9qNj1aAvz2oYGRpIGOMIGLMQswCQYDVQQGEwJVUzELMAkGA1UE +CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAoTCkFwY2VyYSBJ +bmMxEDAOBgNVBAsTB25hdHMuaW8xEjAQBgNVBAMTCWxvY2FsaG9zdDEcMBoGCSqG +SIb3DQEJARYNZGVyZWtAbmF0cy5pb4IJAKT2W9SKY7o4MAwGA1UdEwQFMAMBAf8w +DQYJKoZIhvcNAQELBQADggIBAIkoO+svWiudydr4sQNv/XhDvH0GiWMjaI738fAB +sGUKWXarXM9rsRtoQ78iwEBZmusEv0fmJ9hX275aZdduTJt4AnCBVptnSyMJS6K5 +RZF4ZQ3zqT3QOeWepLqszqRZHf+xNfl9JiXZc3pqNhoh1YXPubCgY+TY1XFSrL+u +Wmbs3n56Cede5+dKwMpT9SfQ7nL1pwKihx16vlBGTjjvJ0RE5Tx+0VRcDgbtIF52 +pNlvjg9DL+UqP3S1WR0PcsUss/ygiC1NDegZr+I/04/wEG9Drwk1yPSshWsH90W0 
+7TmLDoWf5caAX62jOJtXbsA9JZ16RnIWy2iZYwg4YdE0rEeMbnDzrRucbyBahMX0 +mKc8C+rroW0TRTrqxYDQTE5gmAghCa9EixcwSTgMH/U6zsRbbY62m9WA5fKfu3n0 +z82+c36ijScHLgppTVosq+kkr/YE84ct56RMsg9esEKTxGxje812OSdHp/i2RzqW +J59yo7KUn1nX7HsFvBVh9D8147J5BxtPztc0GtCQTXFT73nQapJjAd5J+AC5AB4t +ShE+MRD+XIlPB/aMgtzz9Th8UCktVKoPOpFMC0SvFbbINWL/JO1QGhuZLMTKLjQN +QBzjrETAOA9PICpI5hcPtTXz172X+I8/tIEFrZfew0Fdt/oAVcnb659zKiR8EuAq ++Svp +-----END CERTIFICATE----- diff --git a/test/configs/certs/localhost.crt b/test/configs/certs/localhost.crt deleted file mode 100644 index 244fa57d..00000000 --- a/test/configs/certs/localhost.crt +++ /dev/null 
@@ -1,89 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - bf:bc:38:a0:02:6d:12:1f - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=nats://localhost:4443//emailAddress=derek@nats.io - Validity - Not Before: Oct 21 23:34:25 2015 GMT - Not After : Nov 20 23:34:25 2015 GMT - Subject: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=nats://localhost:4443//emailAddress=derek@nats.io - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:c9:21:1f:b0:92:24:09:21:84:35:92:86:9c:88: - c7:7b:1d:24:94:31:f6:e5:1e:0f:75:01:0a:bf:26: - b3:47:3b:f7:2c:07:01:3f:58:54:ec:00:ef:7c:72: - 70:d9:dd:9a:00:4b:3d:5d:69:3a:ca:7f:7a:71:ce: - 88:38:5a:5c:5b:f8:a9:da:fa:db:4a:9c:d1:00:3c: - ae:b4:c4:f3:d0:7a:6a:fc:98:1c:e9:bf:73:13:9e: - 84:8b:2b:84:9f:2e:9a:f6:6f:a6:15:5e:67:38:9d: - 5b:26:86:ed:fa:ba:ba:ac:67:c8:fe:46:b2:d0:b3: - 62:1a:75:f3:ef:13:fb:94:96:8b:52:ee:4f:65:58: - 73:0f:b9:31:ff:2f:ef:af:99:ab:54:7c:5e:cb:a3: - a1:ec:ff:cb:78:96:8c:f3:eb:63:0e:dc:df:c1:69: - e8:4b:0e:0b:b5:83:ab:f5:49:5e:41:c4:68:e3:58: - a6:b0:a4:fa:c0:7e:3a:6d:9a:dc:b4:0f:ef:24:a4: - dc:a1:d2:f4:31:0e:b1:7f:00:37:41:1f:77:c7:07: - a2:9f:bf:07:2e:f7:55:7f:69:58:c2:30:ed:6e:d4: - 6e:27:79:35:59:44:92:0a:ce:9b:25:ff:1f:1e:00: - 2a:70:17:9a:22:d2:1b:b0:c8:63:33:83:91:2f:ca: - e3:cf - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - B7:FA:28:75:23:46:9F:20:38:A7:77:55:24:F4:EC:FA:B2:66:A8:61 - X509v3 Authority Key Identifier: - keyid:B7:FA:28:75:23:46:9F:20:38:A7:77:55:24:F4:EC:FA:B2:66:A8:61 - DirName:/C=US/ST=California/L=San Francisco/O=Apcera Inc/OU=NATS Testing/CN=nats://localhost:4443//emailAddress=derek@nats.io - serial:BF:BC:38:A0:02:6D:12:1F - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 70:63:bd:94:cf:6a:15:05:0a:29:7b:98:e0:40:32:69:90:90: - 
b6:31:02:35:7c:d2:50:01:ee:83:31:a7:db:b2:82:17:3d:46: - 18:08:fb:e6:e0:b2:ba:30:b1:c7:48:85:3a:be:51:fb:4d:9d: - 1b:0c:7f:eb:8b:6d:8a:6d:07:e0:40:d0:af:53:71:8a:86:13: - 0c:9f:59:df:01:84:7f:8c:f3:0d:ed:c4:78:03:6a:79:d8:de: - 3e:68:c7:7f:bb:fa:91:95:15:69:a3:41:51:6e:bf:d9:6a:42: - 7c:a3:4c:62:91:23:d1:e2:b8:26:94:cf:95:01:ee:c0:3f:ec: - 66:99:28:5a:dc:e8:72:89:9c:55:16:e4:69:68:cc:a3:4b:50: - c5:d5:77:a7:9c:e8:7f:d0:d1:91:67:a1:95:3d:43:ba:fb:6b: - 9d:4f:80:35:5c:56:b9:71:ce:04:e0:67:89:89:7d:b2:25:08: - b4:89:44:44:c3:ff:f3:d2:25:9a:72:5f:c4:7b:50:b7:6a:cd: - 20:02:10:61:c3:a9:0c:3c:62:9d:96:68:9b:45:92:83:ba:43: - 48:c5:01:36:4c:fe:ca:e5:35:fd:43:72:57:2d:7d:13:74:94: - bb:08:66:be:92:65:85:1c:f0:8d:c3:06:23:e9:da:3f:2c:2e: - 61:d8:dc:f8 ------BEGIN CERTIFICATE----- -MIIE3zCCA8egAwIBAgIJAL+8OKACbRIfMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD -VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j -aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n -MR8wHQYDVQQDExZuYXRzOi8vbG9jYWxob3N0OjQ0NDMvMRwwGgYJKoZIhvcNAQkB -Fg1kZXJla0BuYXRzLmlvMB4XDTE1MTAyMTIzMzQyNVoXDTE1MTEyMDIzMzQyNVow -gaUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T -YW4gRnJhbmNpc2NvMRMwEQYDVQQKEwpBcGNlcmEgSW5jMRUwEwYDVQQLEwxOQVRT -IFRlc3RpbmcxHzAdBgNVBAMTFm5hdHM6Ly9sb2NhbGhvc3Q6NDQ0My8xHDAaBgkq -hkiG9w0BCQEWDWRlcmVrQG5hdHMuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQDJIR+wkiQJIYQ1koaciMd7HSSUMfblHg91AQq/JrNHO/csBwE/WFTs -AO98cnDZ3ZoASz1daTrKf3pxzog4Wlxb+Kna+ttKnNEAPK60xPPQemr8mBzpv3MT -noSLK4SfLpr2b6YVXmc4nVsmhu36urqsZ8j+RrLQs2IadfPvE/uUlotS7k9lWHMP -uTH/L++vmatUfF7Lo6Hs/8t4lozz62MO3N/BaehLDgu1g6v1SV5BxGjjWKawpPrA -fjptmty0D+8kpNyh0vQxDrF/ADdBH3fHB6Kfvwcu91V/aVjCMO1u1G4neTVZRJIK -zpsl/x8eACpwF5oi0huwyGMzg5EvyuPPAgMBAAGjggEOMIIBCjAdBgNVHQ4EFgQU -t/oodSNGnyA4p3dVJPTs+rJmqGEwgdoGA1UdIwSB0jCBz4AUt/oodSNGnyA4p3dV -JPTs+rJmqGGhgaukgagwgaUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y -bmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKEwpBcGNlcmEgSW5j 
-MRUwEwYDVQQLEwxOQVRTIFRlc3RpbmcxHzAdBgNVBAMTFm5hdHM6Ly9sb2NhbGhv -c3Q6NDQ0My8xHDAaBgkqhkiG9w0BCQEWDWRlcmVrQG5hdHMuaW+CCQC/vDigAm0S -HzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBwY72Uz2oVBQope5jg -QDJpkJC2MQI1fNJQAe6DMafbsoIXPUYYCPvm4LK6MLHHSIU6vlH7TZ0bDH/ri22K -bQfgQNCvU3GKhhMMn1nfAYR/jPMN7cR4A2p52N4+aMd/u/qRlRVpo0FRbr/ZakJ8 -o0xikSPR4rgmlM+VAe7AP+xmmSha3OhyiZxVFuRpaMyjS1DF1XennOh/0NGRZ6GV -PUO6+2udT4A1XFa5cc4E4GeJiX2yJQi0iUREw//z0iWacl/Ee1C3as0gAhBhw6kM -PGKdlmibRZKDukNIxQE2TP7K5TX9Q3JXLX0TdJS7CGa+kmWFHPCNwwYj6do/LC5h -2Nz4 ------END CERTIFICATE----- diff --git a/test/configs/certs/localhost.key b/test/configs/certs/localhost.key deleted file mode 100644 index b872dd58..00000000 --- a/test/configs/certs/localhost.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAySEfsJIkCSGENZKGnIjHex0klDH25R4PdQEKvyazRzv3LAcB -P1hU7ADvfHJw2d2aAEs9XWk6yn96cc6IOFpcW/ip2vrbSpzRADyutMTz0Hpq/Jgc -6b9zE56EiyuEny6a9m+mFV5nOJ1bJobt+rq6rGfI/kay0LNiGnXz7xP7lJaLUu5P -ZVhzD7kx/y/vr5mrVHxey6Oh7P/LeJaM8+tjDtzfwWnoSw4LtYOr9UleQcRo41im -sKT6wH46bZrctA/vJKTcodL0MQ6xfwA3QR93xwein78HLvdVf2lYwjDtbtRuJ3k1 -WUSSCs6bJf8fHgAqcBeaItIbsMhjM4ORL8rjzwIDAQABAoIBAQDGbomnWOd4orqf -aCqqsT+ttTjrhMgDkD7LvvVtVa82rnDT3S1b47gVB28/pmC0ca+IbrLiP/mi41ZY -hd1bS7snehOKWkiUOlbxFu1+p3msy7pV73VHIH1Wc+Rsscisi/yS+eAv4O2Rq53M -Sv7rieK2ScbBJ9svkGtPk+PQkjR5iLTThpQYSZGlMkBXhzBC8AhYzjx55fSAgW5R -QkMSWzGsNiO6H2yszoSBAsGz9n0ntkI4njOPRAJTYOxLr8WsZksaaBNJxEmVKpOp -f9xSpXTHadNPTdE2X6pbrcyXKv0lV1QNWAUCw/Gy/nnDasCxBfaQQF0L0iQkZXRf -KRzZwjyBAoGBAPHCjlcthYCa4j1FABGptbNcj9mqK40tNGx7ySw70e2IipW1VimO -570PdPMS7LobNqH3IOJl4aFW5YCNBArXwCYZ9Pk9Gq+l5uREBaOv85vK1+mbTeOW -NHkFS/dlrvr2FkCyqmStAZ9U0v3rJ9mDIor/cL9Ahmu77HxwU2M5qobhAoGBANT5 -6ILkkb7nQ390MkqL94O4ZAnCNO4Kk+v9tenqBGVBHR293FXmXegGkHMYSWUF2C4r -cjKDUcA2yTZ/Y2IWzGj2d1vR5ygB1KlBhX4vVIP/jKcDkQJiqnQIj8VqswqI8UNE -8pkKrdDEoa4GjWw3hDtE4c/KD2EoD+pjAM99PrCvAoGAOy1ufjRsW2CORIUhUTGD -gpYDuDoJUxNfo7ZhNeympEgp9B9hKecLHqIr9FwLijqjEt5VNFXP9xg4MVFTTfwl -0q3D40Zrw9cOP43O+5RUQyxR0aLsW+smiQEc6UAApvmZ1NhnESGwJfozc2geZwXM -bM2+IXJ/9NsZNhSgtMcm0MECgYAsVEwSGpM/ghFpkPz6yUFemF2yLksoFOmPIELi -CkSZ8sCltSQMeSOorN0aJ773GQ1TJtXhL7YvZPfisQc1nnszicF0Si9sA12JUUsA -5ccYpnNXPAXN0k2aU0HhnIDhu3lEQDCirDdbkeH5QAHluXR7ha3euzcSSO1vIuZD -SdVnnwKBgEitmCzRIFb2PYTkJnjcaXuXXdZzVZtx0s2rNSKqQyRGK5lQ3tqVibHI -ddtkUZayQfcc6f9ZFd8Qof83skgLYEjeYQCn2FTV/NfZ2I0scgG7PSZ0iQmFUt8h -fzdtNAJ4ERhVJ8nJe4MLKgLGGkpNokq+mFSnC9BSVeIVbnx8QfQX ------END RSA PRIVATE KEY----- diff --git a/test/configs/certs/nats.crt b/test/configs/certs/nats.crt deleted file mode 100644 index f56f9ef9..00000000 --- a/test/configs/certs/nats.crt +++ /dev/null 
@@ -1,88 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - c8:77:4b:d6:10:0a:9f:f3 - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io - Validity - Not Before: Oct 21 12:44:12 2015 GMT - Not After : Oct 20 12:44:12 2016 GMT - Subject: C=US, ST=California, L=San Francisco, O=Apcera Inc, OU=NATS Testing, CN=apcera.me:4443/emailAddress=derek@nats.io - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:a1:e3:36:e3:e4:88:53:e8:b7:37:56:96:c9:a8: - 1d:0a:53:d2:b8:87:96:b3:aa:35:26:f2:e6:20:65: - f2:6a:6f:31:e1:0d:44:82:fc:97:bc:3e:db:c9:25: - 68:ee:81:84:b9:88:49:bf:cc:46:46:68:8c:fa:0e: - 05:9a:3d:0f:cc:90:54:0a:58:ee:3e:85:fe:64:75: - 85:49:17:a1:ed:10:04:6d:34:22:1e:81:d0:ca:4c: - ec:a4:1c:e6:fd:7d:a0:05:b4:3c:e3:5d:e8:32:8e: - a6:04:a6:af:42:cd:09:15:39:12:9b:7c:32:9d:ce: - 3e:06:aa:bf:13:98:36:ff:b1:f7:aa:1d:f1:fe:ba: - 1d:c2:38:86:52:ce:7e:d3:86:44:8c:2f:65:e3:50: - 4a:67:22:e2:39:51:ab:30:0e:e3:a8:ce:c9:9a:d1: - 9f:4c:1c:25:49:da:fa:b7:a1:0f:8e:d6:c0:d6:6d: - 05:22:cc:58:06:fa:7c:4a:b0:b9:ab:d5:e6:0b:60: - 48:ed:cf:c8:46:ab:e1:fa:55:91:88:21:8d:e0:fc: - 21:21:26:3f:a5:9f:b5:95:40:59:27:03:84:3f:2c: - 61:b2:2b:5b:e0:75:5c:fb:70:eb:c3:d3:3a:3a:e8: - 2e:47:7e:3d:51:82:7a:b8:b4:8e:17:ff:e4:0d:fb: - 86:5f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 - X509v3 Authority Key Identifier: - keyid:1E:A4:01:43:CF:10:7B:1A:A8:47:40:90:13:CE:5B:66:4C:B4:3B:69 - DirName:/C=US/ST=California/L=San Francisco/O=Apcera Inc/OU=NATS Testing/CN=apcera.me:4443/emailAddress=derek@nats.io - serial:C8:77:4B:D6:10:0A:9F:F3 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 8c:4c:4a:36:de:84:81:9e:fa:25:0c:50:d1:dd:96:33:34:f9: - 
7a:f2:40:ed:9b:14:af:86:1e:f0:32:bc:03:67:96:fe:34:16: - 2e:92:9b:97:c1:76:93:04:d7:d6:e1:d0:75:66:a2:0e:2b:1a: - 60:ac:df:e6:14:78:ef:32:3a:91:e8:19:4c:e5:25:5b:ee:3f: - 77:5a:30:2e:f1:e2:0b:cb:33:80:af:ec:71:f4:c2:eb:4f:14: - 5a:b4:c7:df:d9:86:7a:ef:23:fc:c2:fd:35:00:e0:77:4c:50: - d3:b7:f6:ca:4b:5b:19:26:6a:8e:53:66:6a:e5:fc:7f:46:54: - 7f:78:ad:98:45:e4:66:9b:78:7b:e4:8e:da:13:50:2c:a1:6b: - 03:6d:a7:36:b9:f8:10:ed:e4:23:02:d8:9f:0f:f7:fe:6e:c8: - 75:58:8d:34:bf:45:52:58:8c:d0:86:09:e4:aa:6d:61:d8:8c: - d1:1d:fb:f1:4c:3d:d5:dc:9e:17:49:d8:2f:8c:b1:34:aa:81: - 93:de:50:c0:f7:c7:17:83:7f:66:a0:d2:c5:8c:63:70:b6:34: - 0b:0a:77:41:41:19:ca:92:8a:ed:02:e6:98:62:e6:66:8f:2f: - 46:16:b6:71:b2:4a:76:15:ba:ce:a8:7a:a1:3a:44:d1:84:12: - b8:61:97:bf ------BEGIN CERTIFICATE----- -MIIExzCCA6+gAwIBAgIJAMh3S9YQCp/zMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD -VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j -aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n -MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA -bmF0cy5pbzAeFw0xNTEwMjExMjQ0MTJaFw0xNjEwMjAxMjQ0MTJaMIGdMQswCQYD -VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j -aXNjbzETMBEGA1UEChMKQXBjZXJhIEluYzEVMBMGA1UECxMMTkFUUyBUZXN0aW5n -MRcwFQYDVQQDEw5hcGNlcmEubWU6NDQ0MzEcMBoGCSqGSIb3DQEJARYNZGVyZWtA -bmF0cy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKHjNuPkiFPo -tzdWlsmoHQpT0riHlrOqNSby5iBl8mpvMeENRIL8l7w+28klaO6BhLmISb/MRkZo -jPoOBZo9D8yQVApY7j6F/mR1hUkXoe0QBG00Ih6B0MpM7KQc5v19oAW0PONd6DKO -pgSmr0LNCRU5Ept8Mp3OPgaqvxOYNv+x96od8f66HcI4hlLOftOGRIwvZeNQSmci -4jlRqzAO46jOyZrRn0wcJUna+rehD47WwNZtBSLMWAb6fEqwuavV5gtgSO3PyEar -4fpVkYghjeD8ISEmP6WftZVAWScDhD8sYbIrW+B1XPtw68PTOjroLkd+PVGCeri0 -jhf/5A37hl8CAwEAAaOCAQYwggECMB0GA1UdDgQWBBQepAFDzxB7GqhHQJATzltm -TLQ7aTCB0gYDVR0jBIHKMIHHgBQepAFDzxB7GqhHQJATzltmTLQ7aaGBo6SBoDCB -nTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh -biBGcmFuY2lzY28xEzARBgNVBAoTCkFwY2VyYSBJbmMxFTATBgNVBAsTDE5BVFMg 
-VGVzdGluZzEXMBUGA1UEAxMOYXBjZXJhLm1lOjQ0NDMxHDAaBgkqhkiG9w0BCQEW -DWRlcmVrQG5hdHMuaW+CCQDId0vWEAqf8zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 -DQEBBQUAA4IBAQCMTEo23oSBnvolDFDR3ZYzNPl68kDtmxSvhh7wMrwDZ5b+NBYu -kpuXwXaTBNfW4dB1ZqIOKxpgrN/mFHjvMjqR6BlM5SVb7j93WjAu8eILyzOAr+xx -9MLrTxRatMff2YZ67yP8wv01AOB3TFDTt/bKS1sZJmqOU2Zq5fx/RlR/eK2YReRm -m3h75I7aE1AsoWsDbac2ufgQ7eQjAtifD/f+bsh1WI00v0VSWIzQhgnkqm1h2IzR -HfvxTD3V3J4XSdgvjLE0qoGT3lDA98cXg39moNLFjGNwtjQLCndBQRnKkortAuaY -YuZmjy9GFrZxskp2FbrOqHqhOkTRhBK4YZe/ ------END CERTIFICATE----- diff --git a/test/configs/certs/nats.key b/test/configs/certs/nats.key deleted file mode 100644 index 81507bfe..00000000 --- a/test/configs/certs/nats.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAoeM24+SIU+i3N1aWyagdClPSuIeWs6o1JvLmIGXyam8x4Q1E -gvyXvD7bySVo7oGEuYhJv8xGRmiM+g4Fmj0PzJBUCljuPoX+ZHWFSReh7RAEbTQi -HoHQykzspBzm/X2gBbQ8413oMo6mBKavQs0JFTkSm3wync4+Bqq/E5g2/7H3qh3x -/rodwjiGUs5+04ZEjC9l41BKZyLiOVGrMA7jqM7JmtGfTBwlSdr6t6EPjtbA1m0F -IsxYBvp8SrC5q9XmC2BI7c/IRqvh+lWRiCGN4PwhISY/pZ+1lUBZJwOEPyxhsitb -4HVc+3Drw9M6OuguR349UYJ6uLSOF//kDfuGXwIDAQABAoIBABVtHzy2aJzCdk1q -tnZmO8G8Km2l9Ho/Et3e1DqBg742jWF+Ag1cJTETGL/cpbC7j7eGpEwwWzTCbbZC -2Nb7MfYfPCBKeO3piiv9qfBsok/gCNXzSnjDMcE0wTVPZfsy/1UB7/Uf3rWiT7LZ -5ORwgr0+WoodvA1K2MbFHpkXUmAxFevx6reGmWYlx8UPbyS9PfONHt2SfG8wVmcJ -n3qqw5Flywp8uDCTrd8L/yM54onq4RCZ/iSKLphLjOFgWzx2PnuRog4obNJtAlHC -jTcrW1/QCgwU9J2uBfMvzQLWwgU6prlrh20k42UbWknqoozwdSW7N3vEawt3ri5Z -c76wkGECgYEA0xj+AbZ6FyqA5lJbebSZs1KpBsgcJK5LI/XAvKnlLNnKXIi5uT2l -SM37j9/G5BhnrOIUuc756WJrX5CTqkXHvc5eINO1sR4o1uTf3H44JKWXFBanzdvO -DXI11a0810AbJEiXqz7e/ldEovVsBWJCMtv+F7j7TCNG4qlPMa7xhCcCgYEAxFKP -mR2nHlvFJQYUkiGRpTYg82utNiQhifwGUjZK0kBeMXH10fL2K1KOx/OfrlTOQmyN -OC/db88sFtsh0sD44SzkAUS0iP8FWlWYrm+ZLWc1xkOaOcDE294p+BgX3xxTLKWK -dO9gKsG5MxscZ8yTvX67jRmfeiRAlVr8bPOKtwkCgYAWSH8XozGEHIJ6zZrGYCAR -Y9pf0uPVo2hfJWPxBmYgs+S+m9gvC6jU5Jl3eIHANitLfpn9ezG6Rx9aeSJ9SNxq -1svs3yxAxBQ/iu1ukwxOIgSupC2Wd2tq0/GG2sCfYC79R4RrGTnk00V1hj6e2t5u -C/bofihYwyiKaKDpd7Qa5QKBgBt3dZG1fVkY+8cHR79+JNNZdFi6Gty1R1/3u6aq -4+LwkH0YdYzvEhPTlBhTdGa+hLD0YPmYcMGg2YlFFUFYMDnIvwmSZDO6gjQ2P4tA -H80jYHmhoaUs3B3qwjJspIJZgyV+75UWnHy+57tHsryu+YiMf47pI8/B3KtItIJF -vIWJAoGAXoQbPCdxl//vVxvlnKl8TTlaW0GYJk+GAow6V3s/nMmMQKlFuurZpHcT -cmYkpTbTOgVhhmgqr8Iw7qIRS95NzfjbsV6wzbFJZNI/pU5tJAtcFgsmaTA5Uxck -BQZmojzJgiQ1cZT9BCKAeuwi5G/tKyJzA6Q1zSbSs8HrHV1BU98= ------END RSA PRIVATE KEY----- diff --git a/test/configs/certs/server-cert.pem b/test/configs/certs/server-cert.pem new file mode 100644 index 00000000..46bc9133 --- /dev/null +++ b/test/configs/certs/server-cert.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFQTCCAymgAwIBAgIJAO+k4G7bNTyoMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoTCkFwY2VyYSBJbmMxEDAOBgNVBAsTB25hdHMuaW8xEjAQBgNVBAMTCWxv +Y2FsaG9zdDEcMBoGCSqGSIb3DQEJARYNZGVyZWtAbmF0cy5pbzAeFw0xNTExMDUy +MzA2MzRaFw0xOTExMDQyMzA2MzRaMBQxEjAQBgNVBAMTCWxvY2FsaG9zdDCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALYBy3IEY3kqlf5h2vEtk9CB4Vnt +AD+eaVc3Y9xuFHJ4k0ScsjwrYH3YcwQW0fDpOQCI0102YoQT7tPCBT+rC0w1mM82 +0ZSKS/y2SIK9cM6LHWkUbQcWfeaL+uz2HB3jTEm8tmEEFTLBJFMbMpUsvjA5GLqG +URswsNjYEl8M9wS1BETw2e+eCFa4wxq9oGHp/Dgh0vZglHzQL5osEpRct1aaQo6O +jWzZc1Cgx4SxmMOoMWF8BQzlO7aikbZEJxk03TIFNph/azJt7mviMseW72mP+bX9 +sm/8bsINiYgJMM2HAyjIgFVMXX8AYfEFC4wozYloLqn0yy9TdjhyGbsUjg0yTd4l +A9LkGKroBdY1drPSek5Nj9br27UGGGfU2ddAD5xYBIeeFY+3nqST868oIXB/m1P7 +1p8tpkgujx/RqKr3nvOqBHizmoQaWZsPC3X/Jc4NvVHihpuNzN/u1D5mxGhxsx+R +qnrIkhS0IqNrokggPZazugmHntd95HgTb3JpjY3RGEYXAQNr+mZGUCc+CVu0mhFX +xAMZcfVp5nDg4hKHiaRv0KcaqBmnn8AB5w5FiTppzUbRP0zz7GkwrdulwR6c2Eb5 +75+/022TbgCx8B9SH4zJRTj5mtrK56eFgTcnuXB+YnWaP7/7qmKIZzxrd3UDvnza +bhnMiiIK7vL8qiOTAgMBAAGjHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA +ATANBgkqhkiG9w0BAQsFAAOCAgEAOrh8XfW6quwBAcCxHf6/uvu/iNq4yHCg2qH6 +VtWs/x38I2t3BRSNsLsJGieh6yLlZDzOus+XYui4uDE50XmcwaIsY0VcXnvdyZVZ +w9+lMyfp00kRF1o3B6eVxq0pRE5VB0cai7XI7tyfpRwGzA+oNLF4vBvxAHm9Ony5 +Q57DC/HFzyUogdkMYciO/kd9oa4HosDEXwaE8UvZUL8OVl/dptMXLL/GGwzZsUAE +1sLAbgm044YChLUDzgBAtDTkB/HNkcPzSKwULuskhe7ndoaEQNXVZuP7quGiZ/W1 +1lE59gnmnyG8ySFCL05jHrKLtFAJe88gQjgDK65ZJv4W/k7ocmT+HhCxWyQWcX6v +abJ0EssqeSQuzRMuZebMJJ8s46d6RcYuMdIX3RDXq+1moJDFopE7lgNrlRhWgaky +Og8f/u8s1j75tk1YaYcY9uBKjKk7f681R9wMumkd6IEmEvkUwHNFsctxi4fGI7h1 +PRdKL0DlhVmnpHlKs6Kvm2sJ3twSAGSrC4u0LuxACeR3XbiBfyhFV/291LSuw/y1 +JtWOW5koh0g1k9xtkiu3/ePVdG/CLp796IyRhdB1jP/vD7W5RLLG/VAlomfjsPsB +AnwFYbVZ8KrmMKYUpTJOH31CRzFdOB6nWqXu5tk3nOtLKo1nIOuVtmp9XLz3VtHe +NiZPnqA= +-----END CERTIFICATE----- 
diff --git a/test/configs/certs/server-key.pem b/test/configs/certs/server-key.pem
new file mode 100644
index 00000000..113a87e1
--- /dev/null
+++ b/test/configs/certs/server-key.pem
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKgIBAAKCAgEAtgHLcgRjeSqV/mHa8S2T0IHhWe0AP55pVzdj3G4UcniTRJyy +PCtgfdhzBBbR8Ok5AIjTXTZihBPu08IFP6sLTDWYzzbRlIpL/LZIgr1wzosdaRRt +BxZ95ov67PYcHeNMSby2YQQVMsEkUxsylSy+MDkYuoZRGzCw2NgSXwz3BLUERPDZ +754IVrjDGr2gYen8OCHS9mCUfNAvmiwSlFy3VppCjo6NbNlzUKDHhLGYw6gxYXwF +DOU7tqKRtkQnGTTdMgU2mH9rMm3ua+Iyx5bvaY/5tf2yb/xuwg2JiAkwzYcDKMiA +VUxdfwBh8QULjCjNiWguqfTLL1N2OHIZuxSODTJN3iUD0uQYqugF1jV2s9J6Tk2P +1uvbtQYYZ9TZ10APnFgEh54Vj7eepJPzryghcH+bU/vWny2mSC6PH9Goqvee86oE +eLOahBpZmw8Ldf8lzg29UeKGm43M3+7UPmbEaHGzH5GqesiSFLQio2uiSCA9lrO6 +CYee133keBNvcmmNjdEYRhcBA2v6ZkZQJz4JW7SaEVfEAxlx9WnmcODiEoeJpG/Q +pxqoGaefwAHnDkWJOmnNRtE/TPPsaTCt26XBHpzYRvnvn7/TbZNuALHwH1IfjMlF +OPma2srnp4WBNye5cH5idZo/v/uqYohnPGt3dQO+fNpuGcyKIgru8vyqI5MCAwEA +AQKCAgEAl6zBNUAxAW2a2AYGZgx8bTt/Z+hY16uUz8jqIG1f/tE6sOgApKHlZJp3 +pwW5aRGCnk5oDfrfeH///Fpo81kALj9QHAbr+uSRVIU3wjRLCOTn2oTaIxj8TJ+E +ueqTHdko3x4zwn+bhtNsCRHWQnip+hfq4q5Ccu1Nwze1f56XUEXly+oHRGenPVX1 +yZgTSuWqecC+RPHRbH413T4zMY5efv5IzvI/K2G/doa2Hn+99fd5R2sJ7mguLhIm +agU7rAbg+ulbSRSOadUw5pj3hlrjI06HY8GK7UYpqu+LGGHIWM7VtCv6vprII6lW +9Xsl12S9fG/ky1+j38mm8H0tsjj78t2L6ZDS2Fb9usbM5VhdQfQpTBTSfAEZPeus +X2QTpTXnp5oHM7CzcQuGE25CruSHEJPy/Y0hTaunNBQ9VY6M/Pcq0sB0xAa0hN5H +PqOae1/fNKR/7iwdptesNGguZoLnNd1yeVBdZ55SZw7+9hjIPAjn3iLNqfieSpXL +5lG+Z0JEUMW0f1MRmU9AsR2x4Dlpvulrn39Oc5vgc0JP+r7+MMpY5BpWS5WhTxqm +tx1qh49yXFXIIEXqxjIIxQ3NO1del8QNDUGROnqlh5gFRADIcJpZMv8uAhSHEXm3 ++3PndJoCIfNv9gE8zNsB3r3PPgelG3wagy/eDe59PH0JvUmTWZkCggEBANxBkHAT +LB5hkp3hAwmop62HgkG8k6Ht11q2qGgkO/EhfsgsZXTpI3LZZ3Nrf+5IZiwStloW +iZwY/xocGL6tIFcuXHRqDDDPNRFUVxhSdcQd2mL7R6uin9eJ4ccQdaOXplQXOXFG +G7wAIhfGR7JnyzS1+eKItdFYrU63BeavPLltE4GV4pFJIFXEXc3v87j/Ba9uIop1 +/zytEn37yzDxdptH0HYtCm4Ve17n0STwvf9Le7b3ZFbs/cj3akAoSOTy/bYKNZl4 +EtaT0T7AGr8qJIaAlUYtva30+sQ2ytXHOdjkKD38xTN2oXoHgAfn7wIinzM+rbGi +d6FFIiARlp1g0O0CggEBANOLMJSvNeMxlM+8LJ0xo2J20Lk+1EGyb0+Ltp6jkrRW +SPCvnNC7Ww6L6tRfCvatnb0qTvfR/HfM1oE2e2Q2QL+hZoZyxXEiZHd/ERyAj398 
+uImSz8bkRPWzPZU0wqYO621MEdY+fPcQfZDMBlcA25cFlvuiCRoeRQ1DIREDKMMG +Cnhbvv0f2J7e9rVAIqrTRtxKaRAIwU4YVIG2ymwWA+P/3/NFlYC344MGfoeum0NI +qazULaAVKE99jV3sYC2twcrGgXel/OSGCX33WCVsQKIhIOGDib1KzyJHTBr+D8Tu +rbO4fmyJtUpKC+XCIXto7ebbo0sVE2+7dp5ofBhCtn8CggEBALvBABkpnsA/OLZw +qyA+rsET9IuI7uhoUN25OxGbYaWJggOtJMdmPZuXi8It7x32hXIoeV2OPLvd6wgc +z1MrTZhDovhxtfadi4U8Ogo3sL//Grypq0y6EjuwA9CnTUCo81ZXfdX7h4TZMDbI +BTIlnGlQfrUHCMZuKz4gcl1VIBSI0Mn0NPDYP0IdZEE6vK4EZppG7hbNw0e72Tmf +vHP6QbrYmvFCL9PraAFc50HwHmZTuCAd/2DCIQyBLAeIz6qrIG9fgJVUb+qOkx5E +sAgpKn2lepoaP8jcPi+o7XsSm1MyGsPMh2X5SGk3n4IdyfYuATuzwGjeL9A/mHlx +xMxfTXkCggEAGYuTYEEQNtFD8Rn+ITVfT4KdjeEibJSJkIeEk/+YtaI9yKLMQwB8 +7HLE9sRLZKJui+tSAecfn6/ir1PO7rkGdJ2e7dlqMlE+5Jc5j8GOkoyTFDngUVo7 +YZg1dZEbeEYQ8+/dr4t4N7WMFDIvCc6WtdP8+YIFq1vAZuuWUKGbCIHwPbyGgbaY +yAaQsC6AgTRmOC/cJA2Kmk2h1tAl/YtjCONbPdtHRHXwSWA9Y1EYerWJl88/ezdS +2NaGfbMPojR7VGtIMxSeR1JQTx/RSyOZYnqxp8nkljE0diU58YCAkv1niG5dBepT +NBdg/GvG80omgFxBic2PvUxb9KEVazCTLQKCAQEAwx3aNk2lMovLzuMRqj2O7rqs +4usiHDllR1S7vAySUqhBaL8l+y1lsulgCDExClt3SQpsaM5xep1sK5jN8REzKsE9 +xBgXkNRgy+/1VGa1Tx0DR6xLoAIYT7Ttm27kellAFLE1tEFsSdZP9ZcfwjYKQEuu +Bsm4zf5duDb+hLraxK9ISqcc8ZUSlCLkj9GdhLwf+/8C81LXkS2ScR8Edumn8qe7 +IYqqWSYqKhaoqmx6sr8E0SIn6PKd7uXZnXTTxTf6AR1RNzFcStIL5lC06V6Savpa +tSX2voU3DgUIDYrYUhDweukR8i+0nrkR8wRUUjxaAeegUIRHN5ffpk57lQNaNg== +-----END RSA PRIVATE KEY----- diff --git a/test/configs/tls.conf b/test/configs/tls.conf index 66702a76..029cc141 100644 --- a/test/configs/tls.conf +++ b/test/configs/tls.conf @@ -5,8 +5,9 @@ port: 4443 net: localhost tls { - cert_file: "./configs/certs/localhost.crt" - key_file: "./configs/certs/localhost.key" +# ca_file: "./configs/certs/ca.pem" + cert_file: "./configs/certs/server-cert.pem" + key_file: "./configs/certs/server-key.pem" } authorization { diff --git a/test/opts_test.go b/test/opts_test.go index d94ad0fb..4c8a4d1b 100644 --- a/test/opts_test.go +++ b/test/opts_test.go @@ -3,7 +3,6 @@ package test import ( - "fmt" "testing" ) 
@@ -29,7 +28,6 @@ func TestTLSConfig(t *testing.T) { defer c.Close() sinfo := checkInfoMsg(t, c) - fmt.Printf("sinfo is %+v\n", sinfo) if sinfo.TLSRequired != true { t.Fatal("Expected TLSRequired to be true when configured") } diff --git a/test/tls_test.go b/test/tls_test.go index b4955579..546567cb 100644 --- a/test/tls_test.go +++ b/test/tls_test.go @@ -6,6 +6,7 @@ import ( "crypto/tls" "crypto/x509" "fmt" + "io/ioutil" "testing" "github.com/nats-io/nats" @@ -16,22 +17,19 @@ func TestTLSConnection(t *testing.T) { defer srv.Shutdown() endpoint := fmt.Sprintf("%s:%d", opts.Host, opts.Port) - nurl := fmt.Sprintf("nats://%s/", endpoint) + nurl := fmt.Sprintf("nats://%s:%s@%s/", opts.Username, opts.Password, endpoint) nc, err := nats.Connect(nurl) if err == nil { t.Fatalf("Expected error trying to connect to secure server") } // Do simple SecureConnect - nc, err = nats.SecureConnect(nurl) + nc, err = nats.SecureConnect(fmt.Sprintf("nats://%s/", endpoint)) if err == nil { t.Fatalf("Expected error trying to connect to secure server with no auth") } - // Add in the user/pass - purl := fmt.Sprintf("nats://%s:%s@%s/", opts.Username, opts.Password, endpoint) - - nc, err = nats.SecureConnect(purl) + nc, err = nats.SecureConnect(nurl) if err != nil { t.Fatalf("Got an error on SecureConnect: %+v\n", err) } 
@@ -46,20 +44,26 @@ func TestTLSConnection(t *testing.T) { } defer nc.Close() - // Now do more advanced checking - - // Setup our own TLSConfig using Root from our self signed cert. + // Now do more advanced checking, verifying servername and using rootCA. + // Setup our own TLSConfig using RootCA from our self signed cert. + rootPEM, err := ioutil.ReadFile("./configs/certs/ca.pem") + if err != nil || rootPEM == nil { + t.Fatalf("failed to read root certificate") + } pool := x509.NewCertPool() - pool.AddCert(opts.TLSConfig.Certificates[0].Leaf) + ok := pool.AppendCertsFromPEM([]byte(rootPEM)) + if !ok { + t.Fatalf("failed to parse root certificate") + } config := &tls.Config{ - ServerName: nurl, + ServerName: opts.Host, RootCAs: pool, MinVersion: tls.VersionTLS12, } copts := nats.DefaultOptions - copts.Url = purl + copts.Url = nurl copts.Secure = true copts.TLSConfig = config @@ -69,7 +73,4 @@ func TestTLSConnection(t *testing.T) { } nc.Flush() defer nc.Close() - - // nc.conn = tls.Client(nc.conn, &tls.Config{ServerName: nc.url.String()}) - } From 1c7f7082178db3974b82f16371c60935e3e673df Mon Sep 17 00:00:00 2001 From: Derek Collison Date: Sun, 8 Nov 2015 10:48:39 -0800 Subject: [PATCH 09/13] Added in support for requiring client certificates --- TODO.md | 1 + server/opts.go | 19 +++++++++++++ server/server.go | 13 +++++++-- test/configs/tls.conf | 7 +++-- test/configs/tlsverify.conf | 16 +++++++++++ test/tls_test.go | 55 +++++++++++++++++++++++++++++++++++++ 6 files changed, 106 insertions(+), 5 deletions(-) create mode 100644 test/configs/tlsverify.conf diff --git a/TODO.md b/TODO.md index 68c70b53..9f9f1d7a 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,7 @@ # General - [ ] SSL/TLS support +- [ ] Better user/pass support using bcrypt etc. - [ ] Pedantic state - [ ] brew, apt-get, rpm, chocately (windows) - [ ] Dynamic socket buffer sizes diff --git a/server/opts.go b/server/opts.go index def9e41e..0031dd6f 100644 --- a/server/opts.go +++ b/server/opts.go 
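Review bot: The added read of `./configs/certs/ca.pem` in the hunk at -46,20 +44,26 reports failure without its cause, because `t.Fatalf("failed to read root certificate")` discards `err`; `t.Fatalf("failed to read root certificate: %v", err)` makes a missing or unreadable fixture diagnosable. The `rootPEM == nil` test adds nothing, since an empty or invalid file is already caught by the `AppendCertsFromPEM` check, and `[]byte(rootPEM)` converts a value that is already a `[]byte`. The same block is repeated in TestTLSClientCertificate in the later tls_test.go hunk. TestTLSConnection starts outside this hunk.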
@@ -63,6 +63,8 @@ type authorization struct { type tlsConfig struct { certFile string keyFile string + caFile string + verify bool } // ProcessConfigFile processes a configuration file. @@ -207,6 +209,19 @@ func parseTLS(tlsm map[string]interface{}, opts *Options) error { return fmt.Errorf("error parsing tls config, expected 'key_file' to be filename") } tc.keyFile = keyFile + case "ca_file": + caFile, ok := mv.(string) + if !ok { + return fmt.Errorf("error parsing tls config, expected 'ca_file' to be filename") + } + tc.caFile = caFile + case "verify": + verify, ok := mv.(bool) + if !ok { + return fmt.Errorf("error parsing tls config, expected 'veridy' to be a boolean") + } + tc.verify = verify + default: return fmt.Errorf("error parsing tls config, unknown field [%q]", mk) } @@ -234,6 +249,10 @@ func parseTLS(tlsm map[string]interface{}, opts *Options) error { tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, }, } + // Require client certificates as needed + if tc.verify == true { + config.ClientAuth = tls.RequireAnyClientCert + } opts.TLSConfig = &config return nil } diff --git a/server/server.go b/server/server.go index d46ab8d7..d5aa685a 100644 --- a/server/server.go +++ b/server/server.go @@ -32,7 +32,9 @@ type Info struct { Host string `json:"host"` Port int `json:"port"` AuthRequired bool `json:"auth_required"` - TLSRequired bool `json:"ssl_required"` // ssl json used for older clients + SSLRequired bool `json:"ssl_required"` // ssl json used for older clients + TLSRequired bool `json:"tls_required"` + TLSVerify bool `json:"tls_verify"` MaxPayload int `json:"max_payload"` } 
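Review bot: The error returned for a non-boolean `verify` value, in the `case "verify":` branch of the hunk at -207,6 +209,19, names the key as 'veridy', so an operator debugging a rejected config is pointed at a field that does not exist. It should read `return fmt.Errorf("error parsing tls config, expected 'verify' to be a boolean")`. The switch belongs to parseTLS, whose body starts and ends outside the hunk.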
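Review bot: `tls.RequireAnyClientCert` in the hunk at -234,6 +249,10 makes the server demand a client certificate without validating it, so with `verify: true` a certificate from any issuer, including a self-signed one, satisfies the requirement. The `ca_file` value parsed in the previous hunk is stored in `tc.caFile`, but nothing visible here loads it into `config.ClientCAs`; unless that happens elsewhere in parseTLS, the option has no effect. I would load the CA file into a pool, set `ClientCAs`, and switch to `tls.RequireAndVerifyClientCert`, as sketched below. The `TLSVerify` computation in server.go's New compares against `RequireAnyClientCert` and would have to follow. parseTLS starts outside this hunk.

```go
	// Require and verify client certificates as needed
	if tc.verify {
		config.ClientAuth = tls.RequireAndVerifyClientCert
	}
	// Trust only the configured CA when validating client certificates.
	if tc.caFile != "" {
		rootPEM, err := ioutil.ReadFile(tc.caFile)
		if err != nil {
			return fmt.Errorf("error reading tls ca_file %q: %v", tc.caFile, err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(rootPEM) {
			return fmt.Errorf("error parsing tls ca_file %q: no certificates found", tc.caFile)
		}
		config.ClientCAs = pool
	}
	opts.TLSConfig = &config
```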
@@ -75,6 +77,11 @@ type stats struct { // New will setup a new server struct after parsing the options. func New(opts *Options) *Server { processOptions(opts) + + // Process TLS options, including whether we require client certificates. + tlsReq := opts.TLSConfig != nil + verify := (tlsReq == true && opts.TLSConfig.ClientAuth == tls.RequireAnyClientCert) + info := Info{ ID: genID(), Version: VERSION, @@ -82,7 +89,9 @@ func New(opts *Options) *Server { Host: opts.Host, Port: opts.Port, AuthRequired: false, - TLSRequired: opts.TLSConfig != nil, + TLSRequired: tlsReq, + SSLRequired: tlsReq, + TLSVerify: verify, MaxPayload: opts.MaxPayload, } diff --git a/test/configs/tls.conf b/test/configs/tls.conf index 029cc141..ac6a9aa2 100644 --- a/test/configs/tls.conf +++ b/test/configs/tls.conf @@ -5,9 +5,10 @@ port: 4443 net: localhost tls { -# ca_file: "./configs/certs/ca.pem" - cert_file: "./configs/certs/server-cert.pem" - key_file: "./configs/certs/server-key.pem" + # Server cert + cert_file: "./configs/certs/server-cert.pem" + # Server private key + key_file: "./configs/certs/server-key.pem" } authorization { diff --git a/test/configs/tlsverify.conf b/test/configs/tlsverify.conf new file mode 100644 index 00000000..531b477e --- /dev/null +++ b/test/configs/tlsverify.conf @@ -0,0 +1,16 @@ + +# Simple TLS config file + +port: 4443 +net: localhost + +tls { + # Server cert + cert_file: "./configs/certs/server-cert.pem" + # Server private key + key_file: "./configs/certs/server-key.pem" + # Optional certificate authority for clients + ca_file: "./configs/certs/ca.pem" + # Require a client certificate + verify: true +} diff --git a/test/tls_test.go b/test/tls_test.go index 546567cb..415e193a 100644 --- a/test/tls_test.go +++ b/test/tls_test.go 
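Review bot: `verify` in New (hunk at -75,6 +77,11) is true only when `ClientAuth` is exactly `tls.RequireAnyClientCert`, so a caller that supplies a `TLSConfig` using `tls.RequireAndVerifyClientCert` gets `tls_verify: false` in INFO while the handshake still demands a certificate. Matching both requiring modes avoids that: `verify := tlsReq && (opts.TLSConfig.ClientAuth == tls.RequireAnyClientCert || opts.TLSConfig.ClientAuth == tls.RequireAndVerifyClientCert)`. The `tlsReq == true` comparison can be plain `tlsReq`. New's body continues outside the hunk.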
@@ -74,3 +74,58 @@ func TestTLSConnection(t *testing.T) { nc.Flush() defer nc.Close() } + +func TestTLSClientCertificate(t *testing.T) { + srv, opts := RunServerWithConfig("./configs/tlsverify.conf") + defer srv.Shutdown() + + nurl := fmt.Sprintf("nats://%s:%d", opts.Host, opts.Port) + + _, err := nats.Connect(nurl) + if err == nil { + t.Fatalf("Expected error trying to connect to secure server without a certificate") + } + + _, err = nats.SecureConnect(nurl) + if err == nil { + t.Fatalf("Expected error trying to secure connect to secure server without a certificate") + } + + // Load client certificate to sucessfully connect. + certFile := "./configs/certs/client-cert.pem" + keyFile := "./configs/certs/client-key.pem" + cert, err := tls.LoadX509KeyPair(certFile, keyFile) + if err != nil { + t.Fatalf("error parsing X509 certificate/key pair: %v", err) + } + + // Load in root CA for server verification + rootPEM, err := ioutil.ReadFile("./configs/certs/ca.pem") + if err != nil || rootPEM == nil { + t.Fatalf("failed to read root certificate") + } + pool := x509.NewCertPool() + ok := pool.AppendCertsFromPEM([]byte(rootPEM)) + if !ok { + t.Fatalf("failed to parse root certificate") + } + + config := &tls.Config{ + Certificates: []tls.Certificate{cert}, + ServerName: opts.Host, + RootCAs: pool, + MinVersion: tls.VersionTLS12, + } + + copts := nats.DefaultOptions + copts.Url = nurl + copts.Secure = true + copts.TLSConfig = config + + nc, err := copts.Connect() + if err != nil { + t.Fatalf("Got an error on Connect with Secure Options: %+v\n", err) + } + nc.Flush() + defer nc.Close() +} From ec0c6583442004de4beebc602ddff9ec5629174b Mon Sep 17 00:00:00 2001 
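Review bot: TestTLSClientCertificate covers only a missing certificate and the fixture `client-cert.pem`, so it passes whether or not the server validates the client's chain. A third case that presents a key pair not issued by `./configs/certs/ca.pem` and expects `copts.Connect()` to fail would pin what `verify: true` is meant to guarantee. Smaller points: `defer nc.Close()` is registered after `nc.Flush()`, whose error is ignored, and the comment has a typo that should read `// Load client certificate to successfully connect.`.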
From: Derek Collison
Date: Sun, 8 Nov 2015 10:58:40 -0800
Subject: [PATCH 10/13] Adding in client cert/key pair
---
test/configs/certs/client-cert.pem | 30 ++++++++++++++++++
test/configs/certs/client-key.pem | 51 ++++++++++++++++++++++++++++++
2 files changed, 81 insertions(+)
create mode 100644 test/configs/certs/client-cert.pem
create mode 100644 test/configs/certs/client-key.pem
diff --git a/test/configs/certs/client-cert.pem b/test/configs/certs/client-cert.pem
new file mode 100644
index 00000000..549c9b38
--- /dev/null
+++ b/test/configs/certs/client-cert.pem
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFPDCCAySgAwIBAgIJAO+k4G7bNTypMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoTCkFwY2VyYSBJbmMxEDAOBgNVBAsTB25hdHMuaW8xEjAQBgNVBAMTCWxv +Y2FsaG9zdDEcMBoGCSqGSIb3DQEJARYNZGVyZWtAbmF0cy5pbzAeFw0xNTExMDUy +MzEwNDdaFw0xOTExMDQyMzEwNDdaMBYxFDASBgNVBAMTC25hdHMtY2xpZW50MIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArgLxszD5/vDrDUwwIEgQx9I0 +J/H6MXPO0Tj9D2BnR+nwjCe9M03fsq4Il96BVzoaAiAQD1r4NyAX2adKydlnE3/m +bUFiSVHErJceEi9aSs+WlLdmKEgU2qrsIal9KzthlI786qtjb7OFSCxP14R4xYA5 +dlZXhJ9oUuFhVTdaVmRMzWuWj8RbBx8VptSZ0f7Q+Uv8GuB0kyiVkv6GYcH/IWuI +7jnM0QcVWBmxJfWmqd0yx/FLlX/LRXqdiyoFSIlMaP0VOwto3uEhAoBk83Z+/zrZ +Brymx1Nnz3qzTCf8/mdMjPuWibXDTLbo0/Kf6neHs6wxx8irb1ZfIwhn8grXTcgd +rg9bfcyyUOBey7QXiedpU0xFqoH26E+Aq+CV4R56i1sJKsSYEGu8O69H8zu5dgan +LZRhcCHcZhMe7Nbiu5BcuOW4r3rGDMTLXSugEX91iy5jJaYmRjtPN5imQIJtf+GK +Vq7YLv4MQV6R3xRiZXaocCae1qzIMc4kxCKvZTmxuJsvIUPjNnGumwbjV/a2fLFX +9tMqUKyEmiPtFtqNH/kmkHCQ5FGYIIj3wGuD5yWfK5Tr3iHOdNJoNNPgPBg9tMRw +j3+W8+uyBxc+FUEb8a9m3R4VmAYyiqgzCA0DWZBF1fOYLWfRnwS5OBKiP4OUlUEb +YZUEzfvDbLOwQrb123cCAwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJ +KoZIhvcNAQELBQADggIBACNKPbvaXwl5rRTqFw37Am1r6e+LkUg9dFogSwXDnuT/ +RRZJi5MHsC5MUOkHB28lTmPwkAogs+LBmKrM0Npzk6OPkT/LCgKqpVoz2Tc1nGMI +Jy8jxPYogMmDCOhoEoC7zsWABMLiX5KDAuKommk61w7AwKu4kK198ngwbfF2fzdH +1DUGID7iV4fyPGI+pCU3Ullv51c5xkhqjVy1JYdYc0+s6rFyVTibSABa7PfHE2ML +A+cNFWoKQhugVHQU7qYvuWvnEqZro2T6nmSmpK3oOaUgVnDuY2q4JwiMbZAtuyD7 +8LFwCim49WzgYcfs/BwKlUrTV/QBYurruHWjElZzwA39/ZlbnOjJJ85j/YqxR+4S +fK/KktegyrPJU3fxdl2+77zVlfgzxaQ//58vx5LgXWhl2KeHyakeD0jQFVn1R7GD +bynAlHlSOr+nGkwP2WVqXKf+l/gb/gUEY7bC8fCVRCctkcK+smEl+sIKH3O9JY8l +rBWjOXkMY91ZDh77hfTNni/s2/DGAoNrEft8rgu3/NPxhCTfQH3ranCryth9mF6I +qsOFr5/81WGKqU+Kec8st/RSU2vBjBp41HILAEEhUiB6prhc9B3+exwkvQSPz22W +PIvhkzqeOYRoEDE2bWGC1ukd818qvQp618eLBmJSvwGh4YfUcmgqHaEk2NjoPIMV +-----END CERTIFICATE----- 
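Review bot: This fixture certificate is valid for only four years: its validity field decodes to 5 Nov 2015 through 4 Nov 2019, after which any peer that verifies it will reject it. The `srva-cert.pem` and `srvb-cert.pem` fixtures added in PATCH 12/13 have the same four-year window, ending 7 Nov 2019. I would issue the test certificates with a much longer lifetime or check in the script that regenerates them from `ca.pem`. A short README next to the files stating that the accompanying private keys are test-only fixtures would also help.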
diff --git a/test/configs/certs/client-key.pem b/test/configs/certs/client-key.pem
new file mode 100644
index 00000000..bb44aa5a
--- /dev/null
+++ b/test/configs/certs/client-key.pem
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEArgLxszD5/vDrDUwwIEgQx9I0J/H6MXPO0Tj9D2BnR+nwjCe9 +M03fsq4Il96BVzoaAiAQD1r4NyAX2adKydlnE3/mbUFiSVHErJceEi9aSs+WlLdm +KEgU2qrsIal9KzthlI786qtjb7OFSCxP14R4xYA5dlZXhJ9oUuFhVTdaVmRMzWuW +j8RbBx8VptSZ0f7Q+Uv8GuB0kyiVkv6GYcH/IWuI7jnM0QcVWBmxJfWmqd0yx/FL +lX/LRXqdiyoFSIlMaP0VOwto3uEhAoBk83Z+/zrZBrymx1Nnz3qzTCf8/mdMjPuW +ibXDTLbo0/Kf6neHs6wxx8irb1ZfIwhn8grXTcgdrg9bfcyyUOBey7QXiedpU0xF +qoH26E+Aq+CV4R56i1sJKsSYEGu8O69H8zu5dganLZRhcCHcZhMe7Nbiu5BcuOW4 +r3rGDMTLXSugEX91iy5jJaYmRjtPN5imQIJtf+GKVq7YLv4MQV6R3xRiZXaocCae +1qzIMc4kxCKvZTmxuJsvIUPjNnGumwbjV/a2fLFX9tMqUKyEmiPtFtqNH/kmkHCQ +5FGYIIj3wGuD5yWfK5Tr3iHOdNJoNNPgPBg9tMRwj3+W8+uyBxc+FUEb8a9m3R4V +mAYyiqgzCA0DWZBF1fOYLWfRnwS5OBKiP4OUlUEbYZUEzfvDbLOwQrb123cCAwEA +AQKCAgAQUkBfYVGhgvFZDvNYo8nHJEU2FfE0oDsezqyVu6IUUbH5Q2TwofZAaShv +LjSNfOqhlmZLOmobqYvzI0jVg+myH4X6a26Pl/bNhWMRq5VZfP0Pt+ACGTizheKe +Caqu2mP9rie0zxyFhp4Ste1LNqapR6ycF98flmAPngomFwoHHmNBxTybAXzUPysl +ub0vwCnTqDfeQX1NrDnTTsJF+w82EEMIrS0z0elDmS1PdSoLtq6jqFNBk3n6a1TJ +j8htFEuxcUODhT9x4EXbWTWezFd/EwL2Kc2u1njfMhANLZcCOagpdROamQzXbjSK +ZLBxKoL07ErDBWRnDf/gZlJxlmi5QFgy3LFvmZ93sbedzRaTDsjXEpbTse/l36QY +6YCjSnb2zUX2AElKmyC/QwR8BZ9afRQM7x3eqLkE1q4jkLsk3+W3VroyaoOfQxiB +k+xtL5cxoa9SiTgETNHpFQhiTNyX7FlH1ykoJzTryLsbccTd1iP7DF5ZPt8DfgIZ +PLzwh7PDiK5cpitm8g6TdvuLA9FT+bEtd/78odN++VDhkcCmSQMWKk3Xt8wznNcY +8Ye5JC/4aHRueWCziWaJYJHi6ZNCt4CR5wzEGBmPlf0562UpQpfEuDOQDRX3FaMs +qYbCrRVeQL3wXcu3sVToj9zSES2R+kQfTwaqdypgS79y0Dp6eQKCAQEA2BAu0Cqn +xmjuqn/qpPXtW3kryHPP7eyzt53o8Xg7RqQ0oT+FNiO3o4aGoVlxkMjBW+NOpWo1 +VtsTrsB+RxIiuugb9/D2dy1z5BK2x4bvurxkyOovU3J2WHSNIUsbQ5FSN8w5sAcl ++1QFNcM5ooBa7VahRV2vJcGe9P+QFR75c4xSCvG6AOu8WzZNUNOw97s/N24NevU5 +26Ql20zwn+E0avd3yuFU7bKrvXh9v6lNqWhjkJePk8eTh/5O4cTuF/cB3wPcgjiC +24uyNI29lAVHS/+h0nVTdm0F1Fel8nwPkOLyRJUyEzWm8SX2rnwI3EegWaRyDohp +a1hmjHsCcpoxhQKCAQEAzizucnHqwxEQiMaJPUKBi3v3j+a/me3PfsY1760LdLVY +AcMuGr+wg2/e9d7jMvEIxlACng4aU2kKG0fOxS0G0e7AefB9DiwzexJ+pHu0R49p 
+PmkAoPl2+mAlfeqvwEJ4gQEH8hKoIEkU0XAPZfWMTlshCJgAyYYpsLlJl0f8ooa3 +4VRg3hjfWj+Z5pQryojN/Pfl4XRoM11xdaa79odvtptpN3KWxs9IhesM1o4mi4kC +Dd996iQpNau1bF6LHmEXJhbkEJ+SDXUDvEx6d3HYAFNPyWLe4DtJn38qb1gtuesZ +vGntToaAN12z4vJIj75vuduSJei8ceXcixYo1WZrywKCAQEAiz9avERRXpjwAChy +lB/++i4MnqKtBjy/0n3NzBndsfhQBwAGHU9FofkoOUKI43PO0iab4BWkDLciZ0Sd +3bX9dhHzPIcqgMJlZz78V3lKdUHHfokXOSOSzA1Ji4R5LMGyiE1xfFYPD3wl43FP +asBoWX+0bh0jrSStCl7OgB43TFXJ5k3Fv6Qt/2buy0GzUuV1p4ag33a99CVFVKGw +jom4m5ujs7gnYQ3+ixzlhilZ6O1jBaP4H5jHJyUpt22QuRczOISnj7FV/KJ6lk4n +OQdx3LQCmb2NrcwzrpdSVwXHjmwFEVhKLoEsd0wtQGSl3Tm4SS2naGBX+Ju/c5gv +iqZ/dQKCAQAzDJcByUkKgZgpdZcXjvcKdWhnvgek8mgVCLjkHmGexSQEU7J/twTa +loGLOWPiAiJdEASF5BIKoxB4jsAYvDxbEJWh27TrJHCewYaP7X1G1rCFXnRkZ0BZ +YCMIWWqo3Qx/TKUOACaWz+GStf9qDHFwGUpFmXVgcJK0Cjy5c36PM3ImHcFaXKg4 +7VSK7hclr9fpEexedXczeKiWK/GQahp0CWj07K9+jGZ1mix0l3/dvs++ZZ8EsW1u +t5RVP9eMbxfPO42+u/Pq1xVUs08DcjG8auRvhcaPmL5y+oakSR4RUa/uof+7GLx4 +eQAIalsjFFEPoNk//69hODvySEtWA2UfAoIBACGXYc0SuE9m2KxnxLiy4yEvDbw1 +3KO9Gwv+0iRaeCizdCTwaSu/weQrw9ddpfmeqdGhwsvH1S5WyFqtwsjS7abdj4cg +KJ3nuR1EDInFQcu9ii+T8MSTc64cPkJVIYHwYiwE2Whj+6F7KFc1mf33/zrivruT +6Mm1YJv11KkBDAaM4Bj37DQfCrYh6quxczCT827YX7Wuw9YGQZYZh/xzss0Tkfzm +LgHriX+8U7+rL24Fi+merhDhjO95NVkRSIDmg+pULaWkeDOyVxfLCIMmy7JByHW4 +fyDr/w1dfkx/yiV0xvkrfT+sOFmnMjfgMwmit3tfm7zkmkzNfmASugDPWjA= +-----END RSA PRIVATE KEY----- From 416cf990682226b1aa0cbbbd2ef2b967ae198a9d Mon Sep 17 00:00:00 2001 From: Derek Collison Date: Sun, 8 Nov 2015 11:11:03 -0800 Subject: [PATCH 11/13] larger buffer needed for info message --- test/maxpayload_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/maxpayload_test.go b/test/maxpayload_test.go index 29b027f6..829d82e3 100644 --- a/test/maxpayload_test.go +++ b/test/maxpayload_test.go 
@@ -34,12 +34,11 @@ func TestMaxPayload(t *testing.T) {
 if err != nil {
 t.Fatalf("Could not make a raw connection to the server: %v", err)
 }
- info := make([]byte, 200)
+ info := make([]byte, 512)
 _, err = conn.Read(info)
 if err != nil {
 t.Fatalf("Expected an info message to be sent by the server: %s", err)
 }
-
 pub := fmt.Sprintf("PUB bar %d\r\n", size)
 conn.Write([]byte(pub))
 if err != nil {
From b8af53e67a9e7fa87aaf5e59aaeede0451fceb82 Mon Sep 17 00:00:00 2001
From: Derek Collison
Date: Sun, 8 Nov 2015 14:20:01 -0800
Subject: [PATCH 12/13] Added in clustered TLS
---
 server/client.go | 24 ----------
 server/opts.go | 42 ++++++++++++-----
 server/route.go | 79 ++++++++++++++++++++++++++++----
 test/cluster_tls_test.go | 59 ++++++++++++++++++++++++
 test/configs/certs/srva-cert.pem | 31 +++++++++++++
 test/configs/certs/srva-key.pem | 51 +++++++++++++++++++++
 test/configs/certs/srvb-cert.pem | 31 +++++++++++++
 test/configs/certs/srvb-key.pem | 51 +++++++++++++++++++++
 test/configs/srv_a_tls.conf | 29 ++++++++++++
 test/configs/srv_b_tls.conf | 29 ++++++++++++
 10 files changed, 382 insertions(+), 44 deletions(-)
 create mode 100644 test/cluster_tls_test.go
 create mode 100644 test/configs/certs/srva-cert.pem
 create mode 100644 test/configs/certs/srva-key.pem
 create mode 100644 test/configs/certs/srvb-cert.pem
 create mode 100644 test/configs/certs/srvb-key.pem
 create mode 100644 test/configs/srv_a_tls.conf
 create mode 100644 test/configs/srv_b_tls.conf
diff --git a/server/client.go b/server/client.go
index d183c72b..37d26c26 100644
--- a/server/client.go
+++ b/server/client.go
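Review bot: Growing the buffer to 512 bytes keeps the same fragile pattern: a single `conn.Read` into a fixed slice assumes the whole INFO line arrives in one read and never outgrows the buffer, which is what the commit message says just broke. Reading up to the terminating line feed, e.g. `br := bufio.NewReader(conn)` then `_, err = br.ReadString('\n')`, removes the size guess. Separately, the context line `conn.Write([]byte(pub))` discards its result, so the `if err != nil` after it re-tests the stale value from `conn.Read`; `_, err = conn.Write([]byte(pub))` would make that check meaningful. TestMaxPayload starts and ends outside the hunk.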
@@ -220,30 +220,6 @@ func (c *client) traceOp(format, op string, arg []byte) { c.Tracef(format, opa) } -// Process the info message if we are a route. -func (c *client) processRouteInfo(info *Info) { - c.mu.Lock() - if c.route == nil { - c.mu.Unlock() - return - } - c.route.remoteID = info.ID - - // Check to see if we have this remote already registered. - // This can happen when both servers have routes to each other. - s := c.srv - c.mu.Unlock() - - if s.addRoute(c) { - c.Debugf("Registering remote route %q", info.ID) - // Send our local subscriptions to this route. - s.sendLocalSubsToRoute(c) - } else { - c.Debugf("Detected duplicate remote route %q", info.ID) - c.closeConnection() - } -} - // Process the information messages from Clients and other Routes. func (c *client) processInfo(arg []byte) error { info := Info{} diff --git a/server/opts.go b/server/opts.go index 0031dd6f..747dd1ba 100644 --- a/server/opts.go +++ b/server/opts.go @@ -41,6 +41,7 @@ type Options struct { ClusterUsername string `json:"-"` ClusterPassword string `json:"-"` ClusterAuthTimeout float64 `json:"auth_timeout"` + ClusterTLSConfig *tls.Config `json:"-"` ProfPort int `json:"-"` PidFile string `json:"-"` LogFile string `json:"-"` @@ -131,7 +132,7 @@ func ProcessConfigFile(configFile string) (*Options, error) { opts.MaxConn = int(v.(int64)) case "tls": tlsm := v.(map[string]interface{}) - if err := parseTLS(tlsm, opts); err != nil { + if opts.TLSConfig, err = parseTLS(tlsm); err != nil { return nil, err } } @@ -164,6 +165,12 @@ func parseCluster(cm map[string]interface{}, opts *Options) error { } opts.Routes = append(opts.Routes, url) } + case "tls": + var err error + tlsm := mv.(map[string]interface{}) + if opts.ClusterTLSConfig, err = parseTLS(tlsm); err != nil { + return err + } } } return nil 
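Review bot: The new `tls` case in parseCluster (hunk at -164,6) uses an unchecked assertion, `tlsm := mv.(map[string]interface{})`, so a config that writes `tls` as a string or boolean panics the server at startup instead of returning a parse error. parseTLS already uses the two-value form for every field, so the same style fits here: `tlsm, ok := mv.(map[string]interface{})` followed by `if !ok { return fmt.Errorf("error parsing cluster tls config, expected map") }`. The `tls` case in ProcessConfigFile (hunk at -131,7) carries the same unchecked assertion on its context line. parseCluster starts and ends outside the hunk.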
@@ -193,47 +200,47 @@ func parseAuthorization(am map[string]interface{}) authorization { } // Helper function to parse TLS configs. -func parseTLS(tlsm map[string]interface{}, opts *Options) error { +func parseTLS(tlsm map[string]interface{}) (*tls.Config, error) { tc := tlsConfig{} for mk, mv := range tlsm { switch strings.ToLower(mk) { case "cert_file": certFile, ok := mv.(string) if !ok { - return fmt.Errorf("error parsing tls config, expected 'cert_file' to be filename") + return nil, fmt.Errorf("error parsing tls config, expected 'cert_file' to be filename") } tc.certFile = certFile case "key_file": keyFile, ok := mv.(string) if !ok { - return fmt.Errorf("error parsing tls config, expected 'key_file' to be filename") + return nil, fmt.Errorf("error parsing tls config, expected 'key_file' to be filename") } tc.keyFile = keyFile case "ca_file": caFile, ok := mv.(string) if !ok { - return fmt.Errorf("error parsing tls config, expected 'ca_file' to be filename") + return nil, fmt.Errorf("error parsing tls config, expected 'ca_file' to be filename") } tc.caFile = caFile case "verify": verify, ok := mv.(bool) if !ok { - return fmt.Errorf("error parsing tls config, expected 'veridy' to be a boolean") + return nil, fmt.Errorf("error parsing tls config, expected 'verify' to be a boolean") } tc.verify = verify default: - return fmt.Errorf("error parsing tls config, unknown field [%q]", mk) + return nil, fmt.Errorf("error parsing tls config, unknown field [%q]", mk) } } // Now load in cert and private key cert, err := tls.LoadX509KeyPair(tc.certFile, tc.keyFile) if err != nil { - return fmt.Errorf("error parsing X509 certificate/key pair: %v", err) + return nil, fmt.Errorf("error parsing X509 certificate/key pair: %v", err) } cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]) if err != nil { - return fmt.Errorf("error parsing certificate: %v", err) + return nil, fmt.Errorf("error parsing certificate: %v", err) } // Create TLSConfig // We will determine the 
cipher suites that we prefer. @@ -253,8 +260,21 @@ func parseTLS(tlsm map[string]interface{}, opts *Options) error { if tc.verify == true { config.ClientAuth = tls.RequireAnyClientCert } - opts.TLSConfig = &config - return nil + // Add in CAs if applicable. + if tc.caFile != "" { + rootPEM, err := ioutil.ReadFile(tc.caFile) + if err != nil || rootPEM == nil { + return nil, err + } + pool := x509.NewCertPool() + ok := pool.AppendCertsFromPEM([]byte(rootPEM)) + if !ok { + return nil, fmt.Errorf("failed to parse root ca certificate") + } + config.RootCAs = pool + } + + return &config, nil } // MergeOptions will merge two options giving preference to the flagOpts diff --git a/server/route.go b/server/route.go index 60ec2c74..71934235 100644 --- a/server/route.go +++ b/server/route.go @@ -1,9 +1,11 @@ -// Copyright 2013-2014 Apcera Inc. All rights reserved. +// Copyright 2013-2015 Apcera Inc. All rights reserved. package server import ( + "bufio" "bytes" + "crypto/tls" "encoding/json" "fmt" "net" @@ -24,14 +26,14 @@ type connectInfo struct { Pedantic bool `json:"pedantic"` User string `json:"user,omitempty"` Pass string `json:"pass,omitempty"` - TLS bool `json:"ssl_required"` + TLS bool `json:"tls_required"` Name string `json:"name"` } const conProto = "CONNECT %s" + _CRLF_ // Lock should be held entering here. -func (c *client) sendConnect() { +func (c *client) sendConnect(tlsRequired bool) { var user, pass string if userInfo := c.route.url.User; userInfo != nil { user = userInfo.Username() 
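Review bot: In the hunk at -253,8 the CA bundle from `ca_file` is stored in `config.RootCAs`, which Go consults only when this process is the TLS client; on the accepting side peer certificates are checked against `ClientCAs`, and only if `ClientAuth` asks for verification. Because `verify` maps to `tls.RequireAnyClientCert` (context line just above the addition), a server or accepting route demands a certificate but never validates its chain, so a self-signed certificate satisfies it. I would also set `config.ClientCAs = pool` and use `tls.RequireAndVerifyClientCert` when `verify` is true. In addition, `if err != nil || rootPEM == nil { return nil, err }` returns `nil, nil` if the read succeeds with a nil slice, which callers would take as "no TLS configured"; that branch should return an explicit error. parseTLS begins outside this hunk.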
@@ -42,18 +44,43 @@ func (c *client) sendConnect() { Pedantic: false, User: user, Pass: pass, - TLS: false, + TLS: tlsRequired, Name: c.srv.info.ID, } b, err := json.Marshal(cinfo) if err != nil { Errorf("Error marshalling CONNECT to route: %v\n", err) c.closeConnection() + return } c.bw.WriteString(fmt.Sprintf(conProto, b)) c.bw.Flush() } +// Process the info message if we are a route. +func (c *client) processRouteInfo(info *Info) { + c.mu.Lock() + if c.route == nil { + c.mu.Unlock() + return + } + c.route.remoteID = info.ID + + // Check to see if we have this remote already registered. + // This can happen when both servers have routes to each other. + s := c.srv + c.mu.Unlock() + + if s.addRoute(c) { + c.Debugf("Registering remote route %q", info.ID) + // Send our local subscriptions to this route. + s.sendLocalSubsToRoute(c) + } else { + c.Debugf("Detected duplicate remote route %q", info.ID) + c.closeConnection() + } +} + // This will send local subscription state to a new route connection. // FIXME(dlc) - This could be a DOS or perf issue with many clients // and large subscription space. Plus buffering in place not a good idea. @@ -88,9 +115,11 @@ func (s *Server) createRoute(conn net.Conn, rURL *url.URL) *client { r := &route{didSolicit: didSolicit} c := &client{srv: s, nc: conn, opts: clientOpts{}, typ: ROUTER, route: r} - // Grab JSON info string + // Grab server variables. s.mu.Lock() info := s.routeInfoJSON + authRequired := s.routeInfo.AuthRequired + tlsRequired := s.routeInfo.TLSRequired s.mu.Unlock() // Grab lock 
@@ -101,18 +130,46 @@ func (s *Server) createRoute(conn net.Conn, rURL *url.URL) *client { c.Debugf("Route connection created") + // Check for TLS + if tlsRequired { + // Copy off the config to add in ServerName if we + tlsConfig := *s.opts.ClusterTLSConfig + + // If we solicited, we will act like the client, otherwise the server. + if didSolicit { + c.Debugf("Starting TLS route client handshake") + // Specify the ServerName we are expecting. + host, _, _ := net.SplitHostPort(rURL.Host) + tlsConfig.ServerName = host + c.nc = tls.Client(c.nc, &tlsConfig) + } else { + c.Debugf("Starting TLS route server handshake") + c.nc = tls.Server(c.nc, &tlsConfig) + } + + conn := c.nc.(*tls.Conn) + err := conn.Handshake() + if err != nil { + c.Debugf("TLS route handshake error: %v", err) + c.closeConnection() + return nil + } + // Rewrap bw + c.bw = bufio.NewWriterSize(c.nc, s.opts.BufSize) + } + // Queue Connect proto if we solicited the connection. if didSolicit { r.url = rURL c.Debugf("Route connect msg sent") - c.sendConnect() + c.sendConnect(tlsRequired) } // Send our info to the other side. s.sendInfo(c, info) // Check for Auth required state for incoming connections. - if s.routeInfo.AuthRequired && !didSolicit { + if authRequired && !didSolicit { ttl := secondsToDuration(s.opts.ClusterAuthTimeout) c.setAuthTimer(ttl) } @@ -295,14 +352,18 @@ func (s *Server) routeAcceptLoop(ch chan struct{}) { // StartRouting will start the accept loop on the cluster host:port // and will actively try to connect to listed routes. func (s *Server) StartRouting() { + // Check for TLSConfig + tlsReq := s.opts.ClusterTLSConfig != nil info := Info{ ID: s.info.ID, Version: s.info.Version, Host: s.opts.ClusterHost, Port: s.opts.ClusterPort, AuthRequired: false, - TLSRequired: false, - MaxPayload: MAX_PAYLOAD_SIZE, + TLSRequired: tlsReq, + SSLRequired: tlsReq, + TLSVerify: tlsReq, + MaxPayload: s.info.MaxPayload, } // Check for Auth items if s.opts.ClusterUsername != "" { 
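Review bot: `conn.Handshake()` is called with no deadline, so a peer that opens the route port and then goes silent keeps this call blocked for as long as the socket stays up. Bounding it, for example `conn.SetDeadline(time.Now().Add(ttl))` before the call and `conn.SetDeadline(time.Time{})` after it, with `ttl` taken from an existing timeout option, would fix that. The lock taken under `// Grab lock` at the end of the previous hunk is not released anywhere in the visible lines, so if `c.mu` is still held here the blocking handshake and the `c.closeConnection()` on the error path both need checking. `host, _, _ := net.SplitHostPort(rURL.Host)` also discards its error, which leaves `ServerName` empty for a route URL without a port. createRoute starts and ends outside the hunk.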
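Review bot: In the StartRouting hunk (-295,14), `TLSVerify: tlsReq` advertises certificate verification whenever a cluster `tls` block exists, whether or not that block set `verify`; from the visible lines the flag depends only on `s.opts.ClusterTLSConfig != nil`. If peers or operators read `TLSVerify` from the route INFO, deriving it from the config would be more accurate, e.g. `TLSVerify: tlsReq && s.opts.ClusterTLSConfig.ClientAuth != tls.NoClientCert`. A one-line comment saying why `SSLRequired` is populated alongside `TLSRequired` (presumably for older peers) would help the next reader. StartRouting continues outside the hunk.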
diff --git a/test/cluster_tls_test.go b/test/cluster_tls_test.go
new file mode 100644
index 00000000..4617dc4c
--- /dev/null
+++ b/test/cluster_tls_test.go
@@ -0,0 +1,59 @@
+// Copyright 2013-2015 Apcera Inc. All rights reserved.
+
+package test
+
+import (
+ "testing"
+ "time"
+
+ "github.com/nats-io/gnatsd/server"
+)
+
+func runTLSServers(t *testing.T) (srvA, srvB *server.Server, optsA, optsB *server.Options) {
+ srvA, optsA = RunServerWithConfig("./configs/srv_a_tls.conf")
+ srvB, optsB = RunServerWithConfig("./configs/srv_b_tls.conf")
+ return
+}
+
+func TestTLSClusterConfig(t *testing.T) {
+ srvA, srvB, _, _ := runTLSServers(t)
+ defer srvA.Shutdown()
+ defer srvB.Shutdown()
+
+ // Wait for the setup
+ time.Sleep(1 * time.Second)
+
+ if numRoutesA := srvA.NumRoutes(); numRoutesA != 1 {
+ t.Fatalf("Expected one route for srvA, got %d\n", numRoutesA)
+ }
+ if numRoutesB := srvB.NumRoutes(); numRoutesB != 1 {
+ t.Fatalf("Expected one route for srvB, got %d\n", numRoutesB)
+ }
+}
+
+func TestBasicTLSClusterPubSub(t *testing.T) {
+ srvA, srvB, optsA, optsB := runTLSServers(t)
+ defer srvA.Shutdown()
+ defer srvB.Shutdown()
+
+ clientA := createClientConn(t, optsA.Host, optsA.Port)
+ defer clientA.Close()
+
+ clientB := createClientConn(t, optsB.Host, optsB.Port)
+ defer clientB.Close()
+
+ sendA, expectA := setupConn(t, clientA)
+ sendA("SUB foo 22\r\n")
+ sendA("PING\r\n")
+ expectA(pongRe)
+
+ sendB, expectB := setupConn(t, clientB)
+ sendB("PUB foo 2\r\nok\r\n")
+ sendB("PING\r\n")
+ expectB(pongRe)
+
+ expectMsgs := expectMsgsCommand(t, expectA)
+
+ matches := expectMsgs(1)
+ checkMsg(t, matches[0], "foo", "22", "", "2", "ok")
+}
diff --git a/test/configs/certs/srva-cert.pem b/test/configs/certs/srva-cert.pem
new file mode 100644
index 00000000..5204be52
--- /dev/null
+++ b/test/configs/certs/srva-cert.pem
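Review bot: Both tests only show that two correctly configured servers form a route; neither shows that a route peer without TLS, or with a certificate not issued by `ca.pem`, is turned away, which is the property this commit adds. A negative test that connects to the cluster port (4244 in `srv_a_tls.conf`) in plaintext or with an untrusted key pair and expects `NumRoutes()` to stay unchanged would cover it. The fixed `time.Sleep(1 * time.Second)` in TestTLSClusterConfig, and the 500 ms sleep that PATCH 13/13 adds to TestBasicTLSClusterPubSub, are timing-dependent; polling `NumRoutes()` until a deadline is more reliable on slow CI. `runTLSServers` takes `t` but never uses it.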
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFYzCCA0ugAwIBAgIJAO+k4G7bNTyuMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoTCkFwY2VyYSBJbmMxEDAOBgNVBAsTB25hdHMuaW8xEjAQBgNVBAMTCWxv +Y2FsaG9zdDEcMBoGCSqGSIb3DQEJARYNZGVyZWtAbmF0cy5pbzAeFw0xNTExMDgy +MjA4MzBaFw0xOTExMDcyMjA4MzBaMBcxFTATBgNVBAMTDG5hdHMtY2x1c3RlcjCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM3qpumhhgGCKwQhy02XOueK +cDs6s79TyGt1Q9mFmO3ZZgowO0lo+qOlHgBfHBrMtZU4tQ4ImrYzLSw1YDd/6DAX +iyUmbzymRYCShF8gzr4v8OGt/M8zuha9L7TAGT+hE+remG6WVT1eYdo3VpwRCxhr +9ysgO23wkU9VggTBzSEhsxzkosppkKMe8llOwOXuZeweh17VsCDDGJqarZd3PRan +RbshQ7Dk4QTmXr8kpinVvwI7TpiEtaGPi8eeMYuJ3MBrSS5465p5ELYZo8GUD/lT +U/li9eUbSduHDlHjzmnRjcwxnJW8jksJs0OJimAjg0kjyd3Bwla5xtT9c3ooDyg0 +LRVV7KWAcVcLqLNvjNDJ3ROHDwzpg7wgwCMkZvp6KRiljonsHg36GMVhfh6JPxpD +5LmREK/dNBEzU6iYAEsBl4LihbREAUwdpkDNFOmox70VURHlMf0q3gBqBlooE9Ob +JadKjms+2yBEDuJQhO9hbbYJMifgdsE6DPQq57uLSZm8rKZHhIbQitVj/3Cw/U/7 +uYF2Z0biZz24nnOUATxeksnli5mbAZJRfcbVvILlcUorBwEerKGRnGrhE1rmaxJ2 +DsPbG1gtv9nyabYjSi2r8Qt3ghu+7KQujx6Wq8J4ext8QCjxz8VuQefv67kGsnTk ++/Yv8NI3AOb0tqxEk5wlAgMBAAGjPTA7MBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcE +fwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEL +BQADggIBAITQlXY4Sf3HvU9wnuKhrlTCqBBLkIQd5Vp9JKGZdtKLuK25KG0FkPEx +CWNQyBsKU6CXnP8L+n+7fcGN+Oz1hPtaczS+NExqWBpDELg5Fqi6TWgnhGBt34op +kI5/HjmyfrlA9Uy+uRh+ydoESi7B/svoaTroITbPN+WF3u7/unJkdqV9cTp4ndTr +iJCJXuXTQIqVAACfXmSpBi8oSJuE/MVCUdr7DPBB8jPDox1kpOZdEllyzp+4Bx3u +nGYxsRNyyIAH4fL9yyU9xJxN0fmNm8Xtc5EV89F4NM/qcVUQwcfNT/SyKnIIfovm +rs3It3mL+Pb8e+3SnDDfyXTOVIN94jMKaBXATB3vY/Ek1T+DkUZI0x/7llme580J +tTGK9O3yuRjyJsiG3echCwS5PkdPRf9+iqn/nHBF+f/GivB8MlQAxRNWajsKoOXF +nmLFcc0NpdPPKa4tH7dnLV9SbPDljuJn88W5I62DkJQwx/MnIL/xxn3CGVU/q7qt +k9DQVxAQaPoEPuQHLyHMkPibTV6tGCghAz+l4zerAbz1SklJ8nzqrkW1pf2hfZC6 +jJZAGs0vXIJ4tWCnHNnPZzqaIopXeB97wusWAByHkhDGtQAGBdOmWTm8Ev1QLTDP +8ZGSPsotfQArQc/Usd6pWo8m40cG0GZyP24zvXRf1/x2003owN2e +-----END CERTIFICATE----- 
diff --git a/test/configs/certs/srva-key.pem b/test/configs/certs/srva-key.pem
new file mode 100644
index 00000000..c530256d
--- /dev/null
+++ b/test/configs/certs/srva-key.pem
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAzeqm6aGGAYIrBCHLTZc654pwOzqzv1PIa3VD2YWY7dlmCjA7 +SWj6o6UeAF8cGsy1lTi1DgiatjMtLDVgN3/oMBeLJSZvPKZFgJKEXyDOvi/w4a38 +zzO6Fr0vtMAZP6ET6t6YbpZVPV5h2jdWnBELGGv3KyA7bfCRT1WCBMHNISGzHOSi +ymmQox7yWU7A5e5l7B6HXtWwIMMYmpqtl3c9FqdFuyFDsOThBOZevySmKdW/AjtO +mIS1oY+Lx54xi4ncwGtJLnjrmnkQthmjwZQP+VNT+WL15RtJ24cOUePOadGNzDGc +lbyOSwmzQ4mKYCODSSPJ3cHCVrnG1P1zeigPKDQtFVXspYBxVwuos2+M0MndE4cP +DOmDvCDAIyRm+nopGKWOieweDfoYxWF+Hok/GkPkuZEQr900ETNTqJgASwGXguKF +tEQBTB2mQM0U6ajHvRVREeUx/SreAGoGWigT05slp0qOaz7bIEQO4lCE72Fttgky +J+B2wToM9Crnu4tJmbyspkeEhtCK1WP/cLD9T/u5gXZnRuJnPbiec5QBPF6SyeWL +mZsBklF9xtW8guVxSisHAR6soZGcauETWuZrEnYOw9sbWC2/2fJptiNKLavxC3eC +G77spC6PHparwnh7G3xAKPHPxW5B5+/ruQaydOT79i/w0jcA5vS2rESTnCUCAwEA +AQKCAgA2EHEIkG81wC55JEJTuewuVMvI0U3WYzIQ/LX2y7vuXxEKhcVbLeP4yWaK +JG6lnq/iYQQwjhPI2MD4hX8gs0WMMvJGq8OzAdjnvBBjRaLijoXJSzxATs2CIOQA +qhs2+JzZIt6U0oXI2hoJCFSGH3dxTw+TVCAmam5MjR/ZDeVE2KtFX8ZaLMNcAMkS +p7m/5Qr/prhWLvbSc0bneMsxJI52fy6wxjgWntFxzuZ7eyzheQxwko+9PcLOi3jg +zWkmwOij4MdTG06IvVak6TB0p+JVzQoURWZYZATNTbV1zMEqSWnYfgIl0l7t1rsp +dVhOi6RxtKLQxYm36YkJ7Q2/ufrYU6FQhzxzv2LuYMIhXmX+KTzzFNQvi+JuDIGP +PghDflyepdGCgwyN8hZjiAm1ZHzEOHiHRlZHOTmctNlTF0XgQoGMV5HHixgUA8ZA +s8Q2FtBkvC8klVNoQpkZ2TLN3XaKAIGVru5Rb5vpxuylD/0EeFsoG5c/mIUIIC2v +fRpX2yZbkboepF0ivWiLTJ8jq0sjlTu6xnMITCxZH5fJ7MrP50V/VnpEQjj0AYZ6 +RwsrLTuy720HmHCYZXmiivDG91dRhduVq03dVN92QrJpFoyw1GByZn42YSVvlYVL +Ezmnc1PK6V3BkehydIN5AyC9TUPBwKRDTuAczGktkUFiPRmf9QKCAQEA9PVjomt4 +KGTVO73IgmEDi1CAvxb3egExIre6O0bN0JZO/PxXI0f4liD8DRo1XqKGlJGhNNQ5 +wF6RWihAr8jIggDIn2rRnuXL64/Bf+1lWFB+O2MWbsyodR5bdFkx+vySmWT3INz7 +89/N+RscxOV2/KQt52Ut8NoDeLHp9pV/+80GyDe1bcN0ORTgvGCUs4BdzRgJEE8d +wxDW9AhNNzHjXC0y9ncxjT9ond5xJF1LNQzVE58Z9Ya92Lfv7ARZ1B2DCaDdxcom +9ipooTEdETqIfPOkIiK8S+2EijSttil6lfw0Nhb99J1iYqWsqQJTU1jt7ST4CPwp +fJ3CUZWvES2yRwKCAQEA1zLAnYQE3T0OcMR0/4olxyOqi0dzU9Z71TqvaDfSdvU3 +3Z9cNeN5OZdihMTVF/PiJWmQcKAPG2h95Hni777UPtgSkv8MK589qjiW/ID6eO0G 
+GWoYYLB/wD8y5y0DwGsY+Gpo5CPWqfw89euLZOFbTWPlQU5ow18jWgxEf4uSYRR6 +rF1ABbiTcGNGEBmQ5Ws6gwbvlMS6/q+xWbyGynol2ATvaWjmkO6Cg6J94nJcn9IP +A49BC2tqUcZh7KmwTIPZ0vq837Cq65tJnw0RrzPK1oIdoWNoFnmhXGvtnlZK2H6K +9K5Hg7ht5EoolOtD9T31afslcSjD+eZ/k/RRp3IoMwKCAQEA27ENF8kc7dVpLHhM +USpi/FpJ7ZfSgjh5cfKncqxQwEdeNiS2nezZdQPGKpYb0XEgFDT8CJ5h4TavU9WQ +FleUBIxhYiByOflMx0qZt3sZDni6jdaTcvHYD5oXWaT5X2mQrURRI8ctrI5Hc6eu +SKSn73Pru4ESD9XnkSK3e7CfJRy/fWgBLp1CKkOgPzK7irWQ6vUog9kBD0aWEi0z +21HB4JSlBUjnRw/cauHqRTvqzHxiyYNCy+J5d9mXsuxACC4jrMn6vH5OLS7hwdeD +g0UkzjPRO9A9Yjd2TGFsflh7GfMkfHJody+D4odF8Bom0zSJxssGLUDCkIIImhUN ++vEp1wKCAQAj8vKCXb+CReTXqbnxxl4xOiAPTExTwQzGvhr3Sfv6q1Q9zZVV2z4x +BL0MeOUwLymkHlJmvhZH+diuBj6G1lYWeXoA3GJoFx3yBaoTXGh7Mv1F2Zdg75sn +vmb+f2KVDk8JkJ0dH2+Izf5RBpwuqgbaksmFc1fE62u4azw2Ila9qPIlQR6k1gSr +TaoynlK6QINxyALV01d5nFgAKaJKyMTxpUFpVoDNzUo4OzjUT05x1GF1ssSm57bH +GmDZbC9rWMtWl1Rd+eFToolV7JT7s6c61lmk0DpfJspx6gWz4a53JAyKe2Ku+mxB +KrJEzlh363XH0pCaqriyUnMVgEbztfpJAoIBAHgRnDGD7uFBJ1NQMAIXt4IyWHhY +NJP0B/jqLlSz6r7Z7diKcVdn85gvzKHNDGIGl8Ry7hLLKQY2IpV8DEUNAP5ZTafM +A5xRCa2M8h8Q/zg82SBsx7gepZxN6tdwp9p5jVrP5MXUliyL7QM0+STzhzd7Ao0N +gJMhxb7iS2BuU4YnT3tsm+ZkFeUTT6pbNHKVhlQ6OxxbzjKoQYlMhYRfdSEqGU2w +3XLRSv+gPtS+J0sJw40AvEw0E2tE67qqzglrJUh0kRSiVRhrnDpU+HHPR50jCPet +qlQC5+h0b3YZLd8Jql65m9pZA/Kbz3/dn+Ox56r0KnjWBDVwgKDWzOCgROw= +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/srvb-cert.pem b/test/configs/certs/srvb-cert.pem new file mode 100644 index 00000000..9976bc05 --- /dev/null +++ b/test/configs/certs/srvb-cert.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFYzCCA0ugAwIBAgIJAO+k4G7bNTyvMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoTCkFwY2VyYSBJbmMxEDAOBgNVBAsTB25hdHMuaW8xEjAQBgNVBAMTCWxv +Y2FsaG9zdDEcMBoGCSqGSIb3DQEJARYNZGVyZWtAbmF0cy5pbzAeFw0xNTExMDgy +MjA4MzdaFw0xOTExMDcyMjA4MzdaMBcxFTATBgNVBAMTDG5hdHMtY2x1c3RlcjCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMtmkDRmDs4DssN1lxzUNa8r +hXoddfOnaiUpZD54vu0gJqJ4qu9US5TPsAfVPsnKUvDCtZFrxKGpBbmFwnhuOJaM +UcQuq1n1VqhbVXI+v9Dm6qqj439kn79hq77F7jZHSM8Sdem3Qu7qZR5zosGgKgf3 +IvFEclk+WddSKB8udtTmrWlBgAUxdLmLZ5C5iSO2DLtWTo1rfzlDZP6ZYkeNgyUt +cHDolS6Mhi7NHiZedRovB13xHs6YA5zDx6i7s7wfypBmCIywLwU5dlewW2Bpueq5 +pbmqFk4TT8f0Ui6CEH+lqlMRpDuUtJmZjwx2kmxzsOpU/kTp76HF7gpiLpWZWfme +rjA9EiKJhrJYfp6tj2IrZ+4tsKBn4uWGG4Osx4quEfRR3fVBmOKlx9Lw6WPa9rvu +GzF61obs3D2gCeOK0qjocdvOWZ5jGBh7HVHOF4c+9H7CrVIMpgkkBgdz1KnkW6Oo +JXK8ZczHhwbLb+lAphe60vY0prXe2x6MSl0M+uVXtaewIlVjJZ9fVO7CGpZvviWl +9qzOlMUGmMayekpyYNv7zBvGJ/tlx76XG1N8KeGEq++lIPcNDVOXIp6ny93g6nRO +JNbBMOPaU/mfdo9Flz+1PibPinTKY5iT+w7c57ox9iOxtTrVI9SQrTlf0cRQGhzo +LddoXVD2i8mGCp/Kc0z1AgMBAAGjPTA7MBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcE +fwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEL +BQADggIBAB7avQgjetyggPL/DvyrdyygLnWm3Hg90vg5fecbV6W6TXDd122xyZdk +hZIXNts17u5yKreXYdzaeg4lKGTM/NFLVwsnmEjHAmqmwTSVfmh711NJGaKe8Lz7 +2Io5R/HzPQC2cvJ41lMxLowdAkFfdYQUFlzB2IJzq+QWzsFvTypYXb19T8JgpQvh +NYZjUkYmV1UxuHLiIeuLSm6osBADeVI5bjtD61oFAoS3W/UOYDWK+CgDkyFunDhb +fmwO6ibFmOzx3F+zS3mnlJPuFzlCtB9LrOHhoXnVR5o1e/eQD5LNPvydd0RznVbH +duQ8YGI8JC4/hOxg85X5MCWkMSZ41S4sT8rGpp0gF+jOCFwMwCHDe/zkm9y1F51j +wPfKfwxlD44V4KuPRl7Kf2NtTVjMf4iJ1Hm2OYqgFvjD5TybM7vMeuR4e1swOXMn +7GNjiJTNcEMUEIaB5zYjw/NI7DAvOsFQuxH2+X61N2AUe9YhC/PVG35lsuVFPOFy +zYBsonVb0CoSgrhc+NXGrIAcgEDZcgK8wii8/eVggOCfRl+gwbTJB10cS0AXVuj1 +RUwsIwK4xqynU/imLp/DG5TuEED9pHuxUSTwaZ8JG9ybYmZGyjdMNno4WJtNjnka +1zK861lEtsunus1Dm4zREdGBSZDKaRYSmjkfH+2kj8XnZrhpGn1v +-----END CERTIFICATE----- 
diff --git a/test/configs/certs/srvb-key.pem b/test/configs/certs/srvb-key.pem
new file mode 100644
index 00000000..1f6355ad
--- /dev/null
+++ b/test/configs/certs/srvb-key.pem
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAy2aQNGYOzgOyw3WXHNQ1ryuFeh1186dqJSlkPni+7SAmoniq +71RLlM+wB9U+ycpS8MK1kWvEoakFuYXCeG44loxRxC6rWfVWqFtVcj6/0ObqqqPj +f2Sfv2GrvsXuNkdIzxJ16bdC7uplHnOiwaAqB/ci8URyWT5Z11IoHy521OataUGA +BTF0uYtnkLmJI7YMu1ZOjWt/OUNk/pliR42DJS1wcOiVLoyGLs0eJl51Gi8HXfEe +zpgDnMPHqLuzvB/KkGYIjLAvBTl2V7BbYGm56rmluaoWThNPx/RSLoIQf6WqUxGk +O5S0mZmPDHaSbHOw6lT+ROnvocXuCmIulZlZ+Z6uMD0SIomGslh+nq2PYitn7i2w +oGfi5YYbg6zHiq4R9FHd9UGY4qXH0vDpY9r2u+4bMXrWhuzcPaAJ44rSqOhx285Z +nmMYGHsdUc4Xhz70fsKtUgymCSQGB3PUqeRbo6glcrxlzMeHBstv6UCmF7rS9jSm +td7bHoxKXQz65Ve1p7AiVWMln19U7sIalm++JaX2rM6UxQaYxrJ6SnJg2/vMG8Yn ++2XHvpcbU3wp4YSr76Ug9w0NU5cinqfL3eDqdE4k1sEw49pT+Z92j0WXP7U+Js+K +dMpjmJP7DtznujH2I7G1OtUj1JCtOV/RxFAaHOgt12hdUPaLyYYKn8pzTPUCAwEA +AQKCAgBJl7JVQxfYMj5buhASvjUuS/DfXglvPwOIrpE2iTmLUjaoUkCGl1lBXmOy +cdVl7W5U7h4Dn5plY2JO3bafHEIdNmffM4OL6NiR0Xn4+/sq+mGtm96UGTQzaoNZ +YwPtX51YTrWa+lOdXfF4Mx6QMAMFHsXlxX4aDBU1cuRRY95a6ZuUmb5YIqy49Vdj +Zb3YzeWNYozJXjuJ3HiOJbEJcoogyXAFaiGP1gg2psBh4Ys9Dgb8VmFvHlEwRyXW +RxOg3V/NHx24yYY5vbCzyXtGRvqdks4DfybS2OnkzuFtMmIFzUrzA08Iv6UYbhbz +y3LvCmzYXCgjhwDM53BZEW0Jc5K5uS980b2U7ETu8XLWz7DMHGyQq2YvnkH4hFEw +ZPCvQjTnqgVt3bzukyXFF6fHjhkK+BkifdEDBgKb00R8tGxy6+vDz+oa7mrgZBwC +RkzFLIca77JI/qdENlJplOFG0NnpHPhRobzy42/S9Bp5nSI4IgfAryeqn7SEDIOy +G1RkRn5pceCMGcV+YUTlAIMvJthEeNMXEcGHeFl5odXh808tMtyJ4eNlN2IqnPDs +R9z7YBEGVbVpO+UCVlqCWjlnU2D81122h6qJb40NjNGw7zbgVoc8N9XFDCaS31eX +nlN6B3nImgaos6O6JiFv7AGVm2Rq/kdKR3gnZ3g2dYLvXgFgAQKCAQEA5TLsBGPJ +BoBP+zNLD9K3EoTGvIGGI9Qo8ZMVfGTteiZ2+/t/6aeINql6oN6tWhXqFRtwWnyh +YO+88kcgecSkDP2RG6kSZHC6tckAEQCpHd8Rj/YeTKTvRBWF0lU5bmVCxLnY/tr3 +9H+lU3N5ggBbJk5Srk8WlR6YqxizfgwBj8RQ4PYf2XrNKYAT/2e0M9kQeM+Kq4IC +WxHB5vwOxUUcHEUHzp8yOsuiycLMnsPTMAaR2DcAh3WnHQp2hc7O5g3O0wvEjXtc +0qc1cP6Gi8fk/B5pkw4mrJ3vyQ0wChRfWJ1L/ieYY5sxTh5yj44AOo7jdEhLj2MO +WW9FtOluYxnZNQKCAQEA4y9edu2AGV/qPdYeuwVDp/6mqklprZWStZgZTsaVvml7 +nqOrND3qq7QFbOxRu5pqtbdDH8uM2vpNT8l/xlUbvcHazzbSNS1AlrqDHgGraonF 
+vXSahRjof056TAwYg22iSEjlHnbqldmJKAkSNeH3RAXRklgI7M/UStO0+DvvlSDX +17OopMUpiyEjQLXS7LM2KGhB3mchZbr975nUn8uXxoxLmyXm73uRnsEbf6x/rf29 +bOqqVGFz3lE9VCD4uzQ5FT2Kt1M6DU4i6LC3h0kj/iNWSyWfoO2+1uhwuXxgbmFO +VRKdUqbkGoehAtxzRlImxIqXx61nPRKEtIa2DrncwQKCAQEAzkDk445oeNE/KG8g +PT0CQkf6D+j/LX7e2YXi7+5jRmkW6euJUFrS2V3qXJoGperSm+v1T3iYQQN8pQoc +z3eFqasFyj57rqdDXhNjW+mcRqVWyJZS7eX+6uXzZzQKWq4FR8N24uFqATxdKpvf +3H01iWMyRGoniEngWRgBboyfWyDvJ4JVZwB7X71CQbSxFXdgu1cJEw4L0KhKNfLd +1+g5Q7dbLzVTnlViSO5j9PuEMNO4qznT4BKgMCIaRo+04JHMbV9JoYhCH88Y6HYj +3eYkyj0UBKHXa7806VhUwr1SkAv9Ntmq6Pffhs0fis/epNOxHBNy67XYU+Mud38Z +N1UrgQKCAQBrvF/42CJCZkjoMC18lT+DYHDbGltiNSdQtKNzxxrmJJG6JnWfHam2 +6XUVNXCBHfZy3EiZwGa4xbB6IN1WSbARKehBEgdXrnENyb86MKKAsHs0oCJS8f/3 +t1ipzaamVQx7aQ42h0Ax9epkMQEQymr/OB8tXlBFNT3AimssuQeh2eRh51IXaWSN +FRbprhArrcUGHoL2HEQrQSUBRhsd+GeugYOtPKkqcpgZCAypXD1kXotBJnvF7j0L +dc02ozgxVs+nMfshevdxrddCL+Oo5VeLQmi+1EXCBFzW/33NiJ0WW1DRaTVwJ7LO +nfkOKUsFUxoNZIgb6jCmNqz2C1g03ZFBAoIBAQC6Ct0yGkdI+aw6Ipu/4BLmb7jQ +QtYrAkb9CX/j+lEr2CZr0cFFELBU37YiD+suFh6lxl6rjJaYBQk33iUlnFPe7aad +Mf7BGZqJoDRTOhUvshHhkl4t+/Cw/RdAGBhYmCf8183bR8+rpIOfiRYRwsW4Sxv7 +7x9SjiCfJ8sZaBebXkCYUiQzrPr3WEBxKPfWlelBJFq/RMsiwvibYSlCcgNiyDik +b/xAPHeIBO4XgEnFP+5EDYV7nYTnDUlNUPEdzZiDTofyAJGEAdhh1SkOkULbFFeX +ECyNGJ4DRSTLXVx4YoFLks/W2IqOgv3mFea9kYu6dOV8BT+e0N46yc/GCGTu +-----END RSA PRIVATE KEY----- diff --git a/test/configs/srv_a_tls.conf b/test/configs/srv_a_tls.conf new file mode 100644 index 00000000..f56aa956 --- /dev/null +++ b/test/configs/srv_a_tls.conf 
@@ -0,0 +1,29 @@
+# Copyright 2012-2015 Apcera Inc. All rights reserved.
+
+# Cluster Server A
+
+port: 4222
+
+cluster {
+ host: '127.0.0.1'
+ port: 4244
+
+ tls {
+ # Route cert
+ cert_file: "./configs/certs/srva-cert.pem"
+ # Private key
+ key_file: "./configs/certs/srva-key.pem"
+
+ # Optional certificate authority verifying connected routes
+ # Required when we have self-signed CA, etc.
+ ca_file: "./configs/certs/ca.pem"
+ }
+
+ # Routes are actively solicited and connected to from this server.
+ # Other servers can connect to us if they supply the correct credentials
+ # in their routes definitions from above.
+
+ routes = [
+ nats-route://127.0.0.1:4246
+ ]
+}
diff --git a/test/configs/srv_b_tls.conf b/test/configs/srv_b_tls.conf
new file mode 100644
index 00000000..6dc268fc
--- /dev/null
+++ b/test/configs/srv_b_tls.conf
@@ -0,0 +1,29 @@
+# Copyright 2012-2015 Apcera Inc. All rights reserved.
+
+# Cluster Server B
+
+port: 4224
+
+cluster {
+ host: '127.0.0.1'
+ port: 4246
+
+ tls {
+ # Route cert
+ cert_file: "./configs/certs/srvb-cert.pem"
+ # Private key
+ key_file: "./configs/certs/srvb-key.pem"
+
+ # Optional certificate authority verifying connected routes
+ # Required when we have self-signed CA, etc.
+ ca_file: "./configs/certs/ca.pem"
+ }
+
+ # Routes are actively solicited and connected to from this server.
+ # Other servers can connect to us if they supply the correct credentials
+ # in their routes definitions from above.
+
+ routes = [
+ nats-route://127.0.0.1:4244
+ ]
+}
From 688f2a9f64740fe0a8e3e0373594bedada0d8c35 Mon Sep 17 00:00:00 2001
From: Derek Collison
Date: Sun, 8 Nov 2015 14:27:03 -0800
Subject: [PATCH 13/13] Give some time for TLS setup
---
 test/cluster_tls_test.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/test/cluster_tls_test.go b/test/cluster_tls_test.go
index 4617dc4c..3182f771 100644
--- a/test/cluster_tls_test.go
+++ b/test/cluster_tls_test.go
@@ -36,6 +36,9 @@ func TestBasicTLSClusterPubSub(t *testing.T) { defer srvA.Shutdown() defer srvB.Shutdown() + // Wait for the setup + time.Sleep(500 * time.Millisecond) + clientA := createClientConn(t, optsA.Host, optsA.Port) defer clientA.Close()