#
# a test server for testing IO::Socket::SSL-class's behavior
use strict;
use warnings;
use IO::Socket::SSL;
use Getopt::Long qw(:config posix_default bundling);
use Digest::MD5 'md5_hex';
my ($cert_file,$key_file,$key_pass,$ca,$http);
GetOptions(
'd|debug:i' => \$IO::Socket::SSL::DEBUG,
'h|help' => sub { usage() },
'C|cert=s' => \$cert_file,
'K|key=s' => \$key_file,
'P|pass=s' => \$key_pass,
'ca=s' => \$ca,
'http' => \$http,
) or usage("bad option");
sub usage {
print STDERR "Error: @_\n" if @_;
print STDERR <<USAGE;
Usage: $0 [options] ip:port
ip:port - where to listen
Options:
-d|--debug [level] enable debugging with optional debug level
-h|--help this help
-C|--cert cert-file file containing certificate
-K|--key key-file file containing private key, default cert-file
-P|--pass passphrase passphrase for private key, default none
--ca dir|file request a client certificate and use given dir/file as
trusted CA store to verify it
--http work as tiny HTTP server
USAGE
exit(2);
}
my $addr = shift(@ARGV) or usage("no listen address given");
@ARGV and usage("too much arguments");
$cert_file or usage("no certificate given");
$key_file ||= $cert_file;
my $server = IO::Socket::IP->new(
Listen => 5,
LocalAddr => $addr,
ReuseAddr => 1,
) or die "failed to create SSL server at $addr: $!";
my $ctx = IO::Socket::SSL::SSL_Context->new(
SSL_server => 1,
SSL_cert_file => $cert_file,
SSL_key_file => $key_file,
defined($key_pass) ? ( SSL_passwd_cb => sub { $key_pass } ):(),
$ca ? (
SSL_verify_mode => SSL_VERIFY_PEER,
-d $ca ? ( SSL_ca_path => $ca ):( SSL_ca_file => $ca, SSL_client_ca_file => $ca )
):(),
) or die "cannot create context: $SSL_ERROR";
while (1) {
warn "waiting for next connection.\n";
my $cl = $server->accept or do {
warn "failed to accept: $!\n";
next;
};
IO::Socket::SSL->start_SSL($cl,
SSL_server => 1,
SSL_reuse_ctx => $ctx,
SSL_startHandshake => 0
) or do {
warn "ssl handshake failed: $SSL_ERROR\n";
next;
};
my $ja3;
$cl->set_msg_callback(\&msgcb, \$ja3);
$cl->accept_SSL() or do {
warn "failed SSL handshake: $SSL_ERROR\n";
next;
};
my $info = "cipher=".$cl->get_cipher
. " version=".$cl->get_sslversion
. " ja3=".md5_hex($ja3)." $ja3";
if ( $cl->peer_certificate ) {
warn "new SSL connection with client certificate\n".
"\tsubject=".$cl->peer_certificate('subject')."\n".
"\tissuer=".$cl->peer_certificate('issuer')."\n".
$info."\n";
} else {
warn "new SSL connection without client certificate\n".
$info."\n";
}
if ($http) {
sysread($cl, my $buf, 8192);
$buf =~s{\n\r?\n.*}{\n}s;
$info =~s{\b\w+=}{\n$&}mg;
$info .= "\n\n-------\n\n$buf";
print $cl "HTTP/1.0 200 ok\r\n".
"Content-type: text/plain\r\n".
"Content-length: ".length($info)."\r\n".
"\r\n".
$info;
} else {
print $cl "connect with $info\n";
}
}
sub msgcb {
my ($self, $direction, $ssl_ver, $content_type, $buf, $len, $ssl, $ja3_r) = @_;
$content_type == 22 or return; # TLS handshake
# 1 byte: msg type
# 3 byte: length
(my $msg_type, $buf) = unpack('c x3 a*', $buf);
if ($msg_type == 1) { # Client Hello
$self->set_msg_callback(undef); # no need to look further
my %grease = map { $_ =>1 } (
0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa,
);
# 2 byte: protocol version
# 32 byte: random
# 1/.. : session id
# 2/... : cipher suites
# 1/... : compression methods
# 2/... : extensions
my ($ver, $ciphers, $ext) = unpack("n x32 c/x n/a c/x n/a", $buf);
my @ciphers = grep { !$grease{$_} } unpack("n*", $ciphers);
my (@ext, @elliptic_curve, @elliptic_curve_point_format);
while (length($ext)>2) {
# 2 byte: extension value
# 2|... : extension data
(my $ext_val, my $ext_data, $ext) = unpack("n n/a a*", $ext);
next if $grease{$ext_val};
push @ext, $ext_val;
if ($ext_val == 0x0a) {
# Elliptic curve points
@elliptic_curve = unpack("x2 n*", $ext_data);
} elsif ($ext_val == 0x0b) {
# Elliptic curve point formats
@elliptic_curve_point_format = unpack("x c*", $ext_data);
}
}
$$ja3_r = join(",",
$ver,
join("-", @ciphers),
join("-", @ext),
join("-", @elliptic_curve),
join("-", @elliptic_curve_point_format),
);
}
}
|