this code is referenced from https://github.com/alexzorin/poc-cve-2018-16875
args:
- -inters 10 intermidiates certificates count
- -noserver only generate certificate, not start tls server
- -notgencert use current cert dir, not regenerate
- -domain DNS in certificate
- -port port for tls server to listen on
- ./tlsserver -inters 10 -noserver
- will just generate cert chain in current cert dir and the generate result is in cert dir
- cert/chains.pem is the certificate chain
- cert/key.pem is the entity key
- cert/key-ec.pem is the entity key with encode
- cert/root.pem is the root CA
- the bin file tlsserver is build on ubuntu 18.04
- just do
./tlsserver -inters 10 -domain localhost -port 4432
to start one tls server - then start one rustls client that use webpki to verify, to connect to this server
- when client not load cert/root.pem, the client will loop verify for long time as the intermidiates count incresase in webpki 0.22.0 and 0.22.1
- when client load cert/root.pem, then it will end with encount signatures limit in webpki 0.22.1 quickly
- root, rootKey, err = generateCert("mid", true, root, rootKey)
- when set every itermidiate cerificate's cn to the same name, will emit the bug
- At normal, set every intermidiate certificate's cn to different name, will not emit the bug
- but, openssl will always return verified failed inmedetely
- after generate cert, then exe update_os.sh to update root.pem to system cert store
- then exe command
- openssl s_client -showcerts -servername localhost -connect localhost:8423