badssl.com is a chromium project that provide various configuration permutations of SSL to enable easier development and testing.
A useful configuration used throughout this repo is:
- Self-signed: https://self-signed.badssl.com
The certificate can be extracted via:
- Run the command:
echo | openssl s_client -servername self-signed.badssl.com -connect self-signed.badssl.com:443
- Extract content within and including the following tags:
-----BEGIN CERTIFICATE-----and-----END CERTIFICATE----
$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
$ openssl rsa -passin pass:x -in server.pass.key -out server.key
$ rm server.pass.key
$ openssl req -new -key server.key -out server.csr
Country Name (2 letter code) []:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) []:
Organization Name (eg, company) []:Buildpacks
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:secure.local
Email Address []:root@jromero.codes
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crtManually: https://tosbourn.com/getting-os-x-to-trust-self-signed-ssl-certificates/
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certs/badssl.pemAlternatively,
mkdir -p ~/.docker/certs.d/
cp certs/badssl.pem ~/.docker/certs.d/badssl.crtscreen ~/Library/Containers/com.docker.docker/Data/vms/0/ttyStopped working in 2.3.0.4
OR
docker run -it --rm --privileged --pid=host justincormack/nsenter1NOTE: To work within the docker VM filesystem:
chroot /containers/services/docker/rootfs
On macOS, when a user installs a self-signed cert at the system level does this satisfy the following?
- Requests from
pack? ✅ - Requests from within a docker container?
- ... with network=
bridged? ❌ - ... with network=
host? ❌
- ... with network=
Running update-ca-certificates yields the following change:
└── etc
└── ssl
└── certs
├── badssl.pem → /usr/local/share/ca-certificates/badssl.crt # link with changed extension .pem`
├── c275f070.0 → badssl.pem # link as hashed by http://manpages.ubuntu.com/manpages/focal/en/man1/c_rehash.1ssl.html
└── ca-certificates.crt # cert concatenated into this file
Important:
c275f070.0is required for OpenSSL when configured with onlyCAPath.
- It is the same contents (typically a link to the original file) with a specific name based on a hashing algorithm.
- Explanation of hash algo
To test these solutions you should be able to run:
echo | openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -servername self-signed.badssl.com -connect self-signed.badssl.com:443 | grep VerifOR
wget -O - https://self-signed.badssl.comecho | openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -servername google.com -connect google.com:443 | grep VerifExtending the builder allows for more specific (and preferred) forms installation of CA certs.
./extended-builder/extend.sh gcr.io/paketo-buildpacks/builder:base extended-builderTo verify:
docker run -it --rm extended-builder /bin/bash
echo | openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -servername self-signed.badssl.com -connect self-signed.badssl.com:443 | grep VerifOn a debian based image, users are able to mount a directory with preconfigured contents of /etc/ssl/certs.
The following command will overwrite the /etc/ssl/certs with the contents of certs.
docker run --volume="${PWD}/certs:/etc/ssl/certs:rw" -it --rm gcr.io/paketo-buildpacks/builder:base /bin/bashTo verify:
echo | openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -servername self-signed.badssl.com -connect self-signed.badssl.com:443 | grep VerifPrerequisite: cert is installed at the OS level.
- For macOS:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certs/badssl.pem - For Windows: https://support.kaspersky.com/CyberTrace/1.0/en-US/174127.htm
The following command will overwrite the /etc/ssl/certs and /usr/share/ca-certificates/ with the contents of the docker VM. The docker VM inherits system certificates. Effectively this command inherits all system certs.
NOTE: This is only possible when the directories
/etc/and/usr/not being shared by the host.
docker run --volume="/etc/ssl/certs:/etc/ssl/certs:ro" --volume="/usr/share/ca-certificates/:/usr/share/ca-certificates/:ro" -it --rm gcr.io/paketo-buildpacks/builder:base /bin/bashTo verify:
echo | openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -servername self-signed.badssl.com -connect self-signed.badssl.com:443 | grep Verif