Security/DNSSEC-TLS-nginx

From MozillaWiki
< Security
Revision as of 18:07, 22 July 2011 by Dkeeler (talk | contribs)
Jump to navigation Jump to search

This page details how to set up a virtual machine running a modified version of nginx that uses a self-signed certificate with the DNSSEC TLS extension to authenticate https sessions.

  1. Set up a linux VM and enable a host-only network adapter so you can talk to it as well as a NAT'd adapter so it can talk to the internet (outside the scope of this article)
  2. In that VM, do the following:
  3. Install and set up bind9:
    1. 'apt-get install bind' or bind9 or something
    2. Set up keys and zone files (see here, except using dnssec-keygen and dnssec-signzone instead of zonesigner) (NB: for testing purposes, you'll probably want to create an entire fake hierarchy, including root keys. Whatever your root key is, it'll have to be trusted by your client program. For firefox, this means modifying root_keys in security/dnssec/rootkeys.h (the plural there is unintentional and should probably be changed)).
    3. Make a self-signed certificate
    4. Make a TLSA record using cert2tlsa.sh (and put this in your zone file)
    5. Sign the zones
    6. Start the server
  4. Get sources:
    1. ldns-1.6.10.tar.gz
    2. nginx-1.0.4.tar.gz (not the most recent version - I'll update the patch against it when I get a chance)
    3. openssl-1.0.0d.tar.gz
  5. Get patches:
    1. nginx-1.0.4-dnssectls.patch
    2. openssl-1.0.0d-dnssectls.patch
  6. Install a local copy of ldns:
    1. Untar the archive and cd to the directory
    2. Run './configure --disable-gost --prefix=$HOME/local'
    3. Run 'make', 'make install'
  7. Use generate.c to make a dnssec chain
  8. Install a local copy of openssl:
    1. Untar the archive and cd to the directory
    2. Apply the patch
    3. Run './config', 'make'
  9. Build nginx:
    1. Untar the archive and cd to the directory
    2. Apply the patch
    3. Run './configure --with-openssl=$HOME/openssl-1.0.0d --with-http_ssl_module --without-http_rewrite_module --prefix=`pwd`', 'make'
  10. Make sure you don't have other webservers running on the machine (Ubuntu seems to have one by default)
  11. Put the paths to the appropriate certificate files in conf/nginx.conf (i.e. the certificate indicated by the TLSA record)
  12. Put the path to the appropriate dnssec chain file in conf/nginx.conf (created using generate.c, above)
  13. Start nginx: 'sudo ./obj/nginx'
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/DNSSEC-TLS-nginx&oldid=332475"