mirrors/dragonfly
1
0
Fork 0
mirror of https://github.com/dragonflydb/dragonfly.git synced 2025-05-10 18:05:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
dragonfly/tools/local/gen-test-certs.sh
Roman Gershman 95cd9dfb4c
chore: update helio and improve our stack overflow resiliency (#4349) 
1. Run CI/Regression tests with HELIO_STACK_CHECK=4096.
   This will crash if a fiber stack usage goes below this limit.
2. Increase shard queue stack size to 64KB
3. Increase fiber stack size to 40KB on Debug builds.
4. Updated helio has some changes around the TLS socket code.
   In addition we add a helper script to generate self-signed certificates helpful for local development work.

Signed-off-by: Roman Gershman <roman@dragonflydb.io>
2024-12-23 08:13:45 +00:00

87 lines
2.8 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
set -e
SCRIPT_DIR=$(dirname "$0")
ROOT_DIR=$(readlink -f "$SCRIPT_DIR/../..")
GEN_DIR=$ROOT_DIR/genfiles/tls
# genfiles/tls/ca.{crt,key} Self signed CA certificate.
# genfiles/tls/dragonfly.{crt,key} A certificate with no key usage/policy restrictions.
# genfiles/tls/client.{crt,key} A certificate restricted for SSL client usage.
# genfiles/tls/server.{crt,key} A certificate restricted for SSL server usage.
: '
To run dragonfly use:
dragonfly --tls --tls_key_file ../genfiles/tls/server.key --tls_cert_file ../genfiles/tls/server.crt -requirepass pass
Or with CA (does not require password):
dragonfly --tls --tls_key_file ../genfiles/tls/server.key --tls_cert_file ../genfiles/tls/server.crt \
--tls_ca_cert_file ../genfiles/tls/ca.crt
To connect with client (without ca):
openssl s_client -state -crlf -connect 127.0.0.1:6379
With CA:
openssl s_client -state -crlf -CAfile ../genfiles/tls/ca.crt -cert ../genfiles/tls/client.crt -key ../genfiles/tls/client.key -connect 127.0.0.1:6379
Similarly, to connect with redis-cli (no CA):
redis-cli --tls --insecure -a pass
With CA:
redis-cli --tls --cacert ../genfiles/tls/ca.crt --cert ../genfiles/tls/client.crt --key ../genfiles/tls/client.key
memtier (without CA):
memtier_benchmark --tls --key ../genfiles/tls/client.key --cert ../genfiles/tls/client.crt -a pass
memtier (with CA):
memtier_benchmark --tls --key ../genfiles/tls/client.key --cert ../genfiles/tls/client.crt --cacert ../genfiles/tls/ca.crt
'
generate_cert() {
local name=$1
local cn="$2"
local opts="$3"
local keyfile=$GEN_DIR/${name}.key
local certfile=$GEN_DIR/${name}.crt
[ -f $keyfile ] || openssl genpkey -algorithm ED25519 -out $keyfile
openssl req -new -sha256 \
-subj "/O=Dragonfly Test/CN=$cn" \
-key $keyfile | \
openssl x509 \
-req -sha256 \
-CA $GEN_DIR/ca.crt \
-CAkey $GEN_DIR/ca.key \
-CAserial $GEN_DIR/ca.txt \
-CAcreateserial \
-days 365 \
$opts \
-out $certfile
}
mkdir -p $GEN_DIR
[ -f $GEN_DIR/ca.key ] || openssl genpkey -algorithm ED25519 -out $GEN_DIR/ca.key
# -x509: self-signed certificate, -nodes: no password
openssl req \
-x509 -new -nodes -sha256 \
-key $GEN_DIR/ca.key \
-days 3650 \
-subj '/O=Dragonfly Test/CN=Certificate Authority' \
-out $GEN_DIR/ca.crt
cat > $GEN_DIR/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_
generate_cert server "Server-only" "-extfile $GEN_DIR/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile $GEN_DIR/openssl.cnf -extensions client_cert"
generate_cert dragonfly "Generic-cert"
Reference in a new issue View git blame Copy permalink