Merge branch 'master' of https://github.com/chromium/badssl.com

* 'master' of https://github.com/chromium/badssl.com: (175 commits)
  Add (known|blocked)-interception.badssl.com tests (chromium#423)
  Update `10000-sans`. (chromium#420)
  Rename subdomain-no-sct.crt to subdomain-no-sct.pem
  Add missing common in sets.js
  Mark DHE as bad or dubious (chromium#398)
  Add `no-sct.badssl.com`. Addresses chromium#275. (chromium#409)
  Update chain for `subdomain-1000-sans.pem`. Closes chromium#383. (chromium#408)
  Update `subdomain-revoked.pem`. Addresses chromium#404. (chromium#410)
  Add page with 🔒 in title (chromium#388)
  Explicitly send the self-signed root for untrusted-root (chromium#397)
  [web-payment] Print API return values and exceptions in the footer. (chromium#392)
  Tweak formatting for client cert passwords (chromium#385)
  Add descriptions to the dashboard sections. (chromium#371)
  Remove hyphens from dh domain pages. Fixes chromium#379 (chromium#380)
  Add incomplete chain description in footer. (chromium#366)
  Fix redirect port for `tls-v1-2`. (chromium#362)
  Export environment variables in the Makefile (chromium#355)
  Flip cert chain order for wildcard-rsa4096.pem (chromium#353)
  Add EV certificate (chromium#352)
  Update subdomain-extended-validation.conf
  ...

Dockerfile

@@ -1,10 +1,11 @@
-# Start with Ubuntu 14.04 (LTS), and build badssl.com up from there
+# Start with Ubuntu 16.04 (LTS), and build badssl.com up from there
 FROM ubuntu:16.04
-MAINTAINER April King <april@twoevils.org>
+MAINTAINER April King <april@pokeinthe.io>
 EXPOSE 80 443
 RUN apt-get update && apt-get install -y \
     build-essential \
     git \
+    libffi-dev \
     make \
     nginx \
     ruby \

Makefile

@@ -1,10 +1,19 @@
+################ Definitions ################
+
+export TEST_DOMAIN = badssl.test
+export PROD_DOMAIN = badssl.com
+
 ################ Main ################
 
 # This should bring up a full test server in docker from a bare repo.
 # Certs are generated outside the docker container, for persistence.
 .PHONY: test
 test: certs-test docker-build docker-run
 
+# Convenience alias.
+.PHONY: serve
+serve: test
+
 # This should properly deploy from any state of the repo.
 .PHONY: deploy
 deploy: certs-prod jekyll-prod upload nginx
@@ -13,11 +22,11 @@ deploy: certs-prod jekyll-prod upload nginx
 
 .PHONY: jekyll-test
 jekyll-test:
-	DOMAIN="badssl.test" jekyll build
+	DOMAIN=${TEST_DOMAIN} jekyll build
 
 .PHONY: jekyll-prod
 jekyll-prod:
-	DOMAIN="badssl.com" jekyll build
+	DOMAIN=${PROD_DOMAIN} jekyll build
 
 ################ Certs ################
 
@@ -29,6 +38,8 @@ certs-test:
 	rm -rf common/certs/*.crt
 	cp certs/sets/current/gen/crt/ca-root.crt common/certs
 	cp certs/sets/current/gen/crt/ca-untrusted-root.crt common/certs
+	cp certs/sets/current/gen/crt/client.p12 common/certs/${TEST_DOMAIN}-client.p12
+	cp certs/sets/current/gen/crt/client.pem common/certs/${TEST_DOMAIN}-client.pem
 
 .PHONY: certs-prod
 certs-prod:
@@ -37,6 +48,8 @@ certs-prod:
 
 	rm -rf common/certs/*.crt
 	cp certs/sets/current/gen/crt/ca-untrusted-root.crt common/certs
+	cp certs/sets/current/gen/crt/client.p12 common/certs/${PROD_DOMAIN}-client.p12
+	cp certs/sets/current/gen/crt/client.pem common/certs/${PROD_DOMAIN}-client.pem
 
 .PHONY: clean-certs
 clean-certs:
@@ -57,7 +70,15 @@ install-keys:
 link:
 	if [ ! -d /var/www ]; then mkdir -p /var/www; fi
 	if [ ! -d /var/www/badssl ]; then ln -sf "`pwd`" /var/www/badssl; fi
-	if [ -f /etc/nginx/nginx.conf ] ; then sed -i '/Virtual Host Configs/a include /var/www/badssl/_site/nginx.conf;' /etc/nginx/nginx.conf; else @echo "Please add `pwd`/_site/nginx.conf to your nginx.conf configuration."; fi
+	# Add the badssl.conf include to /etc/nginx/nginx.conf only if it is not already in the config.
+	# If /etc/nginx/nginx.conf does not exist, instead warn the user that it must be manually added.
+	if [ -f /etc/nginx/nginx.conf ]; then \
+		if ! grep -q "include /var/www/badssl/_site/nginx.conf" /etc/nginx/nginx.conf; then \
+			sed -i '/# Virtual Host Configs/a\\tinclude /var/www/badssl/_site/nginx.conf;' /etc/nginx/nginx.conf; \
+		fi \
+	else \
+		@echo "Please add `pwd`/_site/nginx.conf to your nginx.conf configuration."; \
+	fi
 
 .PHONY: install
 install: install-keys link
@@ -85,7 +106,6 @@ docker-run:
 .PHONY: upload
 upload:
 	rsync -avz \
-		-e "ssh -i ${HOME}/.ssh/google_compute_engine" \
 		--exclude .DS_Store \
 		--exclude .git \
 		--exclude _site/domains-local-only \

README.md

@@ -1,14 +1,11 @@
-<center>
-  <a href="https://badssl.com/">
-    <img src="./badssl.png" width="472" />
-  </a>
-</center>
+<a href="https://badssl.com/">
+  <img src="./badssl.png" alt="" width="472" height="68">
+</a>
 
 Visit [`badssl.com`](https://badssl.com/) for a list of test subdomains, including:
 
 - [`self-signed.badssl.com`](https://self-signed.badssl.com)
 - [`expired.badssl.com`](https://expired.badssl.com)
-- [`sha1.badssl.com`](https://sha1.badssl.com)
 - [`mixed.badssl.com`](https://mixed.badssl.com)
 - [`rc4.badssl.com`](https://rc4.badssl.com)
 - [`hsts.badssl.com`](https://hsts.badssl.com)
@@ -19,21 +16,51 @@ Stock Ubuntu VM, DNS A records for `badssl.com.` and `*.badssl.com.` pointing to
 
 ### Testing and development
 
-Your user should be part of the `docker` group or otherwise permitted to access Docker.
+1. Follow the instructions to [install Docker.](https://www.docker.com/get-docker)
+2. Clone into the badssl repo by running `git clone https://github.com/chromium/badssl.com && cd badssl.com`.
+3. In order to access the various badssl subdomains locally you will need to add them to your [system hosts file](https://bencane.com/2013/10/29/managing-dns-locally-with-etchosts/). Run `make list-hosts` and copy and paste the output into `/etc/hosts`.
+4. Start Docker by running `make serve`.
+5. You can now navigate to `badssl.test` in your browser, and you should see a certificate error.
+6. The badssl root certificate is at `certs/sets/test/gen/crt/ca-root.crt`. In order to get the rest of the badssl subdomains working, you will need to add this to your machine's list of trusted certificates.
+    - On `macOS`, drag `certs/sets/test/gen/crt/ca-root.crt` into the login section of the program Keychain Access. A BadSSL Root Certificate Authority entry should appear in the list. Double-click on this entry and select "Always Trust" from the drop-down menu next to "Secure Sockets Layer (SSL)." Close the window to save your changes.
 
-    sudo apt-get update ; sudo apt-get install docker.io
-    git clone https://github.com/lgarron/badssl.com && cd badssl.com
+      If you are already familiar with this process, you can instead run this command:
 
-    make list-hosts # list of domains to copy into /etc/hosts
-    make test
+      ```sh
+      security add-trusted-cert -r trustRoot -p ssl \
+        -k "$HOME/Library/Keychains/login.keychain" certs/sets/test/gen/crt/ca-root.crt
+      ```
 
-Now you can visit `badssl.test` in your browser.
-The root CA is at `certs/sets/test/gen/crt/ca-root.crt`. If you'd like to preserve it even when you run `make clean`, run:
+7. In order to preserve the client and root certificates even after running `make clean`, run:
 
-    cd certs/sets/test
-    mkdir -p pregen/crt pregen/key
-    cp gen/crt/ca-root.crt pregen/crt/ca-root.crt
-    cp gen/key/ca-root.key pregen/key/ca-root.key
+```sh
+cd certs/sets/test
+mkdir -p pregen/crt pregen/key
+cp gen/crt/ca-root.crt pregen/crt/ca-root.crt
+cp gen/crt/client.crt pregen/crt/client.crt
+cp gen/crt/client-ca-root.crt pregen/crt/client-ca-root.crt
+cp gen/key/ca-root.key pregen/key/ca-root.key
+cp gen/key/client.key pregen/key/client.key
+cp gen/key/client-ca-root.key pregen/key/client-ca-root.key
+```
+
+## Acknowledgments
+
+badssl.com is hosted on Google Cloud infrastructure and co-maintained by:
+
+- [April King](https://github.com/april), Mozilla Firefox
+- [Lucas Garron](https://github.com/lgarron), formerly Google Chrome
+- [Chris Thompson](https://github.com/christhompson), Google Chrome
+
+Several public badssl.com certificates required special issuance processes. Most certificates were graciously issued for free, thanks to help from:
+
+- [Vincent Lynch](https://twitter.com/vtlynch), [The SSL Store](https://www.thesslstore.com/) (`sha1-2016`, `sha1-2017`)
+- [Richard Barnes](https://twitter.com/rlbarnes), Mozilla (`1000-sans`, `10000-sans`)
+- [Clint Wilson](https://twitter.com/clintw_), [DigiCert](https://www.digicert.com/) (most wildcards)
+- [Andrew Ayer](https://github.com/agwa), [SSLMate](https://sslmate.com/) (`invalid-expected-sct`)
+- [Rob Stradling](https://github.com/robstradling), [Comodo](https://www.comodo.com/) (`1000-sans`, `10000-sans`, `no-subject`, `no-common-name`, `sha1-intermediate`, `ѕрооғ`)
+
+Various subdomains and test pages are also implemented by [external contributors](https://github.com/chromium/badssl.com/graphs/contributors).
 
 ## Disclaimer
 

_layouts/page.html

@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
+  <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   {% if page.no-favicon %}<!-- No favicon -->{% else %}<link rel="shortcut icon" href="/icons/favicon-{{ page.favicon }}.ico"/>
   <link rel="apple-touch-icon" href="/icons/icon-{{ page.favicon }}.png"/>{% endif %}

_plugins/environment_variable.rb

@@ -6,6 +6,7 @@ class EnvironmentVariablesGenerator < Generator
 
     def generate(site)
       site.config['domain'] = ENV['DOMAIN'] || 'badssl.com'
+      site.config['prod'] = ENV['DOMAIN'] == ENV['PROD_DOMAIN']
       site.config['http-domain'] = ENV['HTTP_DOMAIN'] || 'http.badssl.com'
       site.config['serving-path'] = ENV['SERVING_PATH'] || '/var/www/badssl/_site'
 

certs/.gitignore

@@ -1,2 +1,6 @@
-/gen
-/src/crt/*.srl
+/src/crt/*.srl
+*.key
+sets/current
+sets/*/gen
+sets/*/pregen/crt
+sets/*/pregen/key