Add script to create demo certificate for SSL

build/exe/doliwamp/.cvsignore

@@ -1 +1,2 @@
 *.db
+ca_dolibarr.key

build/exe/doliwamp/builddemosslfiles.bat

@@ -0,0 +1,23 @@
+@echo off
+REM Launch Dolibarr demo SSL key generation
+REM ---------------------------------------
+
+REM Build private key
+WAMPROOT\bin\apache\apacheWAMPAPACHEVERSION\bin\openssl genrsa -out myserver.key 512
+
+REM Set permissions on file
+REM chmod 400 myserver.key
+
+REM Create CSR file
+WAMPROOT\bin\apache\apacheWAMPAPACHEVERSION\bin\openssl req -config openssl.conf -new -key myserver.key -out myserver.csr
+
+REM  Create empty dir and files
+echo 01 > tmp\serial
+touch tmp\index.txt
+touch tmp\index.txt.attr
+
+REM Certify request
+WAMPROOT\bin\apache\apacheWAMPAPACHEVERSION\bin\openssl ca -config openssl.conf -out myserver.crt -infiles myserver.csr
+
+REM Check everything is OK
+WAMPROOT\bin\apache\apacheWAMPAPACHEVERSION\bin\openssl verify -CAfile ca_demo_dolibarr.crt myserver.crt

build/exe/doliwamp/ca_demo_dolibarr.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICozCCAk2gAwIBAgIJALGFnnUnBWt7MA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV
+BAYTAkZSMQwwCgYDVQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMREwDwYDVQQKEwhE
+b2xpYmFycjEUMBIGA1UECxMLRG9saWJhcnIgQ0ExFjAUBgNVBAMTDURvbGliYXJy
+IHRlYW0wHhcNMDkwODE5MjMzNzEwWhcNMzcwMTA0MjMzNzEwWjBsMQswCQYDVQQG
+EwJGUjEMMAoGA1UECBMDSURGMQ4wDAYDVQQHEwVQYXJpczERMA8GA1UEChMIRG9s
+aWJhcnIxFDASBgNVBAsTC0RvbGliYXJyIENBMRYwFAYDVQQDEw1Eb2xpYmFyciB0
+ZWFtMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANZnbCPyab6x4BRWZbKc8zssC1Lt
+5DfrnOiUWNyw71AfW5Kvyk0RJIvjHLWz8+2kEqCmohjD0qo1ATQLotrx3BcCAwEA
+AaOB0TCBzjAdBgNVHQ4EFgQUjMdLdKeYrp9gvezCv+PTUdtrZrwwgZ4GA1UdIwSB
+ljCBk4AUjMdLdKeYrp9gvezCv+PTUdtrZryhcKRuMGwxCzAJBgNVBAYTAkZSMQww
+CgYDVQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMREwDwYDVQQKEwhEb2xpYmFycjEU
+MBIGA1UECxMLRG9saWJhcnIgQ0ExFjAUBgNVBAMTDURvbGliYXJyIHRlYW2CCQCx
+hZ51JwVrezAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAX9IDUlhFvorE
+dNxiWODKGsZy+UirzLwVZnEZNcgfOggL9VJfhqJcks+8nNflGHsWP8ciPb2itYEb
+teSYLelgaA==
+-----END CERTIFICATE-----

build/exe/doliwamp/ca_demo_dolibarr.key

@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBANZnbCPyab6x4BRWZbKc8zssC1Lt5DfrnOiUWNyw71AfW5Kvyk0R
+JIvjHLWz8+2kEqCmohjD0qo1ATQLotrx3BcCAwEAAQJBAI9D7G7YvPA/y4vLb4k6
+dw1DEQ4JCEaVmfOPrRFK6Z6PHGbEMPwOO4tKyZO4dOJXJ2cwLpfo7zZ3egvun7t3
+7wECIQDvPIbwMJKhOU3jTcyv8hJ07V9JWva7znZsMB7iUSydiQIhAOVtciL43Nfq
+EcglY7UwKFWYk9KpRfxkW28dUKu2/uSfAiBrp24FWaYx/Kpq9dB9AE6D5Wkyhkdv
+PboWdxT+vI56GQIhANo0RLjETm7AfZcJEJLUMZhvXDCgtCJ/ZIMCs6YNjtHrAiEA
+2odSzx9oUC00Ir7l5JeiUH/InpuU7Hd1Y/74OvaUYKM=
+-----END RSA PRIVATE KEY-----

build/exe/doliwamp/httpd.conf.install

@@ -51,7 +51,7 @@ ServerRoot "WAMPROOT/bin/apache/apache2.2.6"
 #
 #Listen 12.34.56.78:80
 Listen WAMPAPACHEPORT
-Listen 444
+Listen WAMPAPACHEPORTSSL
 
 #
 # Dynamic Shared Object (DSO) Support
@@ -156,7 +156,17 @@ ServerAdmin webmaster@localhost
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
-ServerName localhost:81
+ServerName localhost
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+#ServerTokens Prod
 
 #
 # DocumentRoot: The directory out of which you will serve your
@@ -505,4 +515,194 @@ SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>
 
-Include "WAMPROOT/alias/*"
+
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#
+#   Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl    .crl
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+#SSLPassPhraseDialog  builtin
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+#SSLSessionCache         "dbm:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache"
+#SSLSessionCache        "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
+#SSLSessionCacheTimeout  300
+
+#   Semaphore:
+#   Configure the path to the mutual exclusion semaphore the
+#   SSL engine uses internally for inter-process synchronization. 
+#SSLMutex  "file:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_mutex"
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:444>
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   General setup for the virtual host
+DocumentRoot "WAMPROOT/www/"
+ServerName localhost:444
+ServerAdmin admin@localhost
+ErrorLog "WAMPROOT/logs/apache_error_ssl.log"
+TransferLog "WAMPROOT/logs/apache_transfer_ssl.log"
+CustomLog "WAMPROOT/logs/apache_access_ssl.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+#   Server Certificate:
+#   Point SSLCertificateFile at a PEM encoded certificate.  If
+#   the certificate is encrypted, then you will be prompted for a
+#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
+SSLCertificateFile "WAMPROOT/server.crt"
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile "WAMPROOT/server.key"
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convinience.
+#SSLCertificateChainFile "WAMPROOT/server-ca.crt"
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#   Note: Inside SSLCACertificatePath you need hash symlinks
+#         to point to the certificate files. Use the provided
+#         Makefile to update the hash symlinks after changes.
+#SSLCACertificatePath "WAMPROOT/ssl.crt"
+#SSLCACertificateFile "WAMPROOT/ca-bundle.crt"
+
+#   Certificate Revocation Lists (CRL):
+#   Set the CA revocation path where to find CA CRLs for client
+#   authentication or alternatively one huge file containing all
+#   of them (file must be PEM encoded)
+#   Note: Inside SSLCARevocationPath you need hash symlinks
+#         to point to the certificate files. Use the provided
+#         Makefile to update the hash symlinks after changes.
+#SSLCARevocationPath "WAMPROOT/ssl.crl"
+#SSLCARevocationFile "WAMPROOT/ca-bundle.crl"
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+#<FilesMatch "\.(cgi|shtml|phtml|php)$">
+#    SSLOptions +StdEnvVars
+#</FilesMatch>
+#<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
+#    SSLOptions +StdEnvVars
+#</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is send or allowed to received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is send and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch ".*MSIE.*" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+</VirtualHost>  
+
+
+Include "WAMPROOT/alias/*"

build/exe/doliwamp/index.php.install

@@ -19,7 +19,9 @@ $appDir = '../apps/';
 
 // we set version of applications
 $phpVersion = 'WAMPPHPVERSION';
+if ($phpVersion != phpversion()) $phpVersion .= ' ('.phpversion().')';
 $apacheVersion = 'WAMPAPACHEVERSION';
+if ($apacheVersion != $_SERVER["SERVER_SOFTWARE"]) $apacheVersion .= ' ('.$_SERVER["SERVER_SOFTWARE"].')';
 $mysqlVersion = 'WAMPMYSQLVERSION';
 $apachePort = 'WAMPAPACHEPORT';
 

build/exe/doliwamp/openssl.conf

@@ -0,0 +1,90 @@
+####################################################################
+#                 Sample OpenSSL configuration file                #
+####################################################################
+
+RANDFILE		= C:\\dolibarr\\tmp\\.rnd
+
+[ ca ]
+default_ca	  = CA_default		# The default ca section
+
+[ CA_default ]
+dir           = C:\\dolibarr
+certs         = $dir\\certs             # Where the issued certs are kept
+crl_dir       = $dir\\crl               # Where the issued crl are kept
+database      = $dir\\tmp\\index.txt         # database index file.
+new_certs_dir = $dir\\tmp               # default place for new certs.
+certificate	  = $dir\\ca_demo_dolibarr.crt       # The CA certificate
+serial        = $dir\\tmp\\serial            # The current serial number
+crl           = $dir\\crl.pem           # The current CRL
+private_key   = $dir\\ca_demo_dolibarr.key      # The CA private key
+RANDFILE      = $dir\\tmp\\.rand             # private random number file
+
+x509_extensions  = usr_cert   # The extentions to add to the cert
+default_days     = 7300       # how long to certify for
+default_crl_days = 30         # how long before next CRL
+default_md       = md5        # which md to use.
+preserve         = no         # keep passed DN ordering
+policy	         = policy_anything
+
+####################################################################
+
+[ policy_anything ]
+countryName              = optional
+stateOrProvinceName      = optional
+localityName             = optional
+organizationName         = optional
+organizationalUnitName   = optional
+commonName               = supplied
+emailAddress             = optional
+
+####################################################################
+[ req ]
+default_bits         = 1024
+default_keyfile      = myserver.key
+distinguished_name   = req_distinguished_name
+attributes           = req_attributes
+x509_extensions      = v3_ca	# The extentions to add to the self signed cert
+string_mask          = nombstr
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = 
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Some-State
+localityName                    = Locality Name (eg, city)
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = MyCompany
+organizationalUnitName          = Organizational Unit Name (eg, section)
+organizationalUnitName_default  = Web administrators
+commonName                      = Common Name (eg, YOUR name)
+commonName_default              = Webmaster
+commonName_max                  = 64
+emailAddress                    = Email Address
+emailAddress_max                = 40
+
+[ req_attributes ]
+challengePassword      = A challenge password
+challengePassword_min  = 4
+challengePassword_max  = 20
+unstructuredName       = An optional company name
+
+[ usr_cert ]
+basicConstraints       = CA:FALSE
+nsComment              = "OpenSSL Generated Certificate"
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+[ v3_req ]
+basicConstraints       = CA:FALSE
+keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints       = CA:true
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always,issuer:always
+