Add expired-ocsp.badssl.com subdomain

This subdomain sends an expired stapled OCSP response, which triggers
an SSL error in Firefox (and soon in Chrome as well).

The OCSP response, certs/wildcard.expired-ocsp.der, was generated by running:

	openssl ocsp -issuer certs/wildcard.issuer.pem -cert certs/wildcard.normal.pem -url http://ocsp.comodoca.com -noverify -respout certs/wildcard.expired-ocsp.der

where certs/wildcard.issuer.pem contains the certificate that issued
certs/wildcard.normal.pem (i.e. the first intermediate certificate in
the chain).  http://ocsp.comodoca.com was taken from the OCSP field as
output by `openssl x509 -in certs/wildcard.normal.pem -noout -text`.

certs/wildcard.expired-ocsp.der will need to be regenerated whenever
wildcard.normal.pem is reissued.

Note that, at the time of this commit, certs/wildcard.expired-ocsp.der
is not yet expired, but will expire on Jun 8, 2015 at 09:38:45 UTC.

Author: AGWA

certs/cert-generator/cert-generator.sh

@@ -53,12 +53,30 @@ openssl x509 -req -days 730 -sha256 -CAcreateserial \
   -in badssl-wildcard.csr \
   -CA ../self-signed/badssl-intermediate.pem \
   -CAkey ../self-signed/badssl-intermediate.key \
+  -set_serial 01 \
   -extfile badssl-wildcard.conf \
   -extensions req_v3_usr \
   -out out.pem
 cat out.pem ../self-signed/badssl-intermediate.pem ../self-signed/badssl-root.pem > ../self-signed/wildcard.normal.pem
 echo
 
+echo "Generating expired OCSP response for BadSSL Default Certificate"
+printf "V\t\t\t01\t\t\n" > index.txt # 01 must match serial # of cert, as passed to -set_serial above
+echo "unique_subject = no" > index.txt.attr
+openssl ocsp \
+  -index index.txt \
+  -rsigner ../self-signed/badssl-intermediate.pem \
+  -rkey ../self-signed/badssl-intermediate.key \
+  -CA ../self-signed/badssl-intermediate.pem \
+  -issuer ../self-signed/badssl-intermediate.pem \
+  -CAfile ../self-signed/badssl-root.pem \
+  -serial 01 \
+  -nmin 1 \
+  -nrequest 1 \
+  -respout ../self-signed/wildcard.expired-ocsp.der
+rm index.txt index.txt.attr
+echo
+
 echo "Generating incomplete certificate chain"
 cp out.pem ../self-signed/wildcard.incomplete-chain.pem
 rm out.pem
@@ -69,6 +87,7 @@ openssl x509 -req -days $du2016 -sha1 -CAcreateserial \
   -in badssl-wildcard.csr \
   -CA ../self-signed/badssl-intermediate.pem \
   -CAkey ../self-signed/badssl-intermediate.key \
+  -set_serial 02 \
   -extfile badssl-wildcard.conf \
   -extensions req_v3_usr \
   -out out.pem
@@ -81,6 +100,7 @@ openssl x509 -req -days $du2017 -sha1 -CAcreateserial \
   -in badssl-wildcard.csr \
   -CA ../self-signed/badssl-intermediate.pem \
   -CAkey ../self-signed/badssl-intermediate.key \
+  -set_serial 03 \
   -extfile badssl-wildcard.conf \
   -extensions req_v3_usr \
   -out out.pem
@@ -96,6 +116,7 @@ if [ ! -f ../self-signed/wildcard.expired.pem ]
       -in badssl-wildcard.csr \
       -CA ../self-signed/badssl-intermediate.pem \
       -CAkey ../self-signed/badssl-intermediate.key \
+      -set_serial 04 \
       -extfile badssl-wildcard.conf \
       -extensions req_v3_usr \
       -out out.pem
@@ -110,6 +131,7 @@ echo "Self-signing BadSSL SHA-256 Certificate"
 openssl x509 -req -days 730 -sha256 -CAcreateserial \
   -in badssl-wildcard.csr \
   -signkey ../self-signed/badssl.com.key \
+  -set_serial 05 \
   -extfile badssl-wildcard.conf \
   -extensions req_v3_usr \
   -out out.pem
@@ -136,6 +158,7 @@ openssl x509 -req -days 730 -sha256 -CAcreateserial \
   -in rsa512.badssl-wildcard.csr \
   -CA ../self-signed/badssl-intermediate.pem \
   -CAkey ../self-signed/badssl-intermediate.key \
+  -set_serial 06 \
   -extfile badssl-wildcard.conf \
   -extensions req_v3_usr \
   -out out.pem
@@ -160,6 +183,7 @@ openssl x509 -req -days 730 -sha256 -CAcreateserial \
   -in rsa1024.badssl-wildcard.csr \
   -CA ../self-signed/badssl-intermediate.pem \
   -CAkey ../self-signed/badssl-intermediate.key \
+  -set_serial 07 \
   -extfile badssl-wildcard.conf \
   -extensions req_v3_usr \
   -out out.pem

certs/wildcard.expired-ocsp.der

@@ -164,6 +164,7 @@
     <a href="https://dh-small-subgroup.badssl.com/" class="more bad">dh-small-subgroup</a>
     <a href="https://dh-composite.badssl.com/" class="more bad">dh-composite</a>
     <a href="https://incomplete-chain.badssl.com/" class="more orange">incomplete-chain</a>
+    <a href="https://expired-ocsp.badssl.com/" class="more orange">expired-ocsp</a>
     <a href="https://very.badssl.com/" class="more dubious">very</a>
     <a href="https://rc4-md5.badssl.com/" class="more neutral">rc4-md5</a>
     <a href="http://http.badssl.com/" class="more neutral">http</a>

domains/misc/badssl.com/index.html

@@ -0,0 +1,20 @@
+server {
+  listen 80;
+  server_name expired-ocsp.badssl.com;
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name expired-ocsp.badssl.com;
+
+  include /var/www/badssl/nginx-includes/wildcard.normal.conf;
+  include /var/www/badssl/nginx-includes/tls-defaults.conf;
+  include /var/www/badssl/common/common.conf;
+
+  ssl_stapling on;
+  ssl_stapling_file /var/www/badssl/certs/wildcard.expired-ocsp.der;
+
+  root /var/www/badssl/domains/misc/expired-ocsp.badssl.com;
+}

domains/misc/expired-ocsp.badssl.com.conf

@@ -0,0 +1,40 @@
+<!doctype html>
+<html>
+<head>
+  <title>expired-ocsp.badssl.com</title>
+  <link rel="shortcut icon" href="/icons/favicon-orange.ico"/>
+  <link rel="apple-touch-icon" href="/icon-orange.png"/>
+  <style>
+    html, body {
+      background: rgb(243, 121, 46);
+
+      margin: 0;
+      padding: 0;
+
+      height: 100%;
+      display: -webkit-flexbox;
+      display: -ms-flexbox;
+      display: -webkit-flex;
+      display: flex;
+      -webkit-align-items: center;
+      align-items: center;
+      -webkit-justify-content: center;
+      justify-content: center;
+    }
+    h1 {
+      color: white;
+      text-align: center;
+      font-family: "Source Code Pro", Monaco, Consolas, "Courier New", monospace, Impact;
+      font-size: 5em;
+      font-size: 8vw;
+      text-shadow:
+        0 0 20px rgba(255, 255, 255, 0.5),
+        0 0 40px rgba(255, 255, 255, 0.5),
+        0 0 60px rgba(255, 255, 255, 0.5);
+    }
+  </style>
+</head>
+<body>
+    <h1>expired-ocsp.<br>badssl.com</h1>
+</body>
+</html>