From 2249e611f8cc5461238b270aedc161c07f76f6e1 Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@google.com>
Date: Wed, 19 Oct 2022 13:31:14 -0400
Subject: [PATCH 1/2] Add MD5 and SHA-1 server signatures

These correspond to the configurations deprecated by RFC 9155. I've
marked MD5 as "bad" because it really should have been out of clients by
now. I've marked SHA-1 as "dubious" for now because it's analogous to
TLS 1.0/1.1, and clients still support it for now (but hopefully not for
much longer).
---
 domains/misc/badssl.com/dashboard/sets.js |  2 ++
 domains/misc/badssl.com/index.html        |  5 +++++
 domains/server-signature/md5.conf         | 19 +++++++++++++++++++
 domains/server-signature/md5/index.html   | 12 ++++++++++++
 domains/server-signature/sha1.conf        | 19 +++++++++++++++++++
 domains/server-signature/sha1/index.html  | 12 ++++++++++++
 nginx-includes/tls-md5-signature.conf     | 10 ++++++++++
 nginx-includes/tls-sha1-signature.conf    | 10 ++++++++++
 8 files changed, 89 insertions(+)
 create mode 100644 domains/server-signature/md5.conf
 create mode 100644 domains/server-signature/md5/index.html
 create mode 100644 domains/server-signature/sha1.conf
 create mode 100644 domains/server-signature/sha1/index.html
 create mode 100644 nginx-includes/tls-md5-signature.conf
 create mode 100644 nginx-includes/tls-sha1-signature.conf

diff --git a/domains/misc/badssl.com/dashboard/sets.js b/domains/misc/badssl.com/dashboard/sets.js
index 1830574..d942319 100644
--- a/domains/misc/badssl.com/dashboard/sets.js
+++ b/domains/misc/badssl.com/dashboard/sets.js
@@ -37,6 +37,7 @@ var sets = [
       {subdomain: "dh512"},
       {subdomain: "dh1024"},
       {subdomain: "null"}
+      {subdomain: "md5-server-signature"},
     ]
   },
   {
@@ -50,6 +51,7 @@ var sets = [
       {subdomain: "cbc"},
       {subdomain: "3des"},
       {subdomain: "dh2048"}
+      {subdomain: "sha1-server-signature"},
     ]
   },
   {
diff --git a/domains/misc/badssl.com/index.html b/domains/misc/badssl.com/index.html
index c59403d..4fee6e1 100644
--- a/domains/misc/badssl.com/index.html
+++ b/domains/misc/badssl.com/index.html
@@ -110,6 +110,11 @@ <h2 id="key-exchange"><span class="emoji">🔑</span>Key Exchange</h2>
     <hr>
     <a href="https://static-rsa.{{ site.domain }}/" class="dubious"><span class="icon"></span>static-rsa</a>
   </div>
+  <div class="group">
+    <h2 id="server-signature"><span class="emoji">✒️</span>Server Signature</h2>
+    <a href="https://md5-server-signature.{{ site.domain }}/" class="bad"><span class="icon"></span>md5-server-signature</a>
+    <a href="https://sha1-server-signature.{{ site.domain }}/" class="dubious"><span class="icon"></span>sha1-server-signature</a>
+  </div>
   <div class="group">
     <h2 id="protocol"><span class="emoji">↔️</span>Protocol</h2>
     <a href="https://tls-v1-0.{{ site.domain }}:1010/" class="dubious"><span class="icon"></span>tls-v1-0</a>
diff --git a/domains/server-signature/md5.conf b/domains/server-signature/md5.conf
new file mode 100644
index 0000000..c55011a
--- /dev/null
+++ b/domains/server-signature/md5.conf
@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name md5-server-signature.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name md5-server-signature.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/wildcard-normal.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-md5-signature.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/server-signature/md5;
+}
diff --git a/domains/server-signature/md5/index.html b/domains/server-signature/md5/index.html
new file mode 100644
index 0000000..8f99dee
--- /dev/null
+++ b/domains/server-signature/md5/index.html
@@ -0,0 +1,12 @@
+---
+subdomain: md5-server-signature
+layout: page
+favicon: red
+background: red
+---
+
+<div id="content">
+  <h1 style="font-size: 10vw;">
+    {{ page.subdomain }}.{{ site.domain }}
+  </h1>
+</div>
diff --git a/domains/server-signature/sha1.conf b/domains/server-signature/sha1.conf
new file mode 100644
index 0000000..87afdef
--- /dev/null
+++ b/domains/server-signature/sha1.conf
@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name sha1-server-signature.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name sha1-server-signature.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/wildcard-normal.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-sha1-signature.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/server-signature/sha1;
+}
diff --git a/domains/server-signature/sha1/index.html b/domains/server-signature/sha1/index.html
new file mode 100644
index 0000000..5ed22bf
--- /dev/null
+++ b/domains/server-signature/sha1/index.html
@@ -0,0 +1,12 @@
+---
+subdomain: sha1-server-signature
+layout: page
+favicon: red
+background: red
+---
+
+<div id="content">
+  <h1 style="font-size: 10vw;">
+    {{ page.subdomain }}.{{ site.domain }}
+  </h1>
+</div>
diff --git a/nginx-includes/tls-md5-signature.conf b/nginx-includes/tls-md5-signature.conf
new file mode 100644
index 0000000..c1c741b
--- /dev/null
+++ b/nginx-includes/tls-md5-signature.conf
@@ -0,0 +1,10 @@
+---
+---
+
+ssl_session_timeout 5m;
+
+# Limit to TLS 1.2 and ECDHE-based cipher suites, where MD5 server signatures may apply.
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDSA+AESGCM:ECDHE:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
+ssl_prefer_server_ciphers on;
+ssl_conf_command SignatureAlgorithms RSA+MD5
diff --git a/nginx-includes/tls-sha1-signature.conf b/nginx-includes/tls-sha1-signature.conf
new file mode 100644
index 0000000..52bb112
--- /dev/null
+++ b/nginx-includes/tls-sha1-signature.conf
@@ -0,0 +1,10 @@
+---
+---
+
+ssl_session_timeout 5m;
+
+# Limit to TLS 1.2 and ECDHE-based cipher suites, where SHA-1 server signatures may apply.
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDSA+AESGCM:ECDHE:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
+ssl_prefer_server_ciphers on;
+ssl_conf_command SignatureAlgorithms RSA+SHA1

From 744d66fd0f156f57864bfb17dcf178bbfc77a564 Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@google.com>
Date: Mon, 24 Oct 2022 18:12:19 -0400
Subject: [PATCH 2/2] Add missing semicolons

---
 nginx-includes/tls-md5-signature.conf  | 2 +-
 nginx-includes/tls-sha1-signature.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/nginx-includes/tls-md5-signature.conf b/nginx-includes/tls-md5-signature.conf
index c1c741b..068c584 100644
--- a/nginx-includes/tls-md5-signature.conf
+++ b/nginx-includes/tls-md5-signature.conf
@@ -7,4 +7,4 @@ ssl_session_timeout 5m;
 ssl_protocols TLSv1.2;
 ssl_ciphers 'ECDSA+AESGCM:ECDHE:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
 ssl_prefer_server_ciphers on;
-ssl_conf_command SignatureAlgorithms RSA+MD5
+ssl_conf_command SignatureAlgorithms RSA+MD5;
diff --git a/nginx-includes/tls-sha1-signature.conf b/nginx-includes/tls-sha1-signature.conf
index 52bb112..2b11572 100644
--- a/nginx-includes/tls-sha1-signature.conf
+++ b/nginx-includes/tls-sha1-signature.conf
@@ -7,4 +7,4 @@ ssl_session_timeout 5m;
 ssl_protocols TLSv1.2;
 ssl_ciphers 'ECDSA+AESGCM:ECDHE:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
 ssl_prefer_server_ciphers on;
-ssl_conf_command SignatureAlgorithms RSA+SHA1
+ssl_conf_command SignatureAlgorithms RSA+SHA1;