https
written Oct 2004 being revised May 2006
|
|
1 Secure http
https protocol is a special kind of http protocol in which the information being transferred is encrypted from (and to ?) the client. This is done by using an encryption algorithm.
http://www.pseudonym.org/ssl/ssl_intro.html provides a thorough overview.
2 tls
The tls package is used to send information over https. It is an extension if you like of http which does the encryption aspects. It is not currently bundled in ActiveState distribution as it is too new. Download the starkit vesrion from http://mini.net/sdarchive/#Packages . Put the starkit in the C:/Tcl/lib directory where other packages are kept. To load a starkit package it is necessary to invoke starkit itself first. starkit is able to unpack starkit packages and make their libraries available.
(bin) 6 % package require starkit
1.2
(bin) 7 % starkit::startup
sourced
(bin) 8 % source ../lib/tls.kit
(bin) 9 % package require tls
1.50
This means the tls package is now loaded and ready to go. As a test example the following url is sent to a SSL server.
(bin) 10 % set url1 https://www.2day.com/securecard/scConnect.cfm?ACCOUNTID=nas1891c1&scAMOUNT=1.00
(bin) 11 % http::register https 443 ::tls::socket
443 ::tls::socket
(bin) 12 % set token [http::geturl $url1 ]
::http::2
(bin) 13 % array get $token
This last command returns an array list of the data returned by the secure webserver.
The next issue is how to set up your webserver as SSL. To do this you need the OpenSSL libraries which can be got from http://www.slproweb.com/products/Win32OpenSSL.html
Download the latest win32_OpenSSLv?.?.?.exec . It installs in its own directory under C: drive. No useful documentation comes with this. The documentation is at http://www.openssl.org/docs/
Use openssl.exe to create a private key in RSA form
double click on C:/OpenSSL/bin/opensll.exe
this gives a Dos prompt console under openssl running in the C:/OpenSSL/bin directory though to seems to think it is in C:/OpenSSL by the look of the prompt.
>genrsa -des3 -out privkey.pem 2048
this then prompts for a password for the key (twice) due to the -des3 option being used. It puts a 2048 bit key in C:/OpenSSL/bin directory/privkey.pem
req -new -x509 -keyout /private/cakey.pem -out /cacert.pem -config openssl.cnf
3 Create self-signed certificate authorioty certificate
This replaces the private/cakey.pem which comes with the installation and is for some bods in AU.
req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -config openssl.cnf
PEM pass phrase: passwrd?2
NZ
Auckland
Waiheke
webscool.org
webscool
Common Name: webscool
webscool@ihug.co.nz
the openssl.cnf has cacert.pem in ./ rather than ./private like cakey.pem
4 Sambar Server on Windows
For the sambar server operation a simple approach is to create a self-signed certificate authority certificate.
>genrsa -out key.pem
>req -x509 -nodes -new -key key.pem -out cert.pem -config openssl.cnf -days 1095
this places a private key in the file C:/OpenSSL/bin/key.pem.
openssl has trouble finding the config file openssl.cnf under windows and needs help
You are then prompted for a series of fields:
Country name - 2 letter code : NZ
State or Province: Auckland
Locality: Waiheke
Organisation: webscool.org
Organisational Unit: Web Development
Common Name: 203.173.198.26 - this was the dynamic address at the time - needs to be the server domain name
email address: webscool@ihug.co.nz
(challenge Password: passwrd?2
optional company name: webscool)
this creates C:/OPenSSL/bin/cert.pem
you can alternatively do a password version genrsa -des3, and no -nodes option.
5 Apache Server on Linux
The reference for this is http://slacksite.com/apache/certificate.html
This is similar to sambar, so second time round we take the opportunity to use a more secure key and certificate.
>genrsa -des3 -rand Paul1001s.jpg -out server.key 1024
where the file is a pic of me which I copied into the OpenSSL/bin directory. You can have a :-list of files. You can put a couple of obscure files someplace. These serve as encryption keys which it should be impossible for anyone else to find. Triple DES encryption is used requiring a password. This password must be entered everytime the server is restarted.
To generate a certificate request to be sent to a certificate authority use:
req -new -key server.key -out server.csr -config openssl.cnf
A sample CSR generation session is shown below, with sample responses shown in bold:
# openssl req -new -key server.key -out server.csr
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:Enter pass phrase here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Hampshire
Locality Name (eg, city) []:Nashua
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Domain.com, Inc.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:www.domain.com
Email Address []:webmaster@domain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
These files are moved to sambar50/config dir
The "Run https server" option needs to be set in the config system.
That was a kind of dry run.
We can create a test certificate authority with the following:
> genrsa -out key.pem
> req -x509 -nodes -out cert.pem -key key.pem -new -config C:/OpenSSL/bin/openssl.cnf -days 1095
The common name must be the domain name for the server.
6 Full certified key
©2000 - 2006 WEBSCOOL This page last updated 19 May 2006. All rights reserved - including copying or distribution of any portion of this document in any form or on any medium without authorisation. For more regarding the copyright. 