httpswritten Oct 2004 being revised May 2006
(bin) 6 % package require starkit 1.2 (bin) 7 % starkit::startup sourced (bin) 8 % source ../lib/tls.kit (bin) 9 % package require tls 1.50This means the tls package is now loaded and ready to go. As a test example the following url is sent to a SSL server.
(bin) 10 % set url1 https://www.2day.com/securecard/scConnect.cfm?ACCOUNTID=nas1891c1&scAMOUNT=1.00 (bin) 11 % http::register https 443 ::tls::socket 443 ::tls::socket (bin) 12 % set token [http::geturl $url1 ] ::http::2 (bin) 13 % array get $tokenThis last command returns an array list of the data returned by the secure webserver. The next issue is how to set up your webserver as SSL. To do this you need the OpenSSL libraries which can be got from http://www.slproweb.com/products/Win32OpenSSL.html Download the latest win32_OpenSSLv?.?.?.exec . It installs in its own directory under C: drive. No useful documentation comes with this. The documentation is at http://www.openssl.org/docs/ Use openssl.exe to create a private key in RSA form double click on C:/OpenSSL/bin/opensll.exe this gives a Dos prompt console under openssl running in the C:/OpenSSL/bin directory though to seems to think it is in C:/OpenSSL by the look of the prompt.
>genrsa -des3 -out privkey.pem 2048
this then prompts for a password for the key (twice) due to the -des3 option being used. It puts a 2048 bit key in C:/OpenSSL/bin directory/privkey.pem
req -new -x509 -keyout /private/cakey.pem -out /cacert.pem -config openssl.cnf
req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -config openssl.cnf PEM pass phrase: passwrd?2 NZ Auckland Waiheke webscool.org webscool Common Name: webscool email@example.com openssl.cnf has cacert.pem in ./ rather than ./private like cakey.pem
>genrsa -out key.pem >req -x509 -nodes -new -key key.pem -out cert.pem -config openssl.cnf -days 1095this places a private key in the file C:/OpenSSL/bin/key.pem.
Country name - 2 letter code : NZ State or Province: Auckland Locality: Waiheke Organisation: webscool.org Organisational Unit: Web Development Common Name: 220.127.116.11 - this was the dynamic address at the time - needs to be the server domain name email address: firstname.lastname@example.org (challenge Password: passwrd?2 optional company name: webscool)this creates C:/OPenSSL/bin/cert.pem you can alternatively do a password version genrsa -des3, and no -nodes option.
>genrsa -des3 -rand Paul1001s.jpg -out server.key 1024where the file is a pic of me which I copied into the OpenSSL/bin directory. You can have a :-list of files. You can put a couple of obscure files someplace. These serve as encryption keys which it should be impossible for anyone else to find. Triple DES encryption is used requiring a password. This password must be entered everytime the server is restarted. To generate a certificate request to be sent to a certificate authority use:
req -new -key server.key -out server.csr -config openssl.cnfA sample CSR generation session is shown below, with sample responses shown in bold:
# openssl req -new -key server.key -out server.csr Using configuration from /usr/local/ssl/openssl.cnf Enter PEM pass phrase:Enter pass phrase here You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New Hampshire Locality Name (eg, city) :Nashua Organization Name (eg, company) [Internet Widgits Pty Ltd]:Domain.com, Inc. Organizational Unit Name (eg, section) :. Common Name (eg, YOUR name) :www.domain.com Email Address :email@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :These files are moved to sambar50/config dir
> genrsa -out key.pem > req -x509 -nodes -out cert.pem -key key.pem -new -config C:/OpenSSL/bin/openssl.cnf -days 1095The common name must be the domain name for the server.