
Enabling https support

Added by Isaac Lascasas over 9 years ago

Hello, I am trying to enable https within Wt server; however, it seems way too complicated for a person without web server management and security experience like me. I have a commercial certificate from PositiveSSL/Comodo, which comes with four files. All four are .crt files:

my_website_name_com.crt

COMODORSAAddTrustCA.crt

COMODORSADomainValidationSecureServerCA.crt

AddTrustExternalCARoot.crt

My app uses custom auth code via a temporal request code bound to the user IP; the code is stored in a cookie to keep the session between tabs until the user logs out. However, the app requires high security, so I simply decided to enable https on it to prevent any data from being sniffed or any kind of hijacks.

I wonder what steps I should take now that I have those files. I have been trying to set up a self-signed cert before for testing with openssl commands, but I was unsuccessful. I don't have a minimal idea of what to do and what Wt server command line options to use at all. I suppose that I would first need to generate some kind of private key from these certificates to pass to Wt.

Also, would I be able to test it on my computer locally, or just on the production machine with the appropriate DNS?

Kind Regards.

Isaac.


Replies (4)

RE: Enabling https support - Added by Koen Deforche over 9 years ago

Isaac,

Having done this a few times, I have a collection of notes I could draft into the WIKI.

It is indeed confusing and tricky to get right (and OpenSSL's error messages are as cryptic as its security).

Regards,

koen

RE: Enabling https support - Added by Isaac Lascasas over 9 years ago

Koen, as always I am overwhelmed by your continuous support. Adding that info to the wiki would be awesome. I have the added difficulty of building for Windows; however, yesterday I managed to build Wt with OpenSSL support correctly. I would like to point out too that the OpenSSL Windows prebuilt libs are no longer provided by the official OpenSSL site and the current source package has build problems with the Visual Studio toolchain. I got a prebuilt OpenSSL from a 3rd party and configured the paths manually in CMake; it took me a while but worked fine. My concern now is what to do with the certificate and whether I got the correct one (apache+openssl type).

Thanks.

Isaac.

RE: Enabling https support - Added by Isaac Lascasas over 9 years ago

My website SSL is working right now. However, I'm still confused about certificate file concatenation in a particular order and the difference between --ssl-ca-certificates and --ssl-certificate.

I would like to ask too if there is some kind of control over the ciphers OpenSSL uses; in particular I'm interested in enabling PFS without RC4 as stated here: https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

Thanks.

Isaac.

RE: Enabling https support - Added by Wim Dumon over 9 years ago

Hello Isaac,

Yes, you can set the ciphers. Run your application with the --help option, and you should see the specific configuration switch: --ssl-cipherlist arg

BR,

Wim.
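
One way to check a candidate value for --ssl-cipherlist against the "PFS without RC4" goal raised in this thread before deploying it. This is an added example, not code from the thread or from Wt: the function names and the candidate string are assumptions, and it expands the string with the OpenSSL that Python's `ssl` module is linked against, which may differ from the OpenSSL build your Wt server uses.

```python
import ssl

# Suite-name prefixes OpenSSL uses for ephemeral (EC)DH key exchange.
_PFS_PREFIXES = ("ECDHE-", "DHE-")


def audit_cipherlist(cipher_string):
    """Expand an OpenSSL cipher string and sort the TLS <= 1.2 suites it enables.

    Returns a dict of suite-name lists: 'pfs', 'no_pfs' and 'rc4'.
    Raises ValueError when the string selects no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"cipher string selects nothing: {cipher_string!r}") from exc

    report = {"pfs": [], "no_pfs": [], "rc4": []}
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if name.startswith("TLS_"):
            # TLS 1.3 suites are not governed by the cipher string; skip them.
            continue
        key = "pfs" if name.startswith(_PFS_PREFIXES) else "no_pfs"
        report[key].append(name)
        if "RC4" in name:
            report["rc4"].append(name)
    return report


def pfs_without_rc4(cipher_string):
    """True when every enabled TLS <= 1.2 suite is forward secret and none uses RC4."""
    report = audit_cipherlist(cipher_string)
    return bool(report["pfs"]) and not report["no_pfs"] and not report["rc4"]


if __name__ == "__main__":
    # Constructed candidate string, used here only as sample input.
    candidate = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!RC4"
    result = audit_cipherlist(candidate)
    for label in ("pfs", "no_pfs", "rc4"):
        print(f"{label:7s} {len(result[label]):3d}  {' '.join(result[label])}")
    print("goal met:", pfs_without_rc4(candidate))
```

A string that leaves anything in `no_pfs` still permits static-RSA key exchange, so a recorded session could be decrypted later if the server's private key leaks.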
