[Wt 3.3.3] WServer SSL configuration
Added by Thomas Saquet over 10 years ago
Hello,
I was trying to configure WtHTTPd to use official certificates.
To help me understand the server's options, I used my binary's help:
# my_bin --help
Here is the first command I tried:
# my_bin --docroot . --http-address 0.0.0.0 --http-port 80 \
--https-address 0.0.0.0 --https-port 443 --ssl-certificate /etc/ssl/foo.bar/cert-foo.bar.crt \
--ssl-private-key /etc/ssl/foo.bar/foo.bar.key --ssl-ca-certificates /etc/ssl/foo.bar/GandiStandardSSLCA.crt \
--ssl-tmp-dh /etc/ssl/dh1024.pem
My server starts without error.
But when I want to get a page over the HTTPS protocol, my HTTP client rebukes me:
# wget https://foo.bar
--2014-07-31 18:21:04-- https://foo.bar/
Resolving foo.bar (foo.bar)... 172.16.3.214
Connecting to foo.bar (foo.bar)|172.16.3.214|:443... connected.
ERROR: The certificate of `foo.bar' is not trusted.
ERROR: The certificate of `foo.bar' hasn't got a known issuer.
Thanks to Peter K (http://redmine.webtoolkit.eu/users/984) I understood that I had to put the CA cert into the cert file: http://redmine.webtoolkit.eu/issues/2916
It works perfectly doing that, thank you.
Nevertheless.
For me, the meaning of the ssl-certificate option is not obvious.
--ssl-certificate arg SSL server certificate chain file
e.g. "/etc/ssl/certs/vsign1.pem"
If we compare it with Apache Option SSLCertificateFile (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatefile), only the cert file should be needed.
After investigation, I realized that the option --ssl-ca-certificates is not in the official documentation: http://www.webtoolkit.eu/wt/doc/reference/html/overview.html#config_wthttpd
--ssl-ca-certificates arg Path to a file containing the
concatenated trusted CA certificates,
which can be used to authenticate the
client. The file should contains a a
number of PEM-encoded certificates.
Is it a relic of an older function? It does not seem to have an effect.
IMHO, to adopt the same behaviour as Apache or Nginx, ssl-certificate and ssl-ca-certificates should work together OR ssl-certificate should be renamed ssl-certificate-chain.
Thanks a lot.
Regards,
Thomas
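As an added example (not part of this thread and not Wt's own code), a POSIX shell helper that builds the chain file the way the fix above requires (leaf certificate first, then the CA bundle) and checks with openssl that each certificate is issued by the one following it, so a leaf-only file like the first attempt is caught before wthttpd is started. The file names and the throwaway test CA are constructed for the example.

```shell
#!/bin/sh
# Build and sanity-check the chain file that wthttpd's --ssl-certificate expects.
set -eu

# build_chain LEAF CA OUT: concatenate leaf first, then the CA chain.
build_chain() {
    cat "$1" "$2" > "$3"
}

# chain_order_ok FILE: returns 0 only if FILE holds at least two certificates
# and the issuer of each one equals the subject of the next (leaf -> CA).
chain_order_ok() {
    dir=$(mktemp -d)
    # split the PEM bundle into 1.pem, 2.pem, ... in file order
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
    count=$(ls "$dir" | wc -l | tr -d ' ')
    if [ "$count" -lt 2 ]; then rm -rf "$dir"; return 1; fi
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject)
        # drop the "issuer=" / "subject=" prefixes and compare the names
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            rm -rf "$dir"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# make_sample_certs DIR: constructed test material, a self-signed CA that
# signs a leaf for foo.bar (stands in for the Gandi-issued files in the post).
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/CN=Example Test CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        -subj "/CN=foo.bar" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/leaf.crt" -days 1 2>/dev/null
}
```

Pass the resulting chain file to --ssl-certificate; the CA file on its own still goes to --ssl-ca-certificates only if you want client certificates authenticated.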