From e4c2e3a011191c232521a2d4e6e5f71f983208fa Mon Sep 17 00:00:00 2001 From: m0gg Date: Wed, 29 Nov 2006 12:47:44 +0000 Subject: documentation enhancement --- README.ssl | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 84 insertions(+), 4 deletions(-) (limited to 'README.ssl') diff --git a/README.ssl b/README.ssl index 5bea839..1c9b138 100644 --- a/README.ssl +++ b/README.ssl @@ -1,10 +1,90 @@ -$Id: README.ssl,v 1.1 2006/11/29 11:31:36 m0gg Exp $ +$Id: README.ssl,v 1.2 2006/11/29 12:47:44 m0gg Exp $ =============================================================================== -How to use SSL with nanohttp/csoap +How to use SSL with nanoHTTP/cSOAP 1. Simple key generation 2. Generate a key with a certificate - 3. Commandline arguments for startup - 4. Howto hide the password + 3. Generate a certification authority + 3.1 Create the directory structure + 3.2 Generate the CA key + 3.3 Sign a certification request + 4. Commandline arguments at startup + 5. Howto hide the password + 6. What else? + +1. Simple key generation + + $ openssl req -nodes -days 1825 -subj "/CN=`hostname`" -newkey rsa:1024 -keyout sslkey.pem -out sslreq.pem + +2. Generate a key with a certificate + +2.1. Create a key and a certification request as in 1. +2.2. Post the sslreq.pem to your favorite CA +2.3. Join your key with the certificate from yout CA + $ cat ssl.cert >> sslkey.pem + +3. Generate a certification authority + +3.1 Create the directory structure + + $ mkdir ca + $ echo '01' > $1 ca/serial + $ touch ca/index.txt + $ mkdir ca/crl + $ mkdir ca/newcerts + $ mkdir ca/private + $ chmod 700 ca/private + +3.2 Generate the CA key + + $ openssl req -x509 -nodes -days 1826 -subj "/CN=myCa" -newkey rsa:1024 -keyout ca/private/cakey.pem -out ca/cacert.pem + +3.3 Sign a certification request + + $ openssl ca -in sslreq.pem -out ssl.cert + +4. Commandline arguments at startup + +-NHTTPS Enable https protocol in the nanoHTTP server + +-NHTTPcert CERTfile A file containing a certificate chain from file. The + certificates must be in PEM format and must be sorted + starting with the subject's certificate (actual client + or server certificate), followed by intermediate CA + certificates if applicable, and ending at the highest + level (root) CA. + +-NHTTPcertpass password The password to be used during decryption of the + certificate. + +-NHTTPCA CAfile File pointing to a file of CA certificates in PEM + format. The file can contain several CA certificates + identified by + + -----BEGIN CERTIFICATE----- + ... (CA certificate in base64 encoding) ... + -----END CERTIFICATE----- + + sequences. Before, between, and after the certificates + text is allowed which can be used e.g. for descriptions + of the certificates. + +5. Howto hide the password + +You can use the following functions before calling httpd_init, httpc_init and +accordingly soap_server_init, soap_client_init. The are roughly the same then the +commandline versions. + + - hssl_enable(void) + - hssl_set_certificate(const char *CERTfile) + - hssl_set_certpass(const char *pass) + - hssl_set_ca(const char *CAfile) + +NOTE: If you use this functions an specify the commandline arguments, thenn the +commandline arguments take precedence. + +6. What else? + + - int hssl_enabled(void) -- cgit v1.1-32-gdbae