summaryrefslogtreecommitdiffstats
path: root/README.ssl
blob: 3d462c7a7285fb1d8e2f233824d0d94764a0a68d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
$Id: README.ssl,v 1.3 2006/12/10 12:23:40 m0gg Exp $
===============================================================================

How to use SSL with nanoHTTP/cSOAP

  1. Simple key generation
  2. Generate a key with a certificate
  3. Generate a certification authority
  3.1 Create the directory structure
  3.2 Generate the CA key
  3.3 Sign a certification request
  4. Commandline arguments at startup
  5. Howto hide the password
  6. What else?

1. Simple key generation

  $ openssl req -nodes -days 1825 -subj "/CN=`hostname`" -newkey rsa:1024 -keyout sslkey.pem -out sslreq.pem

2. Generate a key with a certificate

2.1. Create a key and a certification request as in 1.
2.2. Post the sslreq.pem to your favorite CA
2.3. Join your key with the certificate from yout CA
     $ cat ssl.cert >> sslkey.pem

3. Generate a certification authority

3.1 Create the directory structure

  $ mkdir ca
  $ echo '01' > $1 ca/serial
  $ touch ca/index.txt
  $ mkdir ca/crl
  $ mkdir ca/newcerts
  $ mkdir ca/private
  $ chmod 700 ca/private

3.2 Generate the CA key

  $ openssl req -x509 -nodes -days 1826 -subj "/CN=myCa" -newkey rsa:1024 -keyout ca/private/cakey.pem -out ca/cacert.pem

3.3 Sign a certification request

  $ openssl ca -in sslreq.pem -out ssl.cert

4. Commandline arguments at startup

-NHTTPS                   Enable https protocol in the nanoHTTP server

-NHTTPcert CERTfile       A file containing a certificate chain from file. The
                          certificates must be in PEM format and must be sorted
                          starting with the subject's certificate (actual client
                          or server certificate), followed by intermediate CA
                          certificates if applicable, and ending at the highest
                          level (root) CA.

-NHTTPcertpass password   The password to be used during decryption of the
                          certificate.

-NHTTPCA CAfile		  File pointing to a file of CA certificates in PEM
                          format. The file can contain several CA certificates
                          identified by

                          -----BEGIN CERTIFICATE-----
                          ... (CA certificate in base64 encoding) ...
                          -----END CERTIFICATE-----

                          sequences. Before, between, and after the certificates
                          text is allowed which can be used e.g. for descriptions
                          of the certificates. 

5. Howto hide the password

You can use the following functions before calling httpd_init, httpc_init and
accordingly soap_server_init, soap_client_init. The are roughly the same then the
commandline versions.

  - hssl_enable(void)
  - hssl_set_certificate(const char *CERTfile)
  - hssl_set_certpass(const char *pass)
  - hssl_set_ca(const char *CAfile)

NOTE: If you use this functions an specify the commandline arguments, then the
commandline arguments take precedence.

6. What else?

 - int hssl_enabled(void)