[Tclhttpd-users] Re: Generating Certs for TclHttpd.

[Angel S. <xt...@am...>]

Brent Welch wrote:

>I'll attach the readme that I put together the last time I created certs.
>I believe this is newer than what is on the book's CD.  I would appreciate
>it if you would try stepping through this and telling me specifically
>what steps don't work.  We should end up with working directions!
>
>  
>
>>>>Angel Sosa said:
>>>>        
>>>>
> >     Dear Mr Welch,
> > 
> >        I am sure you receive tons of email but if you permit me I would 
> > like to ask a question about TclHttpd. I have been using it for the last 
> > six months with a lot of success. I would like to move to the next level and
>      
> > enable the SSL portion of the web server. I have all of the modules 
> > needed in order for SSL to work and  the supporting TCL packages. I have 
> > SSL working in other scenarios. But I am having a lot of trouble 
> > applying the Keys, PEMS and the CERTS under the proper categories with in th
>     e 
> > tclhttpd.rc configuration file. Just for additional information, I have 
> > tested the same setup with Apache 2.x and SSL works fine. I 
> > also have a VPN working with SSL. The only Web server I am running is 
> > TclHttpd. The port 80 stuff works just fine. I have also taken traces 
> > with Ethereal. I have traced the traffic going to 443. The hello packet 
> > goes out but soon after that the TclHttpd resets the connection. 443 is 
> > only used by TclHttpd. And it has also been tried on other ports as well 
> > including 8016. And I still have not been successful with same results as 44
>     3.
> > 
> >     Would you be able to supply a complete sample of a literal 
> > openssl.cnf configuration file, literal instructions to generate the 
> > keys, self signed certs, requests and root CA? Please assume that I am signi
>     ng 
> > my own certs. And finally any changes that need to be made to match the 
> > openssl.cnf and the tclhttpd.rc configuration file.  I have tried 
> > various examples to no avail. I have also used the TLS tcl package piece 
> > to other sites and it works just fine. I have followed the example in 
> > your readme that is included with the CD of your latest book. But to no 
> > avail when it comes to SSL as it relates to TclHttpd.
> > 
> >     Thank you Mr. Welch for your time. If their is someone you can refer 
> > me to in case you do not have the time, that would  work too.
> > 
> >     Angel Sosa xt...@am...
> > 
>
>--
>Brent Welch
>Software Architect, Panasas Inc
>Delivering the premier storage system for scalable Linux clusters
>
>www.panasas.com
>we...@pa...
>
>  
>
>------------------------------------------------------------------------
>
>While TclHttpd can support SSL, you will need to add a number of
>software components to complete your SSL server.
>
>At the base is either RSAREF or OpenSSL.  Within the United States there are
>patent restrictions that limit you to using RSAREF from RSA Inc.  Actually,
>you can also build OpenSSL with a "no patents" option.  Both of these packages
>create a crypto library with the same interface.
>        http://www.rsa.com
>        http://www.openssl.org
>
>Next comes the "TLS" Tcl extension, which uses the crypto library.
>The development home page for TLS is
>        http://sourceforge.net/projects/tls/
>I have used the 1.4.1 version for a number of years, although
>there is a recent 1.5.0 version.  At SourceForge there are
>binary releases for Linux and Solaris that save you the chore
>of building OpenSSL.
>
>If you can run tclsh and
>        package require tls
>then you are almost ready to go.
>
>Finally you need keys and certificates for your server.  OpenSSL comes with
>a command-line utility called "openssl" that you can use to generate keys
>and certificates.  The RSFREF utility is "sslc", but provides essentially
>the same features.  The general process is that you generate a public-private
>key pair (using the "genrsa" command for sslc or openssl)
>    sslc genrsa -out skey.pem
>Next you create a certificate request
>    sslc req -config /path/to/ssl.cnf -new -nodex -out ./server.pem -key ./skey.pem
>and send this to a certificate authority for signing. 
>One example Certificate Authority is
>    http://www.verisign.com
>
>Once you get the signed certificate back, edit the tclhttpd.rc file so they
>accurately record the location of your keyfile and certificate.
>The server should then be able to listen for SSL connections on the https port.
>
>You can also bootstrap yourself into your own CA by following the steps
>outlined below.  This lets you sign your own certificate requests to
>make valid certificates, but browsers will prompt users to validate the
>key when they visit your site.
>
>You'll need the "openssl" command line utility that's
>built when you build openssl.  Here is what I did with
>openssl-0.9.7d
>
>0. Build and install openssl.  It installs into /usr/local/ssl
>   I left the openssl.cnf file unchanged, and created a sub-directory
>   to hold all the CA (certificate authority) stuff, as
>   /usr/local/ssl/demoCA.
>
>1. Use the "misc/CA.sh" script as a front-end for the "openssl ca"
>   command, which needs to be set up correctly.
>   First, we initialize the CA:
>   misc/CA.sh -newca
>
>  The -newca script does two things, approximately:
>  (If you ran misc/CA.sh -newca, then you don't need to do 1(a, b, c)
>  1(a). generate a private key for your test CA
>     cd /usr/local/ssl
>     bin/openssl genrsa -out demoCA/private/cakey.pem
>
>  1(b). build a certificate request
>     bin/openssl req -x509 -nodes -out demoCA/cacert.pem -key demoCA/private/cakey.pem -new
>
>  1(c). create a serial, index.txt, and other empty directories expected
>    by the ca subcommand of openssl
>
>
>  You've now got a CA certificate "cacert.pem".
>  It's "self-signed".
>  Its private key is "private/cakey.pem".
>
>We'll now make a server key, certificate request,
>and we'll use the CA cert we just made to sign it
>and generate our final certificate. (I couldn't get the
>CA.sh front-end to work for me in this case, so I did
>the following commands directly.)
>
>2. generate a server key
>   bin/openssl genrsa -out key1.pem
>
>3. generate a certificate request
>   bin/openssl req -nodes -out req.pem -key key1.pem -new
>
>4. generate the server certificate
>   bin/openssl ca -keyfile demoCA/private/cakey.pem \
>        -cert demoCA/cacert.pem -in req.pem
>
>Because I didn't use "-out", the cert was generated into
>demoCA/newcerts as 01.pem (or 02.pem, ...)
>You've now got a server certificate "demoCA/newcerts/01.pem".
>Its private key is key1.pem.
>It's signed by your own CA.
>
>You can make any number of certs by repeating steps
>two through four again with different file names.
>
>To set up tclhttpd, copy the key and the cert into the
>tclhttpd/certs subdirectory.  E.g., 
>cd /usr/local/tclhttpd-3.5.1/
>mkdir certs
>cp /usr/local/ssl/key1.pem certs/skey.pem
>cp /usr/local/ssl/demoCA/newcerts/02.pem certs/server.pem
>
>It appears that the default location for the certs directory
>is a "bin/certs", a subdirectory of the bin directory.  If
>you want to change that, edit bin/tclhttpd.rc and fix
>the SSL_CADIR setting.
>
>  
>
Thank You Mr. Welch for responding. I followed your advice and it 
worked.  The only change I would make to the newest set of instructions  
is  the following : I would change,

"cp /usr/local/ssl/demoCA/newcerts/02.pem certs/server.pem"

to

"cp /usr/local/ssl/demoCA/newcerts/01.pem certs/server.pem"

However, this was not my issue. My problems were more centered around trying to match openssl.cnf to tclhttpd.rc. Your revised set of instructions made it clear what needed to be corrected.

	Thanks again Mr. Welch

		Angel Sosa xt...@am...