HTTP over SSL

This page keeps general information about HTTP over SSL.

The current version of HefeWeizen uses the Webrick HTTP server.

Hostname must match x509 certificate "Common Name"

In our example ebXML Collaboration Protocol Agreement's (CPA's) we use the hostnames gnaraloo-ebXML-b2b-gateway as well as coronation-ebXML-b2b-gateway. These values, apparently, must match the Common Name of the x509 certificate.

How to get the server certificate of a remote server

If the remote SSL server requires a client authentication then it seems we must provide a "trusted" client certificate otherwise we do not get the remote SSL server certificate.

Either use a webbrowser and point to the URL:

https://localhost:7778

or use the openssl toolkit:

% openssl s_client -host localhost -port 7778

which returns:

CONNECTED(00000003)
depth=0 /C=LI/ST=Balzers/L=Balzers/O=Coronation/OU=SSLServer/CN=coronation-ebXML-b2b-gateway
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=LI/ST=Balzers/L=Balzers/O=Coronation/OU=SSLServer/CN=coronation-ebXML-b2b-gateway
verify return:1
---
Certificate chain
 0 s:/C=LI/ST=Balzers/L=Balzers/O=Coronation/OU=SSLServer/CN=coronation-ebXML-b2b-gateway
   i:/C=LI/ST=Balzers/L=Balzers/O=Coronation/OU=SSLServer/CN=coronation-ebXML-b2b-gateway
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDbDCCAtWgAwIBAgIJAK0YKzJXl6IeMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
VQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFsemVyczETMBEG
A1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUwIwYDVQQDExxj
b3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5MB4XDTA3MDIxNDEyMjUxMVoXDTEw
MDIxMzEyMjUxMVowgYExCzAJBgNVBAYTAkxJMRAwDgYDVQQIEwdCYWx6ZXJzMRAw
DgYDVQQHEwdCYWx6ZXJzMRMwEQYDVQQKEwpDb3JvbmF0aW9uMRIwEAYDVQQLEwlT
U0xTZXJ2ZXIxJTAjBgNVBAMTHGNvcm9uYXRpb24tZWJYTUwtYjJiLWdhdGV3YXkw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALFf5I3rx+3INkzi1E0x8/NRP7ek
ffqNg3zn2rFPUeEzEJpfx/VTPOHyL6UU0VbF2HZyi+iBaSVP/NWVL7poQx+j89TZ
3hpa64Zhaq5e+ZmFZks/b6A3dWUzQCIXOzT/V1RPo31jjQAnZydVVdKnBvaHvu4i
7FnCnKcJ9sT8YWZ9AgMBAAGjgekwgeYwHQYDVR0OBBYEFMmp/YoOfRFGa0LnE9L3
g0lhe1YGMIG2BgNVHSMEga4wgauAFMmp/YoOfRFGa0LnE9L3g0lhe1YGoYGHpIGE
MIGBMQswCQYDVQQGEwJMSTEQMA4GA1UECBMHQmFsemVyczEQMA4GA1UEBxMHQmFs
emVyczETMBEGA1UEChMKQ29yb25hdGlvbjESMBAGA1UECxMJU1NMU2VydmVyMSUw
IwYDVQQDExxjb3JvbmF0aW9uLWViWE1MLWIyYi1nYXRld2F5ggkArRgrMleXoh4w
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCv/4KF2Q+QaZvrIAE2SmqZ
OIy5gsZITetzKyj3eJiQQbeXLejyF6BtBaSfbDAg6tCF6jh7IvKUeNS+xeW7vjNz
MNDrx0v/IF/2i7wR1nPqaFUhJdbiERBHdPrpIBSv5beJhgFLKr0IgZc5la277xYg
MrHlcciZwU1aQq2Uchu0YQ==
-----END CERTIFICATE-----
subject=/C=LI/ST=Balzers/L=Balzers/O=Coronation/OU=SSLServer/CN=coronation-ebXML-b2b-gateway
issuer=/C=LI/ST=Balzers/L=Balzers/O=Coronation/OU=SSLServer/CN=coronation-ebXML-b2b-gateway
---
No client certificate CA names sent
---
SSL handshake has read 1444 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 717B05DDD6C3CB40301B0CA5029F67AFA635A0AC60340436AA0A2B6280E3BEDB
    Session-ID-ctx:
    Master-Key: 1E1C2705EC91BEB6B3A75C7DB7AA69DF31583B6DFB56374AE1AEA07C641A40B88950EF55DA1A4BF152BA01C134F13C76
    Key-Arg   : None
    Start Time: 1171469596
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

HTTP/1.1 400 Bad Request
Connection: close
Date: Wed, 14 Feb 2007 16:13:18 GMT
Content-Type: text/html
Server: WEBrick/1.3.1 (Ruby/1.8.5/2006-08-25) OpenSSL/0.9.8c
Content-Length: 295

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<HTML>
  <HEAD><TITLE>Bad Request</TITLE></HEAD>
  <BODY>
    <H1>Bad Request</H1>
    bad Request-Line `'.
    <HR>
    <ADDRESS>
     WEBrick/1.3.1 (Ruby/1.8.5/2006-08-25) OpenSSL/0.9.8c at
     localhost:7778
    </ADDRESS>
  </BODY>
</HTML>
closed

Webrick HTTPS support

Webrick itself does not support SSL. Webrick uses the ruby openssl library binding to support SSL.

Webrick has the following OpenSSL options when creating the HTTP server:

• :SSLEnable => true,
  • Main switch to use SSL or not.
• :SSLCertificate => nil,
  • The server certificate. cert_file is the path to the .pem file
  • OpenSSL::X509::Certificate.new(File::read(cert_file))
• :SSLPrivateKey => nil,
  • The server private key. The passphrase will be asked when the server starts. I have not found a way yet to pass in the passphrase.
  • the key_file is the path to the .pem file
  • OpenSSL::PKey::RSA.new(File::read(key_file))
• :SSLClientCA => nil,
  • ?
• :SSLExtraChainCert => nil,
  • ?
• :SSLCACertificateFile => nil,
  • ?
• :SSLCACertificatePath => nil,
  • A path to trusted CA certificates. A client certificate will be checked against these certificates. The check returns OK if the client certificate is signed by one of the certifiates listed in the directory. If the client uses a self-signed certificate then the clients certificate MUST be in this directory.
• :SSLCertificateStore => nil,
  • ?
• :SSLVerifyClient => ::OpenSSL::SSL::VERIFY_NONE,
  • more options:
    • OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
• :SSLVerifyDepth => nil,
  • ?
• :SSLVerifyCallback => nil, # custom verification
  • ?
• :SSLTimeout => nil,
  • ?
• :SSLOptions => nil,
  • ?
• :SSLStartImmediately => true,
  • ?
• :SSLCertName => nil,
  • Must specify if you use auto generated certificate.
• :SSLCertComment => "Generated by Ruby/OpenSSL"
  • ?

wget SSL support

The wget command line HTTP client is an excellent tool which has SSL support.

The passphrase problem

The page SecurityInformation provides a way to remove the passphrase from a private key.

Resources

• http://www.eclectica.ca/howto/ssl-cert-howto.php
• http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/237262