Additionally you may:
$ ./configure --with-ssl
$ openssl req -nodes -days 1825 -subj "/CN=`hostname`" -newkey rsa:1024 -keyout sslkey.pem -out sslreq.pem
$ cat ssl.cert >> sslkey.pem
$ mkdir ca
$ echo '01' > ca/serial
$ touch ca/index.txt
$ mkdir ca/crl
$ mkdir ca/newcerts
$ mkdir ca/private
$ chmod 700 ca/private
$ openssl req -x509 -nodes -days 1826 -subj "/CN=myCa" -newkey rsa:1024 -keyout ca/private/cakey.pem -out ca/cacert.pem
$ openssl ca -in sslreq.pem -out ssl.cert
-NHTTPS                   Enable the https protocol in the nanoHTTP server.

-NHTTPcert CERTfile       A file containing a certificate chain. The
                          certificates must be in PEM format and must be sorted
                          starting with the subject's certificate (the actual client
                          or server certificate), followed by intermediate CA
                          certificates if applicable, and ending at the highest
                          level (root) CA.

-NHTTPcertpass password   The password to be used during decryption of the
                          certificate.

-NHTTPCA CAfile           A file of CA certificates in PEM format. The file can
                          contain several CA certificates, each identified by a
                              -----BEGIN CERTIFICATE-----
                              ... (CA certificate in base64 encoding) ...
                              -----END CERTIFICATE-----
                          sequence. Before, between, and after the certificates,
                          text is allowed, which can be used e.g. for descriptions
                          of the certificates.
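The PEM layout described for -NHTTPcert and -NHTTPCA, and the key-plus-certificate file that the "cat ssl.cert >> sslkey.pem" step builds, as an added example in C (not nanoHTTP's own code): a small scanner that pairs BEGIN/END blocks, tolerates descriptive text between them, and reports whether a file holds exactly one private key and at least one certificate. The sample bundle, its names and the placeholder bodies are constructed.

```c
/* Added example, not nanoHTTP's own code: checks the PEM bundle layout that -NHTTPcert /
 * hssl_set_certificate expect (private key plus certificate chain, free text around the blocks). */
#include <string.h>
struct pem_stats { int keys; int certs; int errors; };

/* Extract <label> from a "-----BEGIN <label>-----" or "-----END <label>-----" line (skip = prefix length). */
static int pem_label(const char *line, size_t len, size_t skip, char *out, size_t outsz)
{
    while (len > 0 && line[len - 1] == '\r') len--;                 /* tolerate CRLF line endings */
    if (len < skip + 6 || memcmp(line + len - 5, "-----", 5) != 0) return 0;
    size_t ll = len - skip - 5;
    if (ll >= outsz) return 0;
    memcpy(out, line + skip, ll); out[ll] = '\0';
    return 1;
}
/* Walk the text line by line and pair every BEGIN with a matching END. */
struct pem_stats pem_scan(const char *text)
{
    struct pem_stats s = {0, 0, 0};
    char open[64] = "", lab[64];
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (strncmp(p, "-----BEGIN ", 11) == 0) {
            if (open[0] || !pem_label(p, len, 11, open, sizeof open)) s.errors++;
        } else if (strncmp(p, "-----END ", 9) == 0) {
            if (!open[0] || !pem_label(p, len, 9, lab, sizeof lab) || strcmp(lab, open))
                s.errors++;                                          /* END without matching BEGIN */
            else if (strcmp(open, "CERTIFICATE") == 0) s.certs++;
            else if (strstr(open, "PRIVATE KEY")) s.keys++;          /* "RSA PRIVATE KEY" or "PRIVATE KEY" */
            open[0] = '\0';
        }
        p = nl ? nl + 1 : p + len;
    }
    if (open[0]) s.errors++;                                         /* unterminated block */
    return s;
}
/* Usable as -NHTTPcert input: balanced blocks, exactly one private key, at least one certificate. */
int pem_bundle_ok(const char *text)
{
    struct pem_stats s = pem_scan(text);
    return s.errors == 0 && s.keys == 1 && s.certs >= 1;
}

/* Constructed sample in the layout that "cat ssl.cert >> sslkey.pem" produces (bodies are placeholders). */
const char *SAMPLE_BUNDLE =
    "-----BEGIN RSA PRIVATE KEY-----\nMIIB...placeholder...\n-----END RSA PRIVATE KEY-----\n"
    "subject=/CN=host.example  (descriptive text between blocks is allowed)\n"
    "-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n";
```

Run it against the real sslkey.pem before passing that file to -NHTTPcert; a chain that fails here would be rejected by the PEM loader anyway, and this tells you why.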
An example verification callback:

    #include <stdio.h>
    #include <openssl/x509.h>
    #include <nanohttp/nanohttp-ssl.h>   /* nanoHTTP's verify_sn(), CERT_ISSUER, CERT_SUBJECT */

    int my_user_verify(X509 *cert)
    {
        /* Reject certificates whose validity period has already ended. */
        ASN1_TIME *notAfter = X509_get_notAfter(cert);
        if (X509_cmp_current_time(notAfter) <= 0) {
            fprintf(stderr, "SSL Certificate has expired\n");
            return 0;
        }
        /* Pin the issuer and subject names to the values this service expects. */
        if (!verify_sn(cert, CERT_ISSUER, NID_commonName, "My Common Name")) {
            fprintf(stderr, "issuer commonName does not match\n");
            return 0;
        }
        if (!verify_sn(cert, CERT_ISSUER, NID_organizationName, "My Organization")) {
            fprintf(stderr, "issuer organizationName does not match\n");
            return 0;
        }
        if (!verify_sn(cert, CERT_SUBJECT, NID_commonName, "My Web Service")) {
            fprintf(stderr, "subject commonName does not match\n");
            return 0;
        }
        if (!verify_sn(cert, CERT_SUBJECT, NID_organizationName, "My Organization")) {
            fprintf(stderr, "subject organizationName does not match\n");
            return 0;
        }
        fprintf(stderr, "Certificate checks out\n");
        return 1;
    }
To register your verification function, simply:
    hssl_set_verify_cert(my_user_verify);
You can use the following functions before calling httpd_init or httpc_init (and, accordingly, soap_server_init or soap_client_init). They are roughly equivalent to the command-line versions.

    hssl_enable(void)
    hssl_set_certificate(const char *CERTfile)
    hssl_set_certpass(const char *pass)
    hssl_set_ca_list(const char *CAfile)

NOTE: If you use these functions and also specify the command-line arguments, the command-line arguments take precedence.
    hssl_enabled(void)