How to use SSL with nanoHTTP

How to create an SSL enabled HTTP service

There are two basic steps involved in using nanoHTTP to create an SSL-enabled HTTP service:

  1. Compilation with SSL support
  2. Create an SSL key/certificate

Additionally you may:

  1. Pass commandline arguments at startup
  2. Write a certificate verification routine

Compilation with SSL support

nanoHTTP uses OpenSSL for its SSL support, so OpenSSL (headers and libraries) must be installed first. To compile in SSL support, simply pass the --with-ssl argument to configure.

 $ ./configure --with-ssl

Create an SSL key/certificate

Simple key generation

 $ openssl req -nodes -days 1825 -subj "/CN=`hostname`" -newkey rsa:1024 -keyout sslkey.pem -out sslreq.pem

Generate a key with a certificate

Create a key and a certification request (the openssl req command above writes the private key to sslkey.pem and the request to sslreq.pem)

Send sslreq.pem to your favorite CA

Join your key with the certificate (ssl.cert) returned by your CA

 $ cat ssl.cert >> sslkey.pem

Generate a certification authority

Create the directory structure

 $ mkdir ca
 $ echo '01' > ca/serial
 $ touch ca/index.txt
 $ mkdir ca/crl
 $ mkdir ca/newcerts
 $ mkdir ca/private
 $ chmod 700 ca/private

Generate the CA key

 $ openssl req -x509 -nodes -days 1826 -subj "/CN=myCa" -newkey rsa:1024 -keyout ca/private/cakey.pem -out ca/cacert.pem

Sign a certification request

 $ openssl ca -in sslreq.pem -out ssl.cert
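The whole procedure above (CA directory layout, CA key, server key and request, signing, joining key and certificate) run end to end from one POSIX shell function. This is an added example and not part of the csoap/nanoHTTP documentation: it goes beyond the text by writing the minimal openssl.cnf that "openssl ca" needs (the bare command in the text relies on the system-wide configuration, which often lacks a usable [ca] section), by verifying the issued certificate against the CA before it is deployed, and by using 2048-bit keys instead of the text's rsa:1024. The function name make_nanohttp_ssl_files, the config section names and the NANOHTTP_SSL_WORKDIR variable are this example's own choices; it assumes an OpenSSL 1.1 or 3.x command-line tool.

```shell
#!/bin/sh
# Added example, not csoap/nanoHTTP project code. Builds a private CA, issues
# a server certificate and writes the combined sslkey.pem that nanoHTTP loads
# with -NHTTPcert; ca/cacert.pem is the file a client passes to -NHTTPCA.
set -eu

# Minimal openssl.cnf for "openssl req -x509" and "openssl ca". Section names
# are this example's own; $dir is expanded by OpenSSL, not by the shell.
write_ca_config() {
  cat > "$1" <<'EOF'
[ ca ]
default_ca = nanohttp_ca

[ nanohttp_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
policy           = policy_cn_only
x509_extensions  = server_cert

[ policy_cn_only ]
commonName       = supplied

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_nanohttp_ssl_files WORKDIR SERVER_CN
# Leaves WORKDIR/sslkey.pem (key followed by the signed certificate) and
# WORKDIR/ca/cacert.pem. Returns non-zero if any openssl step fails.
make_nanohttp_ssl_files() {
  work=$1
  cn=$2
  mkdir -p "$work"
  (
    cd "$work"
    # 1. CA directory structure, as in the text
    mkdir -p ca/crl ca/newcerts ca/private
    chmod 700 ca/private
    echo '01' > ca/serial
    : > ca/index.txt
    write_ca_config ca/openssl.cnf

    # 2. CA key and self-signed CA certificate
    openssl req -config ca/openssl.cnf -x509 -nodes -days 1826 \
      -subj "/CN=myCa" -newkey rsa:2048 \
      -keyout ca/private/cakey.pem -out ca/cacert.pem

    # 3. Server key and certification request (sslkey.pem, sslreq.pem)
    openssl req -config ca/openssl.cnf -new -nodes -subj "/CN=$cn" \
      -newkey rsa:2048 -keyout sslkey.pem -out sslreq.pem

    # 4. Sign the request; -batch skips the interactive confirmation,
    #    -notext keeps the human-readable dump out of the PEM file
    openssl ca -config ca/openssl.cnf -batch -notext \
      -in sslreq.pem -out ssl.cert

    # 5. Check that the chain verifies, then join key and certificate
    openssl verify -CAfile ca/cacert.pem ssl.cert >/dev/null
    cat ssl.cert >> sslkey.pem
  )
}

# Stand-alone use:  NANOHTTP_SSL_WORKDIR=./work sh make-nanohttp-ssl.sh
if [ -n "${NANOHTTP_SSL_WORKDIR:-}" ]; then
  make_nanohttp_ssl_files "$NANOHTTP_SSL_WORKDIR" "$(hostname)"
  echo "wrote $NANOHTTP_SSL_WORKDIR/sslkey.pem"
fi
```

The server certificate carries only the commonName, because the policy section accepts nothing else from the request; if your verification routine also checks organizationName (as the example later on this page does), add that field to the policy and to the -subj string.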

Commandline arguments at startup

 -NHTTPS                 Enable https protocol in the nanoHTTP server
 
 -NHTTPcert CERTfile     A file containing a certificate chain from file. The
                         certificates must be in PEM format and must be sorted
                         starting with the subject's certificate (actual client
                         or server certificate), followed by intermediate CA
                         certificates if applicable, and ending at the highest
                         level (root) CA.
 
 -NHTTPcertpass password The password to be used during decryption of the
                         certificate.
 
 -NHTTPCA CAfile         File pointing to a file of CA certificates in PEM
                         format. The file can contain several CA certificates
                         identified by
 
                          -----BEGIN CERTIFICATE-----
                          ... (CA certificate in base64 encoding) ...
                          -----END CERTIFICATE-----
 
                         sequences. Before, between, and after the certificates
                         text is allowed which can be used e.g. for descriptions
                         of the certificates. 

Write a certificate verification routine

Your verification function must take an X509 * as its only argument and return an int (non-zero to accept the certificate, 0 to reject it). The CSOAP library provides a helper function verify_sn() to assist in writing certificate verification routines. You by no means need to use it! verify_sn() takes the certificate, a selector (CERT_ISSUER or CERT_SUBJECT), the NID of the name field to compare and the expected value; the following example shows it in use:

 #include <stdio.h>
 #include <openssl/x509.h>
 #include <openssl/objects.h>
 /* nanoHTTP header declaring verify_sn(), CERT_ISSUER, CERT_SUBJECT and
    hssl_set_verify_cert(); adjust the include path to your installation */
 #include <nanohttp/nanohttp-ssl.h>

 /* Called by nanoHTTP for every peer certificate: return 1 to accept, 0 to reject */
 int my_user_verify(X509* cert)
 {
   /* Reject certificates whose validity period has already ended */
   ASN1_TIME *notAfter = X509_get_notAfter(cert);

   if (X509_cmp_current_time(notAfter) <= 0)
   {
     fprintf(stderr, "SSL Certificate has expired\n");
     return 0;
   }

   /* Pin the issuer: only certificates signed by our own CA are accepted */
   if (!verify_sn(cert, CERT_ISSUER, NID_commonName, "My Common Name"))
   {
     fprintf(stderr, "issuer commonName does not match\n");
     return 0;
   }

   if (!verify_sn(cert, CERT_ISSUER, NID_organizationName, "My Organization"))
   {
     fprintf(stderr, "issuer organizationName does not match\n");
     return 0;
   }

   /* Pin the subject: the certificate must belong to the expected peer */
   if (!verify_sn(cert, CERT_SUBJECT, NID_commonName, "My Web Service"))
   {
     fprintf(stderr, "subject commonName does not match\n");
     return 0;
   }

   if (!verify_sn(cert, CERT_SUBJECT, NID_organizationName, "My Organization"))
   {
     fprintf(stderr, "subject organizationName does not match\n");
     return 0;
   }

   fprintf(stderr, "Certificate checks out\n");
   return 1;
 }

To register your verification function, simply:

 hssl_set_verify_cert(my_user_verify);
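The same expiry and name checks that my_user_verify() performs, done from the shell with the OpenSSL command-line tool, so that the issuer and subject strings can be tried against a real certificate before they are hard-coded into the C routine. This is an added example and not part of the csoap/nanoHTTP documentation; the functions cert_field and cert_precheck and their argument order are this example's own choices, and it assumes an OpenSSL 1.1 or 3.x command-line tool.

```shell
#!/bin/sh
# Added example, not csoap/nanoHTTP project code: command-line counterpart
# of the my_user_verify() routine on this page.
set -eu

# cert_field PEMFILE subject|issuer SHORTNAME
# Prints the first value of the given name field (e.g. CN or O).
cert_field() {
  openssl x509 -in "$1" -noout "-$2" -nameopt sep_multiline \
    | sed -n "s/^ *$3 *= *//p" | head -n 1
}

# cert_precheck PEMFILE ISSUER_CN ISSUER_O SUBJECT_CN SUBJECT_O
# Returns 0 when every check passes and 1 on the first failure; the
# messages mirror the fprintf() calls in my_user_verify().
cert_precheck() {
  pem=$1
  # -checkend 0 fails when notAfter is already in the past
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "SSL Certificate has expired" >&2
    return 1
  fi
  [ "$(cert_field "$pem" issuer CN)" = "$2" ] \
    || { echo "issuer commonName does not match" >&2; return 1; }
  [ "$(cert_field "$pem" issuer O)" = "$3" ] \
    || { echo "issuer organizationName does not match" >&2; return 1; }
  [ "$(cert_field "$pem" subject CN)" = "$4" ] \
    || { echo "subject commonName does not match" >&2; return 1; }
  [ "$(cert_field "$pem" subject O)" = "$5" ] \
    || { echo "subject organizationName does not match" >&2; return 1; }
  echo "Certificate checks out" >&2
  return 0
}

# Stand-alone use:
#   sh cert-precheck.sh ssl.cert "My Common Name" "My Organization" \
#                                "My Web Service" "My Organization"
if [ $# -eq 5 ]; then
  cert_precheck "$1" "$2" "$3" "$4" "$5"
fi
```

Note that, like the C routine, this compares exact strings: a certificate whose CN differs only in case or trailing whitespace is rejected, which is the intended behaviour for a pinned service identity.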

Frequently asked questions

You can use the following functions before calling httpd_init, httpc_init and accordingly soap_server_init, soap_client_init. They are roughly equivalent to the commandline versions.

   hssl_enable(void)
   hssl_set_certificate(const char *CERTfile)
   hssl_set_certpass(const char *pass)
   hssl_set_ca_list(const char *CAfile)

NOTE: If you use these functions and also specify the commandline arguments, the commandline arguments take precedence.

To query whether SSL has been enabled by either method:

   hssl_enabled(void)

Generated on Thu Jan 25 23:36:04 2007 for csoap by  doxygen 1.4.6