[WIP] Local HTTPS Support #77
Conversation
samgiles
force-pushed
the
https-support
branch
2 times, most recently
from
aac981b
to
2639f1e
Compare
|
@fabricedesre can I get an initial review? Or suggest someone else. I'm still trying to figure out how best to plumb in the hostname and certs from the controller as we'll need them before the server is started with this PR - we can change that, but maybe in a later PR. Also, following this we'll want to use LetsEncrypt, and pre-generate, or generate the certs on demand. |
|
I took avery quick look, but could you have a CertificateManager that you pass to the HttpServer instead of your current code? @ferjm do you mind taking a look? |
| fn get_local_tls_key(&self) -> PathBuf; | ||
| fn get_local_tls_crt(&self) -> PathBuf; | ||
| fn get_remote_tls_key(&self) -> PathBuf; | ||
| fn get_remote_tls_crt(&self) -> PathBuf; |
There was a problem hiding this comment.
As Fabrice mentioned, it'd be nice to move all this to a CertificateManager.
|
Great work Sam! I think @michielbdejong has a more solid understanding of what's needed here. Michiel, Could you take a look, please? Thanks! |
|
side note: I got https with self-signed certs, including QR, mDNS, and HSS, working with a nodejs proxy in #129 - may be useful as a reference. |
|
Latest scripts for DNS/TLS are in #163. The way it works:
{
"self-signed": "https://ba25ea553e3ff05620224368284e4ae3.self-signed/a6450c08893/",
"local": "https://dcaa0a22b76e30da2cfe0d10e94603ae.box.knilxof.org/",
"mirrors": [
"https://a.dcaa0a22b76e30da2cfe0d10e94603ae.box.knilxof.org/",
"https://b.dcaa0a22b76e30da2cfe0d10e94603ae.box.knilxof.org/"
],
"remote": "https://dcaa0a22b76e30da2cfe0d10e94603ae.box.knilxof.org/"
} |
|
This requires the API compatible fork of Iron to allow custom SslContext support, see: iron/iron#433 A few of our sub-dependencies also rely on Iron, it is not enough to simply replace iron with a fork because of Cargo's dependency resolution, see: rust-lang/cargo#2385 |
|
@samgiles I guess the alternative is to fork all the sub-dependencies that depend on Iron? |
|
I just thought: I'm doing this locally by setting a My I could add the iron into the repository and commit a config. @fabricedesre Does that sound reasonable as a work around? |
|
Yes, but can we override with a http or git url? |
|
No, it needs to be a local path. |
|
So, something like: |
samgiles
force-pushed
the
https-support
branch
5 times, most recently
from
a8be92b
to
24c8fa9
Compare
| @@ -33,4 +33,4 @@ script: | |||
| - $TRAVIS_BUILD_DIR/tools/execute-unit-tests-with-coverage | |||
| - jshint static/main/js/*.js static/setup/js/*.js test/selenium/*.js test/integration/lib/*.js test/integration/test/*.js | |||
| - npm run test-integration # starts foxbox and kills it within the test script | |||
| - (cargo run -- -l $BOX_LOCAL_NAME -p $BOX_PORT &> /dev/null &) ; npm run test-selenium | |||
| - (cargo run -- -l $BOX_LOCAL_NAME -p $BOX_PORT --disable-tls &> /dev/null &) ; npm run test-selenium | |||
There was a problem hiding this comment.
Why test with --disable-tls?
There was a problem hiding this comment.
We don't have a solution for testing with self signed certs or real certs yet. We don't lose anything by disabling TLS for the tests for the time being.
In the future we need to figure out how to test properly (and cross platform) with certs. Maybe @JohanLorenzo or @npark-mozilla have some thoughts.
There was a problem hiding this comment.
@samgiles Just run selenium with a Firefox profile that has the security exception for the certificate you're using in the tests, see e.g. https://blog.codecentric.de/en/2010/02/selenium-and-ssl-certificates/.
I don't agree we don't lose anything - currently, we have a http API with a test. Once we merge this, we will have a https API without a test. :(
If some upstream change in Iron causes our API server to break on https but not on http, we will not be able to see that in our tests. Right?
Can you create a follow-up ticket to repair the selenium test?
There was a problem hiding this comment.
I created this issue (#221) to create https test. Would like to find out how can I store / use certificates, will check the link you provided first on above comment.
Looks like for nodejs test, I need the .pem format of the cert/key/ca of the generated certificate somehow
| if self.context_provider.is_none() { | ||
| self.context_provider = Some(context_provider); | ||
| self.notify_provider(); | ||
| } |
There was a problem hiding this comment.
Should we throw (or log an error) if the context provider is set more than once?
|
This is an excellent job Sam! I only added a few minor comments. Please, rebase and r=me with the comments addressed. |
Local and remote HTTPS with SNI support
Configuring TLS:
Create a
certs/directory containing your cert's private key and certificate:The private_key and cert must be X509 files named
crt.pemandprivate_key.pemFor example:
The directory that
certsare found in can be configured in the configuration file under:foxbox.certficate_directory, by default the software will look for thecertsdirectory in your current working directory.You can disable TLS entirely using the
--disable-tlscommand line argument.