SSL: configure keys per site #433

Closed
mworrell opened this Issue Oct 1, 2012 · 15 comments

4 participants

@mworrell
Zotonic member

Make it possible to add SSL keys per site. For this we need to start an SSL listener for each site separately. We also need to add an ssl port number to the ssl config. Keys could be placed in the ssl directory, using default names.

  • sitename.CA.crt (contains the certificate chain)
  • sitename.crt
  • sitename.pem

where sitename is the name of the site.

@mworrell mworrell was assigned Oct 1, 2012
@mworrell
Zotonic member

On a side note.

openssl nowadays creates PKCS#8 private keys (starting with -----BEGIN PRIVATE KEY-----).
Erlang new_ssl wants PKCS#1 private keys (starting with -----BEGIN RSA PRIVATE KEY-----).
When new_ssl receives a PKCS#8 key then it decodes to [], resulting in strange errors.

I think we should do a quick check on any private key if:

  • it exists
  • is readable
  • is a PKCS#1 key

When not then we could suggest the command: openssl rsa -in sitename.key -out sitename.pem

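The check proposed above (the key file exists, is readable, and starts with a PKCS#1 header, otherwise suggest the openssl conversion), as an added Python example that is not Zotonic's own code; the file names and placeholder key bodies in the demo are constructed, not real keys.

```python
import os
import re
import tempfile

# PEM label Erlang's ssl application expects for an RSA key (PKCS#1) versus
# the PKCS#8 wrappers that modern openssl emits by default.
PKCS1_LABEL = "RSA PRIVATE KEY"
PKCS8_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z ]+)-----[ \t]*$", re.MULTILINE)


def check_private_key(path):
    """Return (ok, message) for the private key file at `path`.

    Checks, in order: the file exists, it is readable, and its first PEM
    block is a PKCS#1 RSA key. For a PKCS#8 key the message carries the
    openssl command (from the thread) that converts it to PKCS#1.
    """
    if not os.path.exists(path):
        return False, "private key %s does not exist" % path
    if not os.access(path, os.R_OK):  # note: always True when running as root
        return False, "private key %s is not readable" % path
    with open(path, "r") as f:
        match = PEM_HEADER.search(f.read())
    if match is None:
        return False, "private key %s contains no PEM block" % path
    label = match.group(1)
    if label == PKCS1_LABEL:
        return True, "private key %s is a PKCS#1 RSA key" % path
    if label in PKCS8_LABELS:
        site = os.path.splitext(os.path.basename(path))[0]
        return False, ("private key %s is PKCS#8 (%s); convert it with: "
                       "openssl rsa -in %s -out %s.pem" % (path, label, path, site))
    return False, "private key %s has unsupported PEM type %s" % (path, label)


def demo():
    """Run the check on two constructed key files and one missing path."""
    d = tempfile.mkdtemp()
    pkcs1, pkcs8 = os.path.join(d, "example.pem"), os.path.join(d, "example.key")
    with open(pkcs1, "w") as f:  # constructed placeholder body, not a real key
        f.write("-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n")
    with open(pkcs8, "w") as f:  # constructed placeholder body, not a real key
        f.write("-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")
    return [check_private_key(p) for p in (pkcs1, pkcs8, os.path.join(d, "missing.pem"))]


if __name__ == "__main__":
    for ok, message in demo():
        print("OK " if ok else "ERR", message)
```
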
@kaos
Zotonic member

+1.

Sounds good, although I've not yet used SSL with zotonic...

@mmzeeman
Zotonic member

Is it possible to run virtual hosts with ssl with different certificates on port 443? In the past (read: way back) I had to arrange a separate ip-address per virtual host.

@kaos
Zotonic member

@mmzeeman did you miss the ssl port config option? I guess that either different IPs /or/ different ports would work?

@arjan
Zotonic member

I think it would be wise, as part of these SSL tickets, to make a documentation page on how SSL with zotonic works, and to configure it and what the different options are.

@mmzeeman
Zotonic member

+1 There are so many ways to do this. With a reverse proxy in front, port mapping, etc etc.

@mworrell
Zotonic member

Port configuration in general needs to be covered.

And SSL makes it even more hairy. @kaos was right that I propose to add a separate listener on a separate port for every site. With port mapping you can then select which one is the "happy one" on 443. Though you need to configure that the outside port is 443 (just like with 80) so that we don't add the port to URLs.

@mmzeeman
Zotonic member

So it is still that way, just one virtual server per ip will be the happy one running on port 443. (sounds like a protocol design flaw).

Btw, wouldn't it be easier to place the keys and certs directly inside the config file? Keys and certs are all printable text. Relying on a separate directory with separate files can cause configuration problems.

@mworrell
Zotonic member

I was thinking of putting them in files because:

  • (new_)ssl wants them to be files
  • they are delivered as files from external parties.

@arjan
Zotonic member

I agree with @mworrell; all web servers I know of do it this way, so people are used to setting up the configuration like this.

@kaos
Zotonic member

It also makes it easier to manage the keys when you don't need to touch the config file.
And can work with them directly using other tools (e.g. openssl).

However, perhaps it could be useful to have the option to put keys in the site config file, and then zotonic could export them from the config file if it can't find the key files.

@mmzeeman
Zotonic member

@mworrell Forgot about new_ssl, openssl wraps the whole hoop jumping part.

@mworrell
Zotonic member

For now I keep it simple and put the keys in files in the ssl directory.

@mmzeeman Mochiweb uses the Erlang ssl library, which is new_ssl, isn't it?

@mmzeeman
Zotonic member

Personal side note: For end users ssl solves the trust problem in the worst possible way. The protocol was designed with the certificate business in mind as it was supposed to be Netscape's moneymaker. Unfortunately it is still "best practice" and we have to deal with it.

@mmzeeman
Zotonic member

@mworrell From what I read: new_ssl is now the default ssl implementation from R14 and up.

@mworrell mworrell added a commit that closed this issue Oct 2, 2012
@mworrell mworrell mod_ssl: Added mod_ssl, enables ssl certs per site. Removed ssl from …
…the core. Tuned dispatch rules for more secure usage. Fixes #434. Fixes #433.
54e60f6
@mworrell mworrell closed this in 54e60f6 Oct 2, 2012
@rpip rpip pushed a commit to rpip/zotonic that referenced this issue Aug 12, 2013
@mworrell mworrell mod_ssl: Added mod_ssl, enables ssl certs per site. Removed ssl from …
…the core. Tuned dispatch rules for more secure usage. Fixes #434. Fixes #433.
6d3d719