HTTPS....almost there, but need a nit of help

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

HTTPS....almost there, but need a nit of help

Julian Ford-2
Hello....

I am trying to switch over my web services to use HTTPS,
and I think I just about have it.

I gather the changes were actually pretty minimal,
but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates
(I did not spot anything in VA).  I used this to create a private key file,
in PEM format, that was password-encrypted.

I then used that primary key file, and the password, to create my certificate
(also in PEM format).

I can open the certificate successfully, using 
SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,
and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error
OpenSSLError
Error Code: 151404653
Error Object: ('problems getting password')
Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'
Error Hint: 'PEM_def_callback:problems getting password'
AuxiliaryData: nil


Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create
my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file
using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,
Julian

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/va-smalltalk/5953bcc7-ea7c-4098-b359-697c6680ef91%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS....almost there, but need a nit of help

Seth Berman
Hi Julian,

Does the following work?
Here we create the x509 object externally and pass that in as certificate:
That setter can accept <String> or <SciSslX509Certificate>
If you are using passphrases...then I thing you need the x509 object.

config := SciSslSocketConfiguration new
          certificate: (SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword' asPSZ)
          privateKeyFilename: '<your-dir>/key.pem';
          sslVersion: SciSslConstants::SSLv23;
          yourself.

-Seth

On Friday, January 10, 2020 at 11:15:45 AM UTC-5, Julian Ford wrote:
Hello....

I am trying to switch over my web services to use HTTPS,
and I think I just about have it.

I gather the changes were actually pretty minimal,
but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates
(I did not spot anything in VA).  I used this to create a private key file,
in PEM format, that was password-encrypted.

I then used that primary key file, and the password, to create my certificate
(also in PEM format).

I can open the certificate successfully, using 
SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,
and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error
OpenSSLError
Error Code: 151404653
Error Object: ('problems getting password')
Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'
Error Hint: 'PEM_def_callback:problems getting password'
AuxiliaryData: nil


Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create
my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file
using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,
Julian

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/va-smalltalk/34580c11-1469-4f32-9ece-0e986ba30210%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS....almost there, but need a nit of help

Julian Ford-2
Thanks for the reply, Seth....

Actually, I got it working earlier today.
My approach was similar. I was able to specify the certificate file, as in the example,
but I manually loaded the private key using #fromFile:password:, and passed THAT in
as the private key... instead of a file name.

Worked like a charm!

Now, I am not setting the SSL version.... should I be doing that?
Or is that really up to the partner company that will be consuming my
web services (this is not for a general browser...just direct communication from
a trusted partner).  I presume we must agree in the SSL version....

Regards,
Julian


On Saturday, January 11, 2020 at 12:02:27 PM UTC-5, Seth Berman wrote:
Hi Julian,

Does the following work?
Here we create the x509 object externally and pass that in as certificate:
That setter can accept <String> or <SciSslX509Certificate>
If you are using passphrases...then I thing you need the x509 object.

config := SciSslSocketConfiguration new
          certificate: (SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword' asPSZ)
          privateKeyFilename: '<your-dir>/key.pem';
          sslVersion: SciSslConstants::SSLv23;
          yourself.

-Seth

On Friday, January 10, 2020 at 11:15:45 AM UTC-5, Julian Ford wrote:
Hello....

I am trying to switch over my web services to use HTTPS,
and I think I just about have it.

I gather the changes were actually pretty minimal,
but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates
(I did not spot anything in VA).  I used this to create a private key file,
in PEM format, that was password-encrypted.

I then used that primary key file, and the password, to create my certificate
(also in PEM format).

I can open the certificate successfully, using 
SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,
and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error
OpenSSLError
Error Code: 151404653
Error Object: ('problems getting password')
Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'
Error Hint: 'PEM_def_callback:problems getting password'
AuxiliaryData: nil


Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create
my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file
using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,
Julian

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/va-smalltalk/6955d051-6f5b-470a-b4b9-46daa3acbe91%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS....almost there, but need a nit of help

Seth Berman
Hi Julian,

Typically you want to just set the version as 'default' or 'tls'.  They currently resolve to the same thing.
This will try and use the highest tls protocol that both the client and server support.

i.e.
SciSslSocketConfiguration new
sslVersion: 'default';
yourself.

or

SciSslSocketConfiguration new
sslVersion: 'TLS';
yourself.


There are also some new setters for 9.2 that let you easily constrain the min/max protocols allowed:
The example below says the client is only willing to connect to servers that support TLS1.2 or TLS1.3
Everything else is rejected.

SciSslSocketConfiguration new
minProtocol: TLS1_2_VERSION;
        maxProtocol: TLS1_3_VERSION;
yourself.

- Seth

On Saturday, January 11, 2020 at 8:47:25 PM UTC-5, Julian Ford wrote:
Thanks for the reply, Seth....

Actually, I got it working earlier today.
My approach was similar. I was able to specify the certificate file, as in the example,
but I manually loaded the private key using #fromFile:password:, and passed THAT in
as the private key... instead of a file name.

Worked like a charm!

Now, I am not setting the SSL version.... should I be doing that?
Or is that really up to the partner company that will be consuming my
web services (this is not for a general browser...just direct communication from
a trusted partner).  I presume we must agree in the SSL version....

Regards,
Julian


On Saturday, January 11, 2020 at 12:02:27 PM UTC-5, Seth Berman wrote:
Hi Julian,

Does the following work?
Here we create the x509 object externally and pass that in as certificate:
That setter can accept <String> or <SciSslX509Certificate>
If you are using passphrases...then I thing you need the x509 object.

config := SciSslSocketConfiguration new
          certificate: (SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword' asPSZ)
          privateKeyFilename: '<your-dir>/key.pem';
          sslVersion: SciSslConstants::SSLv23;
          yourself.

-Seth

On Friday, January 10, 2020 at 11:15:45 AM UTC-5, Julian Ford wrote:
Hello....

I am trying to switch over my web services to use HTTPS,
and I think I just about have it.

I gather the changes were actually pretty minimal,
but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates
(I did not spot anything in VA).  I used this to create a private key file,
in PEM format, that was password-encrypted.

I then used that primary key file, and the password, to create my certificate
(also in PEM format).

I can open the certificate successfully, using 
SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,
and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error
OpenSSLError
Error Code: 151404653
Error Object: ('problems getting password')
Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'
Error Hint: 'PEM_def_callback:problems getting password'
AuxiliaryData: nil


Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create
my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file
using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,
Julian

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/va-smalltalk/b28b251d-df9e-466c-8b88-96b7da52db77%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS....almost there, but need a nit of help

Wayne Johnston
Seth, for purposes of specifying allowed TLS versions, would you recommend using #minProtocol: / #maxProtocol: instead of the older/cryptic #sslVersion: ?

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/va-smalltalk/fca3b5ab-1f47-4e45-a111-e2a00cdc8a50%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS....almost there, but need a nit of help

Seth Berman
Hi Wayne,

Yes, I would use #minProtocol:/#maxProtocol:.  The requirement is that you are running versions of OpenSSL >= 1.1.0.
The 1.0.x branch is now out of support, but if you are using it, then you have to use sslVersion:

- Seth

On Monday, January 13, 2020 at 10:03:59 AM UTC-5, Wayne Johnston wrote:
Seth, for purposes of specifying allowed TLS versions, would you recommend using #minProtocol: / #maxProtocol: instead of the older/cryptic #sslVersion: ?

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/va-smalltalk/5fc398c5-c866-472f-90ea-44bc41895085%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS....almost there, but need a nit of help

Julian Ford-2
In reply to this post by Seth Berman
Thanks for the additional info, Seth!!
It is very helpful!

Julian

On Saturday, January 11, 2020 at 8:58:45 PM UTC-5, Seth Berman wrote:
Hi Julian,

Typically you want to just set the version as 'default' or 'tls'.  They currently resolve to the same thing.
This will try and use the highest tls protocol that both the client and server support.

i.e.
SciSslSocketConfiguration new
sslVersion: 'default';
yourself.

or

SciSslSocketConfiguration new
sslVersion: 'TLS';
yourself.


There are also some new setters for 9.2 that let you easily constrain the min/max protocols allowed:
The example below says the client is only willing to connect to servers that support TLS1.2 or TLS1.3
Everything else is rejected.

SciSslSocketConfiguration new
minProtocol: TLS1_2_VERSION;
        maxProtocol: TLS1_3_VERSION;
yourself.

- Seth

On Saturday, January 11, 2020 at 8:47:25 PM UTC-5, Julian Ford wrote:
Thanks for the reply, Seth....

Actually, I got it working earlier today.
My approach was similar. I was able to specify the certificate file, as in the example,
but I manually loaded the private key using #fromFile:password:, and passed THAT in
as the private key... instead of a file name.

Worked like a charm!

Now, I am not setting the SSL version.... should I be doing that?
Or is that really up to the partner company that will be consuming my
web services (this is not for a general browser...just direct communication from
a trusted partner).  I presume we must agree in the SSL version....

Regards,
Julian


On Saturday, January 11, 2020 at 12:02:27 PM UTC-5, Seth Berman wrote:
Hi Julian,

Does the following work?
Here we create the x509 object externally and pass that in as certificate:
That setter can accept <String> or <SciSslX509Certificate>
If you are using passphrases...then I thing you need the x509 object.

config := SciSslSocketConfiguration new
          certificate: (SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword' asPSZ)
          privateKeyFilename: '<your-dir>/key.pem';
          sslVersion: SciSslConstants::SSLv23;
          yourself.

-Seth

On Friday, January 10, 2020 at 11:15:45 AM UTC-5, Julian Ford wrote:
Hello....

I am trying to switch over my web services to use HTTPS,
and I think I just about have it.

I gather the changes were actually pretty minimal,
but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates
(I did not spot anything in VA).  I used this to create a private key file,
in PEM format, that was password-encrypted.

I then used that primary key file, and the password, to create my certificate
(also in PEM format).

I can open the certificate successfully, using 
SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,
and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error
OpenSSLError
Error Code: 151404653
Error Object: ('problems getting password')
Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'
Error Hint: 'PEM_def_callback:problems getting password'
AuxiliaryData: nil


Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create
my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file
using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,
Julian

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/va-smalltalk/7bcbfe93-7303-4147-9b53-df194fbfde22%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: HTTPS....almost there, but need a nit of help

Seth Berman
My pleasure to help!

On Wednesday, January 15, 2020 at 12:09:07 AM UTC-5, Julian Ford wrote:
Thanks for the additional info, Seth!!
It is very helpful!

Julian

On Saturday, January 11, 2020 at 8:58:45 PM UTC-5, Seth Berman wrote:
Hi Julian,

Typically you want to just set the version as 'default' or 'tls'.  They currently resolve to the same thing.
This will try and use the highest tls protocol that both the client and server support.

i.e.
SciSslSocketConfiguration new
sslVersion: 'default';
yourself.

or

SciSslSocketConfiguration new
sslVersion: 'TLS';
yourself.


There are also some new setters for 9.2 that let you easily constrain the min/max protocols allowed:
The example below says the client is only willing to connect to servers that support TLS1.2 or TLS1.3
Everything else is rejected.

SciSslSocketConfiguration new
minProtocol: TLS1_2_VERSION;
        maxProtocol: TLS1_3_VERSION;
yourself.

- Seth

On Saturday, January 11, 2020 at 8:47:25 PM UTC-5, Julian Ford wrote:
Thanks for the reply, Seth....

Actually, I got it working earlier today.
My approach was similar. I was able to specify the certificate file, as in the example,
but I manually loaded the private key using #fromFile:password:, and passed THAT in
as the private key... instead of a file name.

Worked like a charm!

Now, I am not setting the SSL version.... should I be doing that?
Or is that really up to the partner company that will be consuming my
web services (this is not for a general browser...just direct communication from
a trusted partner).  I presume we must agree in the SSL version....

Regards,
Julian


On Saturday, January 11, 2020 at 12:02:27 PM UTC-5, Seth Berman wrote:
Hi Julian,

Does the following work?
Here we create the x509 object externally and pass that in as certificate:
That setter can accept <String> or <SciSslX509Certificate>
If you are using passphrases...then I thing you need the x509 object.

config := SciSslSocketConfiguration new
          certificate: (SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword' asPSZ)
          privateKeyFilename: '<your-dir>/key.pem';
          sslVersion: SciSslConstants::SSLv23;
          yourself.

-Seth

On Friday, January 10, 2020 at 11:15:45 AM UTC-5, Julian Ford wrote:
Hello....

I am trying to switch over my web services to use HTTPS,
and I think I just about have it.

I gather the changes were actually pretty minimal,
but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates
(I did not spot anything in VA).  I used this to create a private key file,
in PEM format, that was password-encrypted.

I then used that primary key file, and the password, to create my certificate
(also in PEM format).

I can open the certificate successfully, using 
SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,
and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error
OpenSSLError
Error Code: 151404653
Error Object: ('problems getting password')
Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'
Error Hint: 'PEM_def_callback:problems getting password'
AuxiliaryData: nil


Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create
my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file
using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,
Julian

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/va-smalltalk/e9520119-74cd-4cf8-972f-805dbf0389cd%40googlegroups.com.