HTTPS....almost there, but need a nit of help

Hello....

I am trying to switch over my web services to use HTTPS,

and I think I just about have it.

I gather the changes were actually pretty minimal,

but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates

(I did not spot anything in VA).  I used this to create a private key file,

in PEM format, that was password-encrypted.

I then used that primary key file, and the password, to create my certificate

(also in PEM format).

I can open the certificate successfully, using 

SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,

and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error

OpenSSLError

Error Code: 151404653

Error Object: ('problems getting password')

Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'

Error Hint: 'PEM_def_callback:problems getting password'

AuxiliaryData: nil

Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create

my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file

using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,

Julian

Thanks for the reply, Seth....

Actually, I got it working earlier today.

My approach was similar. I was able to specify the certificate file, as in the example,

but I manually loaded the private key using #fromFile:password:, and passed THAT in

as the private key... instead of a file name.

Worked like a charm!

Now, I am not setting the SSL version.... should I be doing that?

Or is that really up to the partner company that will be consuming my

web services (this is not for a general browser...just direct communication from

a trusted partner).  I presume we must agree in the SSL version....

Regards,

Julian

On Saturday, January 11, 2020 at 12:02:27 PM UTC-5, Seth Berman wrote:

Hi Julian,

Does the following work?
Here we create the x509 object externally and pass that in as certificate:
That setter can accept <String> or <SciSslX509Certificate>

If you are using passphrases...then I thing you need the x509 object.

config := SciSslSocketConfiguration new

          certificate: (SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword' asPSZ)

          privateKeyFilename: '<your-dir>/key.pem';

          sslVersion: SciSslConstants::SSLv23;

          yourself.

-Seth

On Friday, January 10, 2020 at 11:15:45 AM UTC-5, Julian Ford wrote:

Hello....

I am trying to switch over my web services to use HTTPS,

and I think I just about have it.

I gather the changes were actually pretty minimal,

but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates

(I did not spot anything in VA).  I used this to create a private key file,

in PEM format, that was password-encrypted.

I then used that primary key file, and the password, to create my certificate

(also in PEM format).

I can open the certificate successfully, using 

SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,

and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error

OpenSSLError

Error Code: 151404653

Error Object: ('problems getting password')

Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'

Error Hint: 'PEM_def_callback:problems getting password'

AuxiliaryData: nil

Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create

my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file

using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,

Julian

Seth, for purposes of specifying allowed TLS versions, would you recommend using #minProtocol: / #maxProtocol: instead of the older/cryptic #sslVersion: ?

Hi Julian,

Typically you want to just set the version as 'default' or 'tls'.  They currently resolve to the same thing.
This will try and use the highest tls protocol that both the client and server support.

i.e.

SciSslSocketConfiguration new

sslVersion: 'default';

yourself.

or

SciSslSocketConfiguration new

sslVersion: 'TLS';

yourself.

There are also some new setters for 9.2 that let you easily constrain the min/max protocols allowed:
The example below says the client is only willing to connect to servers that support TLS1.2 or TLS1.3

Everything else is rejected.

SciSslSocketConfiguration new

minProtocol: TLS1_2_VERSION;
        maxProtocol: TLS1_3_VERSION;

yourself.

- Seth

On Saturday, January 11, 2020 at 8:47:25 PM UTC-5, Julian Ford wrote:

Thanks for the reply, Seth....

Actually, I got it working earlier today.

My approach was similar. I was able to specify the certificate file, as in the example,

but I manually loaded the private key using #fromFile:password:, and passed THAT in

as the private key... instead of a file name.

Worked like a charm!

Now, I am not setting the SSL version.... should I be doing that?

Or is that really up to the partner company that will be consuming my

web services (this is not for a general browser...just direct communication from

a trusted partner).  I presume we must agree in the SSL version....

Regards,

Julian

On Saturday, January 11, 2020 at 12:02:27 PM UTC-5, Seth Berman wrote:

Hi Julian,

Does the following work?
Here we create the x509 object externally and pass that in as certificate:
That setter can accept <String> or <SciSslX509Certificate>

If you are using passphrases...then I thing you need the x509 object.

config := SciSslSocketConfiguration new

          certificate: (SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword' asPSZ)

          privateKeyFilename: '<your-dir>/key.pem';

          sslVersion: SciSslConstants::SSLv23;

          yourself.

-Seth

On Friday, January 10, 2020 at 11:15:45 AM UTC-5, Julian Ford wrote:

Hello....

I am trying to switch over my web services to use HTTPS,

and I think I just about have it.

I gather the changes were actually pretty minimal,

but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates

(I did not spot anything in VA).  I used this to create a private key file,

in PEM format, that was password-encrypted.

I then used that primary key file, and the password, to create my certificate

(also in PEM format).

I can open the certificate successfully, using 

SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,

and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error

OpenSSLError

Error Code: 151404653

Error Object: ('problems getting password')

Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'

Error Hint: 'PEM_def_callback:problems getting password'

AuxiliaryData: nil

Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create

my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file

using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,

Julian