Re: Help: Zodiac secure server.

Re: Help: Zodiac secure server.

Sven Van Caekenberghe
Hi Prasad,

On 08 Dec 2011, at 18:09, Prasad Khurd wrote:

> Hello Sven,
> I am trying to write a zodiac secure server. I was able to successfully make a server copying most of the server part from Zinc Http server. Then, I tried replacing the SocketStream with your ZnSecureSocketStream but that didn’t work… I haven’t read much on SSL yet so I assumed whatever was sent from the secure stream of the client would be decrypted on the server using ZnSecureSocketStream – like a toggle mostly but I guess I am wrong. I’d appreciate it if you could give me some pointers or if you had a sample of such a secure server implementation.
>
> Thank you,
> Prasad

Thanks a lot for your interest in Zn+Zdc, this is a good area to work on.

I haven't done this myself yet, for a couple of reasons:
 - lack of time
 - debugging Zdc was higher priority
 - client side was/is higher priority

That being said, it would be nice if you could do a proof of concept.

To make this work you have to wrap a ZdcSecureSocketStream on: the socket that you get back from #waitForAcceptFor:

The place to do this is in ZnSingleThreadedServer>>#socketStreamOn:

It would be best to do this in a subclass from either ZnSingleThreadedServer or ZnMultiThreadedServer

Then you have to set the server certificate on the stream by getting the #sslSession from the ZdcSecureSocketStream that you just created and calling #certificateName: (this won't work on Mac OS X due to missing functionality in the plugin).

Finally you should do an #accept on the ZdcSecureSocketStream. If that works, the server should work transparently with the secure stream as if it is a regular one.

Apart from debugging, there is no reason this should not work ;-)

Good luck and please let me know how it goes!

Regards,

Sven

Re: Help: Zodiac secure server.

Sven Van Caekenberghe
Prasad,

Comments inline:

On 11 Dec 2011, at 19:06, Prasad Khurd wrote:

> socketStreamOn: socket
>     | stream sss |
>     stream := ZdcSecureSocketStream on: socket.
>     stream
>         binary;
>         shouldSignal: true;
>         autoFlush: false;
>         bufferSize: self class socketBufferSize;

The 4 messages above are not necessary (they are no-ops for ZdcSecureSocketStream, see their implementation).

>         timeout: self class socketStreamTimeout.
>     stream sslSession certificateName: '/home/khurd/pharo/cert.pem'.
>
>     sss := stream sslSession.
>     Transcript cr; show: 'Is connected: ', sss isConnected printString,
>         'certVerifState: ', sss certificateVerificationState printString.
>     stream accept.
>
> At the transcript output I get
> Is connected: false certVerifState: 0
> which leads me to believe the certificate (cert.pem) is valid but the
> sslSession has disconnected

The SSL session can only be OK *after* the #accept.

> and I get a walkback in accept stating the
> connection is closed. Are any of the stream settings wrong? Can you please share briefly how I could debug here…

What is the walkback?

> Also do I need to set the certificateName on the client stream's sslSession?
>
> ss := ZdcSecureSocketStream
>      openConnectionToHostNamed: 'localhost' port: 443.
> ss sslSession certificateName: '/home/khurd/pharo/cacert.pem'.

Each secure stream has an SSLSession instance on which you should set the certificate once.
The argument should be the full path to the .pem file which must include both the certificate and the private key.
In the document that you used I think it should be key-cert.pem, the combined private key and certificate.

Good luck and be sure to let me know how it goes.

Sven

PS: BTW I guess you are on Linux? Because on Mac OS X this won't work due to missing functionality in the plugin.
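The three steps from the first reply (wrap the accepted socket, set the certificate once on the SSLSession, then #accept) combined with the caveats from the comments above (the no-op settings, the session only being connected after #accept, the combined key-and-certificate .pem), as an added example that is not Sven's code nor part of the Zinc/Zodiac packages. The class name MySecureServer, the instance variable certificatePath and the handshake check are assumptions.

```smalltalk
"Added example (not from the thread or the Zinc/Zodiac packages);
 MySecureServer and certificatePath are assumed names."
ZnSingleThreadedServer subclass: #MySecureServer
    instanceVariableNames: 'certificatePath'
    classVariableNames: ''
    poolDictionaries: ''
    category: 'MySecureServer-Example'.

MySecureServer >> certificatePath: aString
    "Full path to a .pem that contains BOTH the private key and
     the certificate (key-cert.pem in the thread)."
    certificatePath := aString

MySecureServer >> socketStreamOn: socket
    "Wrap the socket returned by #waitForAcceptFor: in a secure stream.
     #binary, #shouldSignal:, #autoFlush: and #bufferSize: are no-ops
     on ZdcSecureSocketStream, so only the timeout is set."
    | stream session |
    stream := ZdcSecureSocketStream on: socket.
    stream timeout: self class socketStreamTimeout.
    "Set the server certificate once, on the stream's SSLSession."
    session := stream sslSession.
    session certificateName: certificatePath.
    "Run the TLS handshake; the session can only be connected after this."
    stream accept.
    session isConnected
        ifFalse: [ self error: 'TLS handshake failed' ].
    ^ stream

"Usage (assumed; the port and path are placeholders)"
(MySecureServer on: 1443)
    certificatePath: '/path/to/key-cert.pem';
    start.
```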



Re: Help: Zodiac secure server.

Sven Van Caekenberghe
Hi Prasad,

On 13 Dec 2011, at 04:35, Prasad Khurd wrote:

> Hello Sven,
>   using the key-cert.pem didn't help... I used firefox as client. Attached is the walkback and the key-cert.pem.
>
> I used ZdcSecureSocketStreamTests>>testPlain to conclude SqueakSSL.so was not loading in Fedora 14 (test failed) but did in Ubuntu 10.10 (test passed). Is that a sufficient test? I will try your suggestion too next time.
>
> thanks and regards,
> Prasad

I implemented my own version of an HTTPS server called ZnSecureServer (in the package 'Zinc-Zodiac' in http://www.squeaksource.com/ZincHTTPComponents) and I got it working (more or less) on the latest Ubuntu with both Firefox and curl as clients (Google Chrome did not work) and your certificate. You have to accept the security exception for the self signed certificate in FF or use the -k option for curl. Error handling is not good yet, you might have to restart the server.

There was indeed still an error in ZnSecureSocketStream>>#accept as I expected. So use the very latest versions.

(ZnSecureServer on: 1443)
        certificate: '/home/sven/ssl/key-cert.pem';
        logToTranscript;
        start;
        yourself.

https://localhost:1443

Disclaimer: this is an experimental proof of concept.

Let me know how it goes.

Regards,

Sven