|
@@ -1,7 +1,7 @@
|
|
|
Adding OpenSSL Support
|
|
Adding OpenSSL Support
|
|
|
=====
|
|
=====
|
|
|
|
|
|
|
|
-Civetweb supports *HTTPS* connections using the OpenSSL transport layer
|
|
|
|
|
|
|
+Civetweb supports *HTTPS* connections using the OpenSSL transport layer
|
|
|
security (TLS) library. OpenSSL is a free, open source library (see
|
|
security (TLS) library. OpenSSL is a free, open source library (see
|
|
|
http://www.openssl.org/).
|
|
http://www.openssl.org/).
|
|
|
|
|
|
|
@@ -13,46 +13,57 @@ Getting Started
|
|
|
major Linux distributions as well as a setup for Windows.
|
|
major Linux distributions as well as a setup for Windows.
|
|
|
- The default build configuration of the civetweb web server will load the
|
|
- The default build configuration of the civetweb web server will load the
|
|
|
required OpenSSL libraries, if a HTTPS certificate has been configured.
|
|
required OpenSSL libraries, if a HTTPS certificate has been configured.
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
|
|
|
|
|
Civetweb Configuration
|
|
Civetweb Configuration
|
|
|
----
|
|
----
|
|
|
-
|
|
|
|
|
-The configuration file should contain an https port, e.g.
|
|
|
|
|
|
|
+
|
|
|
|
|
+The configuration file must contain an https port, identified by a letter 's'
|
|
|
|
|
+attached to the port number.
|
|
|
|
|
+To serve http and https from their standard ports use the following line in
|
|
|
|
|
+the configuration file 'civetweb.conf':
|
|
|
|
|
+<pre>
|
|
|
listening_ports 80, 443s
|
|
listening_ports 80, 443s
|
|
|
-to server http and https from their standard ports, or
|
|
|
|
|
|
|
+</pre>
|
|
|
|
|
+To serve only https use:
|
|
|
|
|
+<pre>
|
|
|
listening_ports 443s
|
|
listening_ports 443s
|
|
|
-to serve only https.
|
|
|
|
|
|
|
+</pre>
|
|
|
|
|
|
|
|
-Furthermore the SSL certificate file must be set, e.g.
|
|
|
|
|
|
|
+Furthermore the SSL certificate file must be set:
|
|
|
|
|
+<pre>
|
|
|
ssl_certificate d:\civetweb\certificate\server.pem
|
|
ssl_certificate d:\civetweb\certificate\server.pem
|
|
|
|
|
+</pre>
|
|
|
|
|
+
|
|
|
|
|
|
|
|
-
|
|
|
|
|
Creating a self signed certificate
|
|
Creating a self signed certificate
|
|
|
----
|
|
----
|
|
|
|
|
|
|
|
-OpenSSL provides a command line interface, that can be used to create the
|
|
|
|
|
-certificate file required by civetweb (server.pem).
|
|
|
|
|
|
|
+OpenSSL provides a command line interface, that can be used to create the
|
|
|
|
|
+certificate file required by civetweb (server.pem).
|
|
|
|
|
|
|
|
One can use the following steps in Windows (in Linux replace "copy" by "cp"
|
|
One can use the following steps in Windows (in Linux replace "copy" by "cp"
|
|
|
and "type" by "cat"):
|
|
and "type" by "cat"):
|
|
|
|
|
|
|
|
|
|
+<pre>
|
|
|
openssl genrsa -des3 -out server.key 1024
|
|
openssl genrsa -des3 -out server.key 1024
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
openssl req -new -key server.key -out server.csr
|
|
openssl req -new -key server.key -out server.csr
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
copy server.key server.key.orig
|
|
copy server.key server.key.orig
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
openssl rsa -in server.key.orig -out server.key
|
|
openssl rsa -in server.key.orig -out server.key
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
|
|
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
copy server.crt server.pem
|
|
copy server.crt server.pem
|
|
|
-
|
|
|
|
|
- type server.key >> server.pem
|
|
|
|
|
|
|
|
|
|
|
|
+ type server.key >> server.pem
|
|
|
|
|
+</pre>
|
|
|
|
|
|
|
|
-The server.pem should look like this (x represents BASE64 encoded data):
|
|
|
|
|
|
|
+The server.pem file created must contain a 'certificate' section as well as a
|
|
|
|
|
+'rsa private key' section. It should look like this (x represents BASE64
|
|
|
|
|
+encoded data):
|
|
|
|
|
|
|
|
<pre>
|
|
<pre>
|
|
|
-----BEGIN CERTIFICATE-----
|
|
-----BEGIN CERTIFICATE-----
|
|
@@ -86,3 +97,36 @@ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
|
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
|
-----END RSA PRIVATE KEY-----
|
|
-----END RSA PRIVATE KEY-----
|
|
|
</pre>
|
|
</pre>
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
+Common Problems
|
|
|
|
|
+----
|
|
|
|
|
+
|
|
|
|
|
+In case the OpenSSL configuration is not set up correctly, the server will not
|
|
|
|
|
+start. Configure an error log file in 'civetweb.conf' to get more information:
|
|
|
|
|
+<pre>
|
|
|
|
|
+ error_log_file error.log
|
|
|
|
|
+</pre>
|
|
|
|
|
+
|
|
|
|
|
+Check the content of 'error.log':
|
|
|
|
|
+
|
|
|
|
|
+<pre>
|
|
|
|
|
+load_dll: cannot load libeay32.*/libcrypto.*/ssleay32.*/libssl.*
|
|
|
|
|
+</pre>
|
|
|
|
|
+This error message means, the SSL library has not been installed (correctly).
|
|
|
|
|
+For Windows you might use the pre-built binaries. A link is available at the
|
|
|
|
|
+OpenSSL project home page (http://www.openssl.org/related/binaries.html).
|
|
|
|
|
+Choose the windows system folder as installation directory - this is the
|
|
|
|
|
+default location.
|
|
|
|
|
+
|
|
|
|
|
+<pre>
|
|
|
|
|
+set_ssl_option: cannot open server.pem: error:PEM routines:*:PEM_read_bio:no start line
|
|
|
|
|
+set_ssl_option: cannot open server.pem: error:PEM routines:*:PEM_read_bio:bad end line
|
|
|
|
|
+</pre>
|
|
|
|
|
+These error messages indicate, that the format of the ssl_certificate file does
|
|
|
|
|
+not match the expectations of the SSL library. The PEM file must contain both,
|
|
|
|
|
+a 'CERTIFICATE' and a 'RSA PRIVATE KEY' section. It should be a strict ASCII
|
|
|
|
|
+file without byte-order marks.
|
|
|
|
|
+The instructions above may be used to create a valid ssl_certificate file.
|
|
|
|
|
+
|
|
|
|
|
+
|
bel