rejetto forum

How about SSL support


Anonymous (Guest)

Great little program.. just wondering if you could make it a little more secure by adding an option for HTTPS?

Thanks!


blueeagle69
Hi.

You can use STunnel.

It works great.

Just Google for "STunnel"

Hope this helps.


Azag (Guest)
Quote from: "blueeagle69"
Hi.

You can use STunnel.

It works great.

Just Google for "STunnel"

Hope this helps.

blueeagle69, could you show me some proof that you got this to work (HFS using STunnel)? It would save me time in setting it up and finding out that it isn't working if I try again. :P  :roll:  A screenshot or link of a site running with this would be nice. Maybe you could write a little tutorial on how to do it successfully, that is, if you have tried this. Still, without some proof I have a hard time believing this would work, no offense. ;)
Even if it could, to me it seems hardly worth the trouble unless maybe you run an e-commerce type site or want more privacy or added security. I have tried experimenting with this in the past with HFS, STunnel, OpenSSL and made a working certificate (.pem file) and had no success even with STunnel tutorials I found. :?

Peace,

Azag


blueeagle69
Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL certificate. Copy this to the STunnel main folder. This certificate should be called STunnel.pem.

Then edit the STunnel config and find these lines. If they are not there, then simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below:

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC, by using your IP with :443 on the end, or do as I did, and create a DynDNS account.
If you are not aware, you can create a normal Dynamic domain, and have this re-direct to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a router firewall, so all I get is my router logon.

Anyway, here is my address. See if you can connect to it.
It will be password protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org



blueeagle69

Yes, that's correct.

The first URL re-directs you to the secure URL.
Your attempt was picked up both by STunnel and HFS!


blueeagle69

Quote from: "blueeagle69"
Yes, that's correct.

The first URL re-directs you to the secure URL.
Your attempt was picked up both by STunnel and HFS!

It re-directs you to https://blueeagle69.dyndns.org, which is the secure one.

Look on the bottom left of the browser window, in Explorer's case, and you will see the address you are re-directed to.


~GeeS~
:D  :^^:
Blueeagle69!!! You made my day!!!  :happy:

Stunnel works perfectly on my machine now. edit: And no admin rights required & no messing around with the registry :twisted:

2006.04.21 20:31:19 LOG7[3432:556]: https connecting 127.0.0.1:80
2006.04.21 20:31:19 LOG7[3432:556]: connect_wait: waiting 10 seconds
2006.04.21 20:31:19 LOG7[3432:556]: connect_wait: connected
2006.04.21 20:31:19 LOG7[3432:556]: Remote FD=280 initialized
2006.04.21 20:31:19 LOG7[3432:556]: TCP_NODELAY option set on remote socket
2006.04.21 20:31:59 LOG7[3432:2696]: https accepted FD=304 from 10.0.0.150:1207
2006.04.21 20:31:59 LOG7[3432:2696]: Creating a new thread
2006.04.21 20:31:59 LOG7[3432:2696]: New thread created
2006.04.21 20:31:59 LOG7[3432:2276]: https started
2006.04.21 20:31:59 LOG7[3432:2276]: FD 304 in non-blocking mode
2006.04.21 20:31:59 LOG7[3432:2276]: TCP_NODELAY option set on local socket
2006.04.21 20:31:59 LOG5[3432:2276]: https connected from 10.0.0.150:1207
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): before/accept initialization
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 read client hello A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 write server hello A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 write change cipher spec A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 write finished A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 flush data
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 read finished A
2006.04.21 20:31:59 LOG7[3432:2276]:    1 items in the session cache
2006.04.21 20:31:59 LOG7[3432:2276]:    0 client connects (SSL_connect())
2006.04.21 20:31:59 LOG7[3432:2276]:    0 client connects that finished
2006.04.21 20:31:59 LOG7[3432:2276]:    0 client renegotiations requested
2006.04.21 20:31:59 LOG7[3432:2276]:    7 server connects (SSL_accept())
2006.04.21 20:31:59 LOG7[3432:2276]:    7 server connects that finished


Thank you for pointing me to stunnel (had tried it years ago, but never thought about using it for extending HFS with https/ssl).

This combination now makes HFS a real killer!
As soon as I've tested it completely, I will provide a non-tech manual in the wiki.
Edit: If you are behind a router, don't forget to forward port 443!

Rejetto: Does it make sense to lower the priority for SSL-support for HFS in your To-Do list? BTW stunnel is open source & GNU
~GeeS~


rejetto

blueeagle69
You are very welcome.

Glad I could help!


deisler (Guest)

Hi, I've got mine working too, except I can't seem to log in successfully. The main page works and public folders work under https and it'll always auto-direct to https, but if I log in it'll go back to http! How do I direct this to https? Sorry if I'm not clear on my question, I really don't know how to put it into words.


maverick
deisler

Does your login IP address start with http or https?  (it should start with https).

You could also create a normal DynDNS account and have that account re-direct to another DynDNS account which would be setup as the secure one.
maverick


~GeeS~
Quote
main page works and public folders work under https and it'll always auto direct to https, but if to login it'll go back to http
Same problem here! Didn't have the time to do some testing on stunnel in combination with HFS.
Already did as Maverick suggested and more ... still the same result:
https://10.0.0.150/~login, either from the browser address line or from the template, either href="/~login" or href="https://10.0.0.150/~login", didn't work:
The authorization dialog appears and you are kicked back to http://...
But then enter https://10.0.0.150/doesnotexist/, the error page appears, press "home" and you are. Or enter https://exist/, idem.
Maybe a caching problem?
Maverick, deisler, which versions of stunnel and openssl dll's are you using?
I tried & errored the last few days to create my own private key/certificate pem-file and used different compilations instead of the default ones, successfully :D
Thought that all problems were solved and just started to write a short manual.
Oh, btw testing on intel, xp SP2, IE, no admin :roll:
precompiled stunnel 4.15, openssl probably 0.9.7i (0.9.8a crashes stunnel 4.15 .exe)

Strange logs in HFS

Code:
2006-04-25 19:53:16 Guest@127.0.0.1:1798 Sent 2038 bytes
2006-04-25 19:53:16 Guest@127.0.0.1:1798 Served 1.79 KB
2006-04-25 19:53:16 127.0.0.1:1797 Got 509 bytes
2006-04-25 19:53:16 127.0.0.1:1797 Requested GET /~img10
2006-04-25 19:53:16 127.0.0.1:1797 Request dump
> GET /~img10 HTTP/1.1
> Accept: */*
> Referer: https://10.0.0.150/Project%20SSL/teststunnel/
> Accept-Language: nl
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> Host: 10.0.0.150
> Connection: Keep-Alive

Guest@ dropped?!

In the next hours I'm online edit: [removed] port 80 (http) and 443 (https)

btw the files you find are just for testing, you may download at your own risk; pem's and private keys are just defaults
~GeeS~


~GeeS~

After testing HFS with stunnel I come to the following conclusion:

1. HFS with stunnel works perfectly  :D as long as the ~login command is not used. In order to enter a protected resource, the user:password dialog pops up and after entering the right credentials, (https) access is granted. This is the expected behaviour, nothing wrong!

2. Use of https://site/~login after entering the user:password replies with http://site without recognising the user. I guess this login command is implemented differently than the "normal" user:pass dialog.

3. If yes, and if it can't be fixed, it would not be a disaster, because working according to 1. would do the job perfectly.

4. But ... I tried to adapt my filesystem to 1. and found that after being logged in as user A for resource A, a protected folder for B was not visible anymore. Unfortunately, the option in the menu "Visible only for anonymous users" wouldn't do the job. Shouldn't it have to be "visible for all users"? Now I understand the many questions of users asking for logout.
If it was visible for all users you could just log in with the other account.

Maybe I missed something... did too much testing on stunnel the last days.
~GeeS~
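The behaviour in point 2 is what you get when a TLS terminator sits in front of a server that only ever sees plain HTTP: stunnel forwards bytes unchanged, so an absolute http:// redirect from HFS after /~login sends the browser out of the tunnel and the next request (credentials included) travels in clear. The added example below (not code from the forum, HFS or stunnel) shows the check and the Location rewrite that a header-aware proxy in front of HFS would need; the sample response bytes and the host 10.0.0.150 are constructed for the example.

```python
"""Detect and repair a plaintext downgrade in a redirect issued behind a TLS tunnel."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what a server that only sees port 80 might answer after /~login.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://10.0.0.150/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_downgrade(headers, public_host: str):
    """Return the Location value if it sends the client back to plaintext on our own host."""
    for name, value in headers:
        if name.lower() == "location":
            parts = urlsplit(value)
            if parts.scheme == "http" and parts.hostname == public_host.lower():
                return value
    return None  # relative redirects and foreign hosts are not a downgrade of this site


def rewrite_location(headers, public_host: str, tls_port: int = 443):
    """Rewrite http://public_host[:port]/... redirects to the https:// front door."""
    fixed = []
    for name, value in headers:
        if name.lower() == "location":
            parts = urlsplit(value)
            if parts.scheme == "http" and parts.hostname == public_host.lower():
                netloc = public_host if tls_port == 443 else f"{public_host}:{tls_port}"
                value = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        fixed.append((name, value))
    return fixed


def check_and_fix(raw: bytes, public_host: str):
    """Return (downgraded Location or None, headers after rewrite)."""
    _, headers, _ = parse_response(raw)
    return find_downgrade(headers, public_host), rewrite_location(headers, public_host)
```

The same check can be run against a live response captured from the tunnel to confirm that no https session ever answers with an http:// Location for the site's own host.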


maverick
deisler and ~GeeS~

Don't know why you are having login problems.  I'm not doing anything different now than I did with just HFS running and everything appears to be working just fine.  I don't, however, and never did, use http://site/~login or https://site/~login for logging in.  Just http://site with just HFS running and https://site with HFS and STunnel running.

I don't have any problems moving from folder to folder, uploading or downloading - https is always active as it should be.

I'm running STunnel v4.15 and openSSL v0.9.7i with HFS v2.0 Final.  Operating System XP SP2.

The machine I'm running HFS and STunnel on isn't behind a router.

Check your template.  Maybe you have something in there calling a http://server-related-link which would likely cause a switch from https to http because they would both be valid addresses from your server.  But in this situation you would probably have to login again to access the http IP address.

Here are a few examples confirming that HFS & STunnel work together in all major browsers..... :)

Opera...


Netscape...


FireFox...


Internet Explorer...
maverick