Author Topic: How about SSL support  (Read 106037 times)

0 Members and 1 Guest are viewing this topic.

deisler

  • Guest
How about SSL support
« Reply #15 on: April 26, 2006, 12:39:35 AM »
Hi maverick & GeeS, thank you so much for your very detailed explanation appreciate it. i'll be looking into my template & router forwarding which possibly is causing this when i get back home. by the way i'm using the same  setup as you : WinXP SP2 | STunnel v4.15 | openSSL v0.9.7i | HFS v2.0 Final | Linksys WRT*** Router. will put up screenies after testing! :)

Also, mind me asking another question. is there really any difference or safer to use ports other then 80 / 8080? not regarding SSL.

Code: [Select]
Time to register my username! heh!

Offline deisler

  • Occasional poster
  • *
  • Posts: 2
    • View Profile
How about SSL support
« Reply #16 on: April 26, 2006, 12:53:54 AM »
GeeS you notice this? apologies for the double post. funny thing is that when i refresh / reload after the failed login it works and is logged in under https! hmmpt :|
WinXP SP2 | STunnel v4.15 | openSSL v0.9.7i | HFS v2.0 Final | Linksys WRT54G v5 Router

gees

  • Guest
How about SSL support
« Reply #17 on: April 26, 2006, 01:23:59 PM »
I tried to locate the problem with new started browser (IE), STunnel 4.15 with openSSL 0.9.7i and HFS 2.0:

Opened https://127.0.0.1 -> https://127.0.0.1 (not loggedin) is served OK!

Entered https://127.0.0.1/~login -> login screen poped up, entered user and pass: browser(IE) warned that you will leave a secure connection:

on "NO" https://127.0.0.1 (not-loggedin) reappeared (from STunnel cache ?,  on "REFRESH" https://127.0.0.1 (loggedin) was displayed. So HFS had received and recognized the posted login. But STunnel finally delivered the cached version of 127.0.0.1.  

on "YES" http://127.0.0.1 (not loggedin) appeared, on "REFRESH" http://127.0.0.1 (not-loggedin) reappered (i requested http not https with the refresh!, so it's OK!)

Entering a protected resource like https://127.0.0.1/protected/ from https://127.0.0.1 (not-loggedin) gave the correct page https://127.0.0.1/protected (loggedin) instantly after correct login, because the page didn't reside in cache already.

Conclusion:
It's most probably a caching problem in the chain:
 
Client(IE,FF,O):443(https) <--> (https):443 Proxy (STunnel):80(http) <--> (http):80 Server (HFS)

I assume, that the described responses are the normal behaviour in this configurations.

Questions:

Could you confirm the results evtl. also with big O and/or FF (weren't "available" on my testing box)? Any expert explanations?

i Will adapt my pages/template to avoid the ~login command and will enter protected resources as usual. Or any other ideas?

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
How about SSL support
« Reply #18 on: April 26, 2006, 08:16:10 PM »
Just tested with FF and Opera: same behaviour as IE.

deisler wrote:
Quote
is there really any difference or safer to use ports other then 80 / 8080?

Technically no, 80 is the htttp default, saves entering :80 at the end of the ip-address, some people think they can hide their servers ... hmm :roll:
~GeeS~

Offline maverick

  • Tireless poster
  • ****
  • Posts: 1052
  • Computer Solutions
    • View Profile
How about SSL support
« Reply #19 on: April 26, 2006, 09:35:13 PM »
Quote from: "~GeeS~"
Just tested with FF and Opera: same behaviour as IE.
If you have HFS restrict access on the root ( / ) set to NONE - set it to ALL.  Give that a try and see if that works better for you.
maverick

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
How about SSL support
« Reply #20 on: April 27, 2006, 08:00:11 PM »
maverick, deisler, Rejetto and anybody who is interested:

Protecting root is not an option for me. I did some search in the forum for the history of the ~login command.
Quote
Guest wrote on Sun Dec 07, 2003 9:24 am    Post subject: root login
... I like the added function of only allowing users to see the folders they have access to but to have that work, you have to protect the root.
If the root is not protected, they get only the list of unprotected folders.
Is there a way to have this work without protecting the root ex. adding a login to the roots page? ...

Mr. Anon Posted: Wed Jan 14, 2004 11:00 pm    Post subject:   
... @Rafi, the login button is for "Users Login". When you setup a user account in HFS, you could protect items so that those items are shown/accessed only when those users are logged in.

rejetto Posted: Thu Jan 15, 2004 2:26 pm    Post subject:   
... "login" button is to authenticate the user without need to click on a protected resource. purpose can be any, Anon just described one ...

This, and some more related discussions in the old threads, and the Stunnel logs make perfectly clear what's going on:
STunnel serves the cached version of root to the browser. Strange enough, all tested browsers (IE, FF, O) try to fall back to the non-secure page (Opera even without complaining).
How to fix the problem without loosing the feature to use the login button, without protecting root and so keeping at least one public welcome page?
My suggestion is to call a protected welcomepage (accessible for all possible users) from the unprotected root with the login button. This welcome page has some instructions (like "click here to go back and press refresh if correct page is not displayed" ... and more if you like) and a link back to root. Similar to the login to this messageboard! Implementation would be easy: in the template replace href="/~login" by href="protected_welcome.html" or accordingly.
(Would href="https://%host%/...." do the job to switch from http to https, at least with default port 80?
%host% delivers url or 0.0.0.0 with port 80, but url:xxx or 0.0.0.0:xxx with any other port. Still needs a try yet.)


Any other suggestions/comments/critics are welcome!
BTW. i tried to tune the stunnel.conf wrt. caching (session= , options= ), but without success on my precompiled version.

Finally, here's a brief description how to setup STunnel for HFS and for creating your own privatekey/certificate:
EDIT:
Some information given in this description is obsolete. For an update see further down in this thread!


1. Go to http://stunnel.mirt.net (the official STunnel homepage) and download from a mirror of your choice:
...stunnel-4.15-installer.exe.
(This is precompiled binary for windows with a default (non-secure) privatkey/certificate pem-file).

2. In order to produce an unique (secure) private key/certificate pem-file, download
.../openssl/binary-0.9.7i-zdll/openssl.exe from the same location.
Read also the licences and disclaimers at www.stunnel.org and www.openssl.org!
 
3. Run stunnel-4.15-installer.exe (a selfextracting archive, no registry changes & no admin rights required as long as you don't use stunnel as windows service):
Read and accept the license agreement, select all components, choose a destination folder or accept the default (recommended). After the installation is completed you may want to see the installation details. Exit Stunnel.

4. Choose START ->PROGRAMS -> stunnel -> Edit stunnel.conf and change only the following entries in stunnel.conf to:
Code: [Select]
; Some debugging stuff useful for troubleshooting (optional)
debug = 7
output = stunnel.log

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

and save the stunnel.conf .

5. Choose START ->PROGRAMS -> stunnel -> Run stunnel
Right click the stunnel icon in your taskbar and activate the log window:
Quote
2006.04.24 21:40:23 LOG7[4076:2632]: RAND_status claims sufficient entropy for the PRNG
2006.04.24 21:40:23 LOG6[4076:2632]: PRNG seeded successfully
2006.04.24 21:40:23 LOG7[4076:2632]: Certificate: stunnel.pem
2006.04.24 21:40:23 LOG7[4076:2632]: Key file: stunnel.pem
2006.04.24 21:40:23 LOG7[4076:2632]: SSL context initialized for service https
2006.04.24 21:40:23 LOG5[4076:2632]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14
Oct 2005
2006.04.24 21:40:23 LOG5[4076:2632]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.04.24 21:40:23 LOG5[4076:3988]: No limit detected for the number of clients
2006.04.24 21:40:23 LOG7[4076:3988]: FD 204 in non-blocking mode
2006.04.24 21:40:23 LOG7[4076:3988]: SO_REUSEADDR option set on accept socket
2006.04.24 21:40:23 LOG7[4076:3988]: https bound to 0.0.0.0:443
6. Start hfs listening on port 80 and browse https://127.0.0.1  and a warning from your browser will pop-up:
   - certificate is not recognized
   - the certificate has expired
   - the website doesn't fit the certificate

because we are still using the default stunnel.pem certificate this is the expected behavior.
Press "YES" to proceed and check again your stunnel logs.

It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing.
 
7. In order to build your very own secure privatekey/certificate pem-file, delete the default stunnel.pem in the stunnel folder (C:\stunnel\ by default).

8. Create an ASCII textfile in the stunnelfolder and copy/paste the following entries:
Code: [Select]
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default             = XX
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
organizationalUnitName          = Organizational Unit Name (eg, section)
0.commonName                    = Common Name (FQDN of your server)

[ cert_type ]
nsCertType = server

9. Save this textfile as stunnel.cnf (not stunnel.conf! ) in the stunnelfolder
(With WIN the cnf-extension might not be displayed and a shortcut icon is displayed instead: Don't panic!)

10. Copy the downloaded openssl.exe to your stunnel folder, run openssl.exe and enter after the commandprompt:
Quote
openssl> req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

You might want to increase the -days value from 365 to 3650 or more.

This command will ask you the following questions, enter whatever you like:
Quote
Question:      Example Answers
Country name:     PL, UK, US, CA
State or Province name:  Illinois, Ontario
Locality:        Chicago, Toronto
Organization Name:     Bill's Meats, Acme Anvils
Organizational Unit Name:  Ecommerce Division
Common Name (FQDN):  www.example.com
Note: The Common Name (FQDN) should be the hostname of the machine running stunnel. If you can access the machine by more than one hostname some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing.
A new, unique random privatekey/certificate file stunnel.pem will be created.

It is extremely important, to keep this stunnel.pem file secret! It contains your private key for the encrypted traffic!

Congratulations, you're done! Run Stunnel, start HFS, have fun and enjoy your reowned privacy with care!

Disclaimer: This brief  :roll: instructions are based on my todays best knowledge and reflect only a small part of the plenty more options of openssl.exe. Feel free to consult www.stunnel.org and www.openssl.org for more detailed information. No guarantees or whatsoever.

~GeeS~

The web was made for sharing ... the more you give, the more you get!
« Last Edit: April 03, 2007, 08:55:49 PM by ~GeeS~ »
~GeeS~

Offline maverick

  • Tireless poster
  • ****
  • Posts: 1052
  • Computer Solutions
    • View Profile
How about SSL support
« Reply #21 on: April 27, 2006, 11:08:50 PM »
~GeeS~

After reading the first part of your response above I'm not to sure if you have solved your login problem or not but I think you now know what is causing it.   You do mention using a public welcome page which suggests to me that you are running a public server.  (or at least some parts of your site are in the public domain otherwise why a public welcome page).   Mine, on the other hand, is a totally private site from which I can also include a custom welcome page if I choose to do so.  As my site is totally private, our server setups will probably differ.  I know with the way I have mine setup I don't have any login problems.
maverick

Offline rejetto

  • Administrator
  • Tireless poster
  • *
  • Posts: 12953
    • View Profile
How about SSL support
« Reply #22 on: April 28, 2006, 12:36:31 AM »
i'm not sure i got what you need, but: what's wrong in putting all the thing you have to protect in a protected folder, and leave the root public for your welcome page?

gees

  • Guest
How about SSL support
« Reply #23 on: April 28, 2006, 09:13:56 AM »
maverick wrote:
Quote
After reading the first part of your response above I'm not to sure if you have solved your login problem or not but I think you now know what is causing it.
You do mention using a public welcome page which suggests to me that you are running a public server.
rejetto wrote:
Quote
i'm not sure i got what you need, but: what's wrong in putting all the thing you have to protect in a protected folder, and leave the root public for your welcome page?
Maybe i should try to clarify to avoid confusion:

I'm running (still under construction) a private server from my home.

When a visitor/searchbot/everybody and there grandmas comes to my site, the first thing (s)he should see is a welcome/home page, not a login dialog or the filesystem.
This is what I call the public part, like public domain, because it contains public information (like credits for HFS, disclaimers, legal, instructions, privacy policy, contact etc).

From this initial welcome/home page, the visitor can then link to other webpages or to the filesystem. All or some parts of these webpages or folders of the filesystem are password-protected for different users.
This is what I refer to as the private sections of my site. Private as in private home or private property. Access to these private sections is granted with my permission only and was managed with ~login (http://www.rejetto.com/forum/viewtopic.php?t=2690 see sections [login] and [logged-in]), which unfortunately isn't compatible with STunnel due to caching.

Indeed, i've already decided to do as rejetto suggested, there is absolutely nothing wrong with it, it does what i need and besides, it's compatibel with Stunnel for enhanced privacy. I do not need the ~login command to achieve this.

Hope i could clarify things, consider the "problem" solved and focus on HFS 2.1beta . Thx rejetto!

~GeeS~

Offline rejetto

  • Administrator
  • Tireless poster
  • *
  • Posts: 12953
    • View Profile
How about SSL support
« Reply #24 on: April 29, 2006, 01:36:28 AM »
happy to know your problem is solved.
that's why i often ask you to think twice on your feature requests, folks.
a program with many features is a program hard to use.
when a thing is easily solvable with available features, we should not add a new one.

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
How about SSL support
« Reply #25 on: April 29, 2006, 07:25:11 PM »
rejetto wrote:
Quote
that's why i often ask you to think twice on your feature requests, folks.
a program with many features is a program hard to use.
when a thing is easily solvable with available features, we should not add a new one.
:^^: This is exactly my concern for some time. HFS should be an easy to use and secure file- and webserver, not an HTML editor.

 :?: Do you agree to refer to STunnel/OpenSSL for "SSL extended HFS"  in the WIKI?
I think both programs add value to HFS and because they are non-commercial, opensource and licensed under GPL, they deserve to be "advertised" and described briefly in the HFS WIKI.
___
~GeeS~
~GeeS~

Offline rejetto

  • Administrator
  • Tireless poster
  • *
  • Posts: 12953
    • View Profile
How about SSL support
« Reply #26 on: April 29, 2006, 07:39:27 PM »
yes an SSL tutorial would be great :)

Offline maverick

  • Tireless poster
  • ****
  • Posts: 1052
  • Computer Solutions
    • View Profile
Turn-OFF HTTP access and only allow HTTPS
« Reply #27 on: April 29, 2006, 08:54:44 PM »
I have been experimenting with different configurations.

My question is this...

If the administrator decides to only have HTTPS (SSL) available for his users to connect to, is there a way to turn-off HTTP access so a http://my-site IP address won't work but a https://my-site IP address will?
maverick

Offline rejetto

  • Administrator
  • Tireless poster
  • *
  • Posts: 12953
    • View Profile
Re: Turn-OFF HTTP access and only allow HTTPS
« Reply #28 on: April 30, 2006, 03:13:48 AM »
Quote from: "maverick"
If the administrator decides to only have HTTPS (SSL) available for his users to connect to, is there a way to turn-off HTTP access so a http://my-site IP address won't work but a https://my-site IP address will?
i'm unsure on how Stunnel works, but if i guess correctly, you can deny access for HFS to the internet, but gran acccess to STunnel. This way people are forced to https.

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
How about SSL support
« Reply #29 on: April 30, 2006, 09:07:29 AM »
maverick wrote:
Quote
If the administrator decides to only have HTTPS (SSL) available for his users to connect to, is there a way to turn-off HTTP access so a http://my-site IP address won't work but a https://my-site IP address will?
My solution would be:
Use a router and only forward port 443 (https) and not port 80 (http).
You could also have port 80 forwarded and run two instances of HFS:
one on http (80) to redirect to https (443) and the other instance on port 443 with your full content.
Without router its more complicated , because HFS always listens to http. You could obfuscate the http port from 80 to somewhere else or force HFS  to accept connections only from 127.0.0.1 (STunnel).
Didn't test it, but should work.
____
~GeeS~
~GeeS~