Author Topic: How about SSL support  (Read 104502 times)

0 Members and 1 Guest are viewing this topic.

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
How about SSL support
« Reply #30 on: April 30, 2006, 09:20:45 AM »
maverick wrote:
Quote
Tested in Opera, Firefox, Netscape and Internet Explorer -> results are the same. -> Damn ...
All your descibed issues can be expected. Takes too long to explain in detail now. But remenber: Stunnel behaves like a proxy server, HFS exepts connections fom clients (browser) and STunnel (client), Stunnel caches and your browsers caches, too. Do the same tests, but let  HFS listen on a port differnt than 80 (and configure STunnel accordingly). Then the browsers can't fall back to their default port 80. Your test results will be different! The issue is, that with STunnel you have a second second server on your IP besides HFS. In one situation (https)HFS behaves like an application which is feeding STunnel, in the other (http) HFS is behaving as server.
Wrt. the logs: If you are serving thru STunnel, HFS has only one client. Didn't test fully the transparency of the Stunnel proxying, but on first sight everything seemed to be Ok.
Try to run two different servers: http(80)-HFS1 and https(443)-STunnel ->HFS2(bound to local host on port f.e. 80xx).

Browser caching can be inhibited with this command:
Code: [Select]
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</HEAD>
____
GeeS
~GeeS~

Offline maverick

  • Tireless poster
  • ****
  • Posts: 1052
  • Computer Solutions
    • View Profile
How about SSL support
« Reply #31 on: April 30, 2006, 12:08:38 PM »
Quote from: "rejetto"
i'm unsure on how Stunnel works, but if i guess correctly, you can deny access for HFS to the internet, but gran acccess to STunnel. This way people are forced to https.
Thanks for the suggestion rejetto.  Didn't think of doing that.  I'll try it and see how it works.
maverick

Offline deisler

  • Occasional poster
  • *
  • Posts: 2
    • View Profile
How about SSL support
« Reply #32 on: April 30, 2006, 10:29:34 PM »
Thank you Gees, maverick and rejetto for answering all questions i had in mind. apologies for not contributing in this cause :) maverick, you've simplified all scenario fixes for me. really appreciate it! please do update us on your latest venture with rejetto's suggestion, looks promising ;)
WinXP SP2 | STunnel v4.15 | openSSL v0.9.7i | HFS v2.0 Final | Linksys WRT54G v5 Router

Offline rejetto

  • Administrator
  • Tireless poster
  • *
  • Posts: 12949
    • View Profile

Azag

  • Guest
Re: SSL
« Reply #34 on: May 09, 2006, 05:20:06 AM »
Quote from: "blueeagle69"
Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL Certificate. Copy this to the STunnel main folder, This certificate should be called STunnel.pem.

Then edit the STunnel config, and find these lines. If they are not there, then simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC, by using your IP with :443 on the end, or do as I did, and create a DynDNS account.
If you are not aware, you can create a normal Dynamic domain, and have this re-direct to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a Router Firtewall. So all I get is my Router logon.

Anyway, here is my address. See if you can connect to it.
It will be pasword protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org

Nice Job thanks for showing me the way.  And proving me wrong. AS I was a bit skeptical at first. I don't truly need this as a "feature" right now but glad to know it works when/if I need in future. ;) Besides at this point I dare say that HFS v2.0 Final is finally working flawlessly for me now that I switched to Win Server 2003 Enterprise.  :D  Thanks for your explaination and work and all others who tested and showed this to work as well.

Off-Topic:
Any past problems I had that I may have posted before had nothing to do with HFS and sorry for stressing you out. :lol: Using Wiki was a great idea to rejetto and all those whom contributing to documenting this. Very helpful!

Possible Bug:
Only bug I have (for me anyhow) noticed, though not a problem for me since I store backups. If I click cancel while HFS is starting up it wipes out the loading current .vfs file and the tree is empty and file is lost (actually overwritten in HFS root folder...weird. All the other .vfs files that were from differnt older sessions with different names remain untouched.
But I always make backups and store elsewhere just in case. Hey things can go wrong sometimes even the remote possiblity of VFS file corrupt, which I haven't had, but maybe it could during power outage or brown out. So always backup your files. ;)

Sorry for cramming off-topic things on this post I am in a big rush but thought I might share that info too. Thanks again rejetto and all testers. :happy2:  Peace......

ANTS

  • Guest
How about SSL support
« Reply #35 on: May 09, 2006, 08:05:11 AM »
Now that SSL can (sort of) be used with HFS, will there be any future additions of SSL inbuilt into HFS?

heffae

  • Guest
Login problem
« Reply #36 on: May 09, 2006, 06:44:52 PM »
It looks like when you have the root of HFS public and protected folders under this that when you click the login button HFS redirects you to a HTTP:// not HTTPS://  this dosn't look like a problem if the first page is HTTPS://

Offline maverick

  • Tireless poster
  • ****
  • Posts: 1052
  • Computer Solutions
    • View Profile
Re: Login problem
« Reply #37 on: May 09, 2006, 10:26:37 PM »
Quote from: "heffae"
It looks like when you have the root of HFS public and protected folders under this that when you click the login button HFS redirects you to a HTTP:// not HTTPS://  this dosn't look like a problem if the first page is HTTPS://
Already discussed in this thread.
maverick

Daoloth

  • Guest
How about SSL support
« Reply #38 on: May 11, 2006, 07:08:49 AM »
Quote from: "ANTS"
Now that SSL can (sort of) be used with HFS, will there be any future additions of SSL inbuilt into HFS?

Personally I think if it works I see no need for this feature to be added to make HFS more complex since I doubt the average user is really going to use or need such a feature. But the addition is in the end up to the majority and really in the end up to rejetto. ;) Besides I would have to guess even though it is in "To Do" list, it would be a complex job to code. And debugging and perfecting this add-on could be a headache imho.  Also most ppl with understanding of SSL would be familiar with using or at least knowledgeable enough to figure out STunnel or OpenSSL and similar apps. Don't get me wrong I am not against against the addition but why give rejetto more work. :lol: He has certainly given us a lot a his time and patience than one could ever ask for and for free at that. ;)

Unrelated Side note:
I haven't even tried the newest beta yet but I will.  But 2.0 final is working flawlessly for me as I had mentioned. Right now I am testing my overall stability after my OS change and trying to see how much uptime I can get. ;) So far server 12.5GB (4391 downloads and 4 uploads) in 5 days with up to 8 downloads at once and about 165 visitors a day according to one counter. Still early into test yet but so far so good.
Even added a google sitemap in XML. It does need updating again and removal of scattered dupe links but it works perfectly for me and it's W3C compliant for google sitemaps specifically as far as online tests have shown me. :D No link on main page yet but gonna add it after minor link fixes/changes. Google sees it and visits a lot, with no errors so far. :D Not trying to brag about this, just very happy things are working so well.  Feel free to check out my sitemap if you wish but be warned its 533KB.  
http://vxchaos.cjb.net/sitemap.xml

Has anyone else tried this yet on HFS just wondering.  Since I found nothing in forum search I figured it was worth mentioning. Criticism is welcome. Thanks in advance. ;) Peace all.

Https help configuration

  • Guest
stunnel configuration
« Reply #39 on: August 22, 2006, 05:28:37 AM »
http://10.10.14.2:443  conect
https://10.10.14.2:443 erro

Help

OpenSSLComando

2006.08.22 02:15:00 LOG5[464:3504]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14 Oct 2005
2006.08.22 02:15:00 LOG5[464:3504]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.08.22 02:15:00 LOG5[464:3492]: No limit detected for the number of clients
2006.08.22 02:21:20 LOG5[464:2988]: https connected from 10.10.14.1:54032
2006.08.22 02:21:20 LOG5[464:3264]: https connected from 10.10.14.1:34300
2006.08.22 02:21:20 LOG3[464:2988]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:2988]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG3[464:3264]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:3264]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG5[464:2984]: https connected from 10.10.14.1:55070
2006.08.22 02:21:20 LOG3[464:2984]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:2984]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG5[464:1992]: https connected from 10.10.14.1:55480
2006.08.22 02:21:20 LOG3[464:1992]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:1992]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG5[464:3200]: https connected from 10.10.14.1:41328
2006.08.22 02:21:20 LOG3[464:3200]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:3200]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG5[464:3408]: https connected from 10.10.14.1:60292
2006.08.22 02:21:20 LOG3[464:3408]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:3408]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:22 LOG5[464:2088]: https connected from 10.10.14.1:42477
2006.08.22 02:21:22 LOG3[464:2088]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:22 LOG5[464:2088]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:22 LOG5[464:3036]: https connected from 10.10.14.1:55688
2006.08.22 02:21:22 LOG3[464:3036]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:22 LOG5[464:3036]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:22 LOG5[464:3320]: https connected from 10.10.14.1:39588
2006.08.22 02:21:22 LOG3[464:3320]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:22 LOG5[464:3320]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:26 LOG5[464:2060]: https connected from 10.10.14.1:56992
2006.08.22 02:21:26 LOG3[464:2060]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:26 LOG5[464:2060]: Connection reset: 0 bytes sent to





--
======
 SSL, 0 bytes sent to socket; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = stunnel.pem
key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

[ssmtp]
accept  = 465
connect = 25

[https]
accept = 10.10.14.2:443
connect = 10.10.14.2:80
TIMEOUTclose = 0

; vim:ft=dosini

Offline maverick

  • Tireless poster
  • ****
  • Posts: 1052
  • Computer Solutions
    • View Profile
How about SSL support
« Reply #40 on: August 22, 2006, 06:21:50 AM »
Should be:

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0
maverick

gees

  • Guest
How about SSL support
« Reply #41 on: August 22, 2006, 06:24:34 AM »
Quote
[https]
accept = 10.10.14.2:443
connect = 10.10.14.2:80
TIMEOUTclose = 0


Please do exactly as described in this thread:

accept = 443
connect = 80


Only port numbers are valid, Stunnel listens to localhost.
_________
~GeeS~

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
Re: How about SSL support
« Reply #42 on: September 08, 2006, 05:36:03 PM »
Vulnerability in openssl, please update:

http://www.openssl.org/news/secadv_20060905.txt
~GeeS~

Offline ~GeeS~

  • Tireless poster
  • ****
  • Posts: 270
  • "The web was made for sharing..."
    • View Profile
Re: How about SSL support
« Reply #43 on: September 18, 2006, 08:30:07 PM »
~GeeS~

tenacious_b

  • Guest
Re: How about SSL support
« Reply #44 on: March 27, 2007, 04:43:36 PM »
Maybe I am just stupid but its not working.

I installed it created a certificate put it in the proper place (I think) but whenever I go to http://localhost:*accept port* i get a page cannot be displayed. I am positive this isnt enough info for anyone to help but I dont know where to start :/ Help would be greatly appreciated.