mirror of
https://github.com/cesanta/mongoose.git
synced 2024-11-26 03:59:00 +08:00
76 lines
3.3 KiB
Markdown
76 lines
3.3 KiB
Markdown
|
# Mongoose SSL guide
|
||
|
|
|
||
|
|
SSL is a protocol that makes web communication secure. To enable SSL
|
||
|
|
in mongoose, 3 steps are required:
|
||
|
|
|
||
|
|
1. Valid certificate file must be created
|
||
|
|
2. `ssl_certificate` options must be set to contain path to the
|
||
|
|
certificate file.
|
||
|
|
3. `listening_ports` option must contain a port number with letter `s`
|
||
|
|
appended to it, which instructs Mongoose to use SSL for all connections
|
||
|
|
made to that port.
|
||
|
|
|
||
|
|
Below is the `mongoose.conf` file snippet for typical SSL setup:
|
||
|
|
|
||
|
|
document_root www_root # Serve files in www_root directory
|
||
|
|
listening_ports 80r,443s # Redirect all HTTP requests to HTTPS
|
||
|
|
ssl_certificate ssl_cert.pem # Location of certificate file
|
||
|
|
|
||
|
|
## How to create SSL certificate file
|
||
|
|
|
||
|
|
SSL certificate file is a text file that must contain at least two
|
||
|
|
sections:
|
||
|
|
|
||
|
|
1. A private key
|
||
|
|
2. A certificate
|
||
|
|
|
||
|
|
Both sections should be chunks of text in PEM format. When PEM file is
|
||
|
|
opened in a text editor, it looks like this:
|
||
|
|
|
||
|
|
-----BEGIN RSA PRIVATE KEY-----
|
||
|
|
MIIEogIBAAKCAQEAwONaLOP7EdegqjRuQKSDXzvHmFMZfBufjhELhNjo5KsL4ieH
|
||
|
|
hYN0Zii2yTb63jGxKY6gH1R/r9dL8kXaJmcZrfSa3AgywnteJWg=
|
||
|
|
-----END RSA PRIVATE KEY-----
|
||
|
|
-----BEGIN CERTIFICATE-----
|
||
|
|
MIIDBjCCAe4CCQCX05m0b053QzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJB
|
||
|
|
SEGI4JSxV56lYg==
|
||
|
|
-----END CERTIFICATE-----
|
||
|
|
|
||
|
|
Two aforementioned sections are clearly seen. Typically, those section
|
||
|
|
are bigger then in the example shown. The text between the `BEGIN` and
|
||
|
|
`END` is the text representation of binary data, a private key and a
|
||
|
|
certificate. Therefore, in order to create a certificate file,
|
||
|
|
|
||
|
|
* private key must be converted to PEM format
|
||
|
|
* certificate must be converted to PEM format
|
||
|
|
* those two should be concatenated into a single file
|
||
|
|
|
||
|
|
If the certificate chain in used, a chain file also needs to be
|
||
|
|
converted into PEM format and appended to the certificate file.
|
||
|
|
|
||
|
|
## How SSL works
|
||
|
|
|
||
|
|
SSL is a protocol that can encrypt communication between two parties. If third
|
||
|
|
party observes all messages passed by, it would be very
|
||
|
|
hard for the third party (though not impossible) to decrypt the communication.
|
||
|
|
|
||
|
|
The idea is based on so-called public key encryption. Communicating parties
|
||
|
|
have two keys: a public key and a private key. A public key is advertised
|
||
|
|
to everybody, and it is contained in a certificate. A private key is kept
|
||
|
|
secret. Security algorithm works in a way that anybody can encrypt
|
||
|
|
a message using public key, and only private key can decrypt it.
|
||
|
|
|
||
|
|
This is why web server needs both private key and certificate: private key
|
||
|
|
is used to decrypt incoming messages, and certificate is used to tell the
|
||
|
|
public key to the other party. When communication starts, parties exchange
|
||
|
|
their public keys, and keep private keys to themselves. Man-in-the-middle
|
||
|
|
who observes the communication is unable to decrypt the messages cause
|
||
|
|
private keys are required for decryption.
|
||
|
|
|
||
|
|
Encryption algorithms are built on top of hard mathematical problem, which
|
||
|
|
makes it very expensive for man-in-the-middle to compute private keys.
|
||
|
|
For example, RSA algorithm is based on a mathematical problem of factorization.
|
||
|
|
It is easy to generate two very large prime numbers `P` and `Q` and make
|
||
|
|
a product `P * Q`. But given a product, it is very hard to recover these
|
||
|
|
two prime numbers - this is called factorization.
|