Tuesday, March 10, 2009

Enable SSL in goAhead web server


goAhead web server comes with internal ssl support. It's disabled by default, and I haven't seen a tutorial around this topic on the web. So here is the my adventure of enabling it.

Difficulties with goAhead
According to the goAhead's feature page, ssl is fully supported. But it's not so convienent to enable it. The downloaded source package doesn't include the source code of the ssl library that it depends it. Even the distribution package (header file and library file) isn't there.
If we trun the macro WEBS_SSL_SUPPORT definition on, what we get eventually is compilcation error. You may see the error of type SSL isn't defined.
Then we can see there is a mocana project file, so we guess go ahead is using mocana library. And now problem comes, mocana is a comerical product and it's not freely available.

Use openssl instead
Luckily, we found there was a macro named OPENSSL. It's a symbol of openssl can be an alternative option here.
Looking deeply inside the code, we can see that goAhead provides a abstract layer above the underlying ssl library. So that we can change the implementaion easily. See? It's a typical usage of adapter design pattern.
We downloaded the openssl source, compile a linux version binary set. The openssl is a powerful ssl tool set. In addition to the ssl library itself, it also contains several utility tools. Within those tools, openssl is a useful terminal tool. It can act as a ssl server, ssl client, and certificate file generator.
What's specifically useful is we can generate and sign certificate file with it and use them to test our server. This page tells how to generate and sign certificates.
In goAhead's code, it uses three certificate files.
privkey.pem : the private key
cacert.pem : the certificate
server.pem : A combination of private key and cacert. The first part of its content is privkey.pem and the second part is cacert.pem.

Having got those files, we changed the makefile to define WEBS_SSL_SUPPORT and OPENSSL macro to enable ssl. Compiled again and run.

How to visit
The goAhead web server listens on a differnt port for incoming secure connection. The port is defined as SSL_PORT macro n in websSSL.c with default value 433. To test, open the browser and visit https://address:SSL_PORT .
Since we used a self signed certificates, the firefox won't allow access to it. We have to add our site to firefox exception list from "tools - advanced - encryption - view certificates - add exception" .

7 comments:

Michael O'Brien said...

Thanks for this write up. We tried to make is much easier in GoAhead 3 which now discovered local OpenSSL stacks and configures for them automatically when you run configure. You can get GoAhead 3 from http://embedthis.com/products/goahead/index.html

Vamsi krishna said...

where should i place those .pem files if i am using goahead webserver for an embedded application.
(In my case This Webserver Binary is packed inside tar file and this tar file will be installed on a Hardware device.)
Do i have to make any extra changes for my case ??(Even though i did as per this article https is not working for me.)
I am using goahead 2.1.6 (very old . i know)
I will upgrade it in time but i need to make https work in this version for now.

Staff Ngeditblog said...

tempat nyari SSL murah ya di IDwebhost.com Cuman disini kamu bisa menemukan paket terbaik untuk hosting webkamu.

Shantibhushan said...

Hi,
We are testing go-ahead 1.161 and there are few memory leaks.

We are testing against vulnerability scanner called openVAS.For every scan of openvas we see there is 3%(3mb) memory leaks.

We have not seen any help on site.could you please help on this.

Thanks in advance.

Shantibhushan said...

Hi,
We are testing go-ahead 1.161 and there are few memory leaks.

We are testing against vulnerability scanner called openVAS.For every scan of openvas we see there is 3%(3mb) memory leaks.

We have not seen any help on site.could you please help on this.

Thanks in advance.

Shantibhushan said...

Hi,
We are testing go-ahead 1.161 and there are few memory leaks.

We are testing against vulnerability scanner called openVAS.For every scan of openvas we see there is 3%(3mb) memory leaks.

We have not seen any help on site.could you please help on this.

Thanks in advance.

rx wen said...

To detect memory leaks, why not use valgrind to launch go-ahead and then scan it with openVAS? valgrind should be able to give you some hints about possible memory leaks.