Tuesday, March 10, 2009
The goAhead web server comes with internal SSL support. It's disabled by default, and I haven't seen a tutorial around this topic on the web. So here is my adventure of enabling it.
Difficulties with goAhead
According to goAhead's feature page, SSL is fully supported, but it's not so convenient to enable. The downloaded source package doesn't include the source code of the SSL library it depends on. Even the distribution package (header files and library file) isn't there.
If we turn the WEBS_SSL_SUPPORT macro definition on, what we get eventually is a compilation error. You may see an error saying the type SSL isn't defined.
Then we can see there is a Mocana project file, so we guess goAhead is using the Mocana library. And now the problem comes: Mocana is a commercial product and it's not freely available.
Use openssl instead
Luckily, we found there was a macro named OPENSSL. It's a sign that OpenSSL can be an alternative option here.
Looking deeper inside the code, we can see that goAhead provides an abstraction layer above the underlying SSL library, so that we can change the implementation easily. See? It's a typical usage of the adapter design pattern.
We downloaded the OpenSSL source and compiled a Linux binary set. OpenSSL is a powerful SSL tool set. In addition to the SSL library itself, it also contains several utility tools. Among those tools, the openssl command is a useful terminal tool. It can act as an SSL server, an SSL client, and a certificate file generator.
What's specifically useful is that we can generate and sign certificate files with it and use them to test our server. This page tells how to generate and sign certificates.
In goAhead's code, it uses three certificate files:
privkey.pem : the private key
cacert.pem : the certificate
server.pem : a combination of the private key and cacert. The first part of its content is privkey.pem and the second part is cacert.pem.
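The following script is an added example, not goAhead's own code or the page linked above: it produces the three PEM files described here with the openssl command-line tool, builds server.pem in the required order, and checks that the key and certificate actually belong together before you rebuild the server. The output directory, the subject name and the validity period are constructed for this example; it assumes only that the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not goAhead's own code): create privkey.pem, cacert.pem and
# server.pem with the openssl command-line tool, then verify the pair.
# Assumptions: "openssl" is on PATH; OUT_DIR and CN are constructed for this
# example and are not values taken from goAhead.
set -e

OUT_DIR="${OUT_DIR:-./goahead-certs}"   # assumed output location
CN="${CN:-localhost}"                    # common name for the test server

# Create an RSA private key and a self-signed certificate in one step.
# -nodes leaves the key unencrypted: goAhead has no prompt to type a passphrase into.
gen_cert() {
    mkdir -p "$OUT_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$CN" \
        -keyout "$OUT_DIR/privkey.pem" -out "$OUT_DIR/cacert.pem" 2>/dev/null
}

# server.pem is privkey.pem followed by cacert.pem, in that order.
# Both files carry the private key, so make them readable by the owner only.
make_server_pem() {
    cat "$OUT_DIR/privkey.pem" "$OUT_DIR/cacert.pem" > "$OUT_DIR/server.pem"
    chmod 600 "$OUT_DIR/privkey.pem" "$OUT_DIR/server.pem"
}

# A certificate only works with the key it was generated from. Both embed the
# same RSA modulus, so comparing the two catches a mixed-up pair here instead
# of as an opaque handshake failure in the browser. Prints match or MISMATCH.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$OUT_DIR/privkey.pem" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$OUT_DIR/cacert.pem" 2>/dev/null)
    if [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]; then
        echo "match"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# Check the layout of server.pem: exactly one key block, then one certificate block.
server_pem_layout_ok() {
    f="$OUT_DIR/server.pem"
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$f")
    certs=$(grep -c 'BEGIN CERTIFICATE' "$f")
    key_line=$(grep -n 'BEGIN .*PRIVATE KEY' "$f" | head -n 1 | cut -d: -f1)
    cert_line=$(grep -n 'BEGIN CERTIFICATE' "$f" | head -n 1 | cut -d: -f1)
    [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ] && [ "$key_line" -lt "$cert_line" ]
}

# Show subject, validity and fingerprint: the values the browser's exception
# dialog displays, so you can confirm it is really your certificate it shows.
show_cert() {
    openssl x509 -noout -subject -dates -fingerprint -sha256 -in "$OUT_DIR/cacert.pem"
}

gen_cert
make_server_pem
key_matches_cert
server_pem_layout_ok && echo "server.pem layout ok"
show_cert
```

Keep server.pem and privkey.pem outside the directory tree goAhead serves, since server.pem contains the private key. Once the server is rebuilt and running, `openssl s_client -connect address:port` shows the certificate it presents without going through the browser.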
Having got those files, we changed the makefile to define the WEBS_SSL_SUPPORT and OPENSSL macros to enable SSL, compiled again and ran it.
How to visit
The goAhead web server listens on a different port for incoming secure connections. The port is defined by the SSL_PORT macro in websSSL.c, with a default value of 433. To test, open the browser and visit https://address:SSL_PORT .
Since we used a self-signed certificate, Firefox won't allow access to it. We have to add our site to Firefox's exception list from "Tools - Advanced - Encryption - View Certificates - Add Exception".