.. _doc_ssl_certificates:

SSL Certificates
================

Introduction
------------

It is often desired to use SSL connections for communications to avoid
"man in the middle" attacks. Godot has a connection wrapper,
:ref:`StreamPeerSSL <class_StreamPeerSSL>`,
which can take a regular connection and add security around it. The
:ref:`HTTPClient <class_HTTPClient>`
class also supports HTTPS by using this same wrapper.

Note that encryption alone does not stop a "man in the middle": the
protection only holds when the client checks the certificate presented
by the server against the certificates it trusts and, when a CA
certificate is used, also checks that the certificate was issued for
the host being connected to (domain validation, described below).

For SSL to work, certificates need to be provided. A .crt file must be
specified in the project settings:

.. image:: /img/ssl_certs.png

This file should contain any number of public certificates in
`PEM <http://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail>`__
format (text blocks delimited by ``-----BEGIN CERTIFICATE-----`` and
``-----END CERTIFICATE-----``). It is the list of certificates the
client will trust, so it must only ever contain certificates, never a
private key: the file is packaged with the exported game, and anyone
who has the game has the file.

Remember to add .crt as a filter so the exporter recognizes and
includes the file when exporting your project.

.. image:: /img/add_crt.png

There are two ways to obtain certificates:

Approach 1, Self Signed Cert
----------------------------

The first approach is the simplest: generate a private key and a
self-signed certificate for it, and put the certificate (which carries
the public key) in the .crt file, again in PEM format. The private key
stays on your server and must never be added to the project, since the
.crt is exported with the game.

OpenSSL has `some
documentation <https://www.openssl.org/docs/HOWTO/keys.txt>`__ about
this. Because the client trusts exactly this one certificate, there is
no authority that could issue another certificate the client would
accept, so this approach **does not require domain validation**. Nor
does it require you to spend a considerable amount of money purchasing
certificates from a CA. The trade-off is that the trust is pinned to
that single certificate: when it expires or its key is replaced, every
client needs an updated .crt.

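The self-signed procedure above, as an added example that is not part of the Godot documentation or of the engine: it generates the key pair and certificate with the ``openssl`` command line tool (1.1.1 or newer, for ``-addext``) and then checks the .crt the way a practitioner would before adding it to the export. The host name ``game.example`` and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Godot docs. Assumes a Unix shell and the
# openssl CLI (1.1.1+). "game.example" and all file names are placeholders.
set -eu

# make_self_signed HOST KEYFILE CRTFILE
# One openssl call produces the private key and a self-signed certificate
# whose subjectAltName names HOST (the name clients will verify against).
# The certificate is the .crt referenced in the project settings; the key
# stays on the server and is never exported with the game.
make_self_signed() {
    host="$1"; keyfile="$2"; crtfile="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$keyfile" -out "$crtfile" >/dev/null 2>&1
}

# check_crt CRTFILE HOST: returns 0 only if the file is safe and useful to ship:
#  1. it parses as an X.509 certificate in PEM form,
#  2. it contains no private key (the .crt is public once the game is exported),
#  3. it names HOST in subjectAltName, which hostname verification relies on,
#  4. it validates against itself as the only trust anchor, which is exactly
#     what a client holding this .crt will do.
check_crt() {
    crtfile="$1"; host="$2"
    openssl x509 -in "$crtfile" -noout >/dev/null 2>&1 || return 1
    if grep -q "PRIVATE KEY" "$crtfile"; then return 1; fi
    openssl x509 -in "$crtfile" -noout -text 2>/dev/null | grep -q "DNS:$host" || return 1
    openssl verify -CAfile "$crtfile" "$crtfile" >/dev/null 2>&1
}

# Typical use: generate, verify, then add server.crt (and only server.crt)
# to the project.
#   make_self_signed game.example server.key server.crt
#   check_crt server.crt game.example && echo "server.crt is ready to ship"
```

The second check is the one most often missed: a .crt that was produced by concatenating the certificate and the key (some tools do this by default) would hand the server's private key to every player.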
Approach 2, CA Cert
-------------------

The second approach consists of using a certificate authority (CA)
such as Verisign, Geotrust, etc. This is a more cumbersome process,
but it's more "official" and ensures your identity is clearly
represented.

Unless you are working with large companies or corporations, or need
to connect to someone else's servers (ie, connecting to Google or some
other REST API provider via HTTPS) this method is not as useful.

Also, when using a CA issued cert, **you must enable domain
validation**, to ensure the domain you are connecting to is the one
intended. A CA issues certificates to many unrelated parties, so
without this check any certificate issued by the same CA, for any
other host name, would be accepted, and its holder could impersonate
your server. Domain validation compares the host name you connect to
against the names in the certificate (its Subject Alternative Names)
and rejects the connection when they do not match.

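To make the domain validation point concrete, here is an added example (not from the Godot documentation) that plays the CA: it creates a throwaway CA, issues certificates for two different host names, and then runs ``openssl verify`` with and without the host name check. Both leaf certificates chain to the same CA, so chain validation alone accepts either; only ``-verify_hostname`` tells them apart. It assumes the ``openssl`` CLI (1.1.1 or newer); the CA name and the host names ``game.example`` and ``evil.example`` are placeholders.

```shell
#!/bin/sh
# Added example, not from the Godot docs. Assumes the openssl CLI (1.1.1+).
# The CA name and the host names are placeholders; everything is written
# into a directory the caller provides.
set -eu

# make_ca DIR: self-signed CA certificate and key (ca.crt / ca.key).
# ca.crt is what a client would put in its .crt under approach 2.
make_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# issue_leaf DIR HOST: key, CSR and CA-signed certificate for HOST, with the
# host name in subjectAltName (the field hostname verification looks at).
issue_leaf() {
    dir="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" >/dev/null 2>&1
}

# chain_ok DIR CERT: chain validation only. Succeeds for every certificate
# the CA ever issued, no matter which host it names.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# host_ok DIR CERT HOST: chain validation plus the host name check that
# "domain validation" adds. Only the certificate issued for HOST passes.
host_ok() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Walk-through:
#   make_ca work && issue_leaf work game.example && issue_leaf work evil.example
#   chain_ok work work/evil.example.crt            # succeeds: same CA
#   host_ok  work work/evil.example.crt game.example  # fails: wrong host name
```

The client that disables domain validation behaves like ``chain_ok``: whoever can obtain any certificate from the same CA can stand in for your server. With validation on it behaves like ``host_ok``.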
If you are using Linux, you can use the supplied certs file, generally
located in:

::

    /etc/ssl/certs/ca-certificates.crt

This file allows HTTPS connections to virtually any website (ie, Google,
Microsoft, etc), because it bundles the root certificates of all the
public CAs the distribution trusts.

Or just pick any of the more specific certificates there if you are
connecting to a specific one. Shipping only the certificate (or the
root) of the server you actually talk to keeps the set of parties whose
certificates your game accepts as small as possible.
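Picking one certificate out of such a bundle is easier with it split into one file per certificate. The following is an added example, not part of the Godot documentation: a POSIX ``awk`` splitter that copies only the text between the PEM markers (comment or stray lines between certificates are dropped), plus a helper that prints a piece's subject with ``openssl`` so the right one can be chosen. The bundle written by ``sample_bundle`` is constructed for the example; its base64 bodies are placeholders, not real certificates, which is why the subject helper is not run on it.

```shell
#!/bin/sh
# Added example, not from the Godot docs. Requires only a POSIX shell and awk;
# subject_of additionally needs the openssl CLI.
set -eu

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-001.pem, cert-002.pem, ... and prints how many were found.
# Only lines from a BEGIN marker to its END marker are copied, so anything
# else in the bundle (comments, blank lines) does not end up in a piece.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ {
            n++; f = sprintf("%s/cert-%03d.pem", dir, n); inside = 1
        }
        inside { print > f }
        /^-----END CERTIFICATE-----$/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# count_certs BUNDLE: number of certificates in a PEM bundle (0 if none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# subject_of CERT: subject DN of one piece, to identify the anchor you want.
subject_of() {
    openssl x509 -in "$1" -noout -subject
}

# sample_bundle FILE: constructed two-certificate bundle used for testing.
# The base64 bodies are placeholders, not real certificates.
sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
# a comment line between certificates, as some bundles contain
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQg==
-----END CERTIFICATE-----
EOF
}

# Typical use on a real system:
#   split_bundle /etc/ssl/certs/ca-certificates.crt pieces
#   for f in pieces/*.pem; do printf '%s: ' "$f"; subject_of "$f"; done
# then copy the single piece you need into the project's .crt.
```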