SSL certificates
================

Introduction
------------

It is often desired to use SSL connections for communications to avoid
"man in the middle" attacks. Pandemonium has a connection wrapper,
`StreamPeerSSL`, which can take a regular connection and add security
around it. The `HTTPClient` class also supports HTTPS by using this same
wrapper.

Pandemonium includes SSL certificates from Mozilla, but you can provide your
own with a .crt file in the project settings:

![](img/ssl_certs.png)

This file should contain any number of public certificates in
[PEM format](https://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail).

Of course, remember to add .crt as a filter so the exporter recognizes
the file when exporting your project.

![](img/add_crt.png)

There are two ways to obtain certificates:

Approach 1: self signed cert
----------------------------

The first approach is the simplest: generate a private and public
key pair, put the public key in a self-signed certificate and add that
certificate (in PEM format) to the .crt file. The private key should
stay on your server.

OpenSSL has [some documentation](https://raw.githubusercontent.com/openssl/openssl/master/doc/HOWTO/keys.txt)
about this. This approach also **does not require domain validation**,
nor does it require you to spend a considerable amount of money
purchasing certificates from a CA.

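As an added example (not code from the Pandemonium docs or project), here is the first approach carried out with the OpenSSL command-line tool: a key pair is generated, the public key is issued as a self-signed certificate, the private key is kept aside for the server, and the certificate is appended to a .crt bundle of the kind the project setting expects. The hostnames game.example and login.example and the file names server.key, server.crt and certs.crt are assumptions; the bundle is built in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the Pandemonium docs): approach 1 end to end.
# Generates a private/public key pair with OpenSSL, wraps the public key in a
# self-signed PEM certificate, keeps the private key for the server and appends
# the certificate to the project's .crt bundle. Assumed names: hostnames
# game.example / login.example, files server.key, server.crt, certs.crt.
# Needs the openssl command-line tool.

# make_self_signed DIR HOSTNAME: writes DIR/server.key (private, stays on the
# server) and DIR/server.crt (public certificate in PEM format).
make_self_signed() {
    _dir=$1; _host=$2
    printf 'subjectAltName=DNS:%s\n' "$_host" > "$_dir/san.cnf"
    # 1. new RSA key pair plus a signing request carrying the hostname
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$_host" \
        -keyout "$_dir/server.key" -out "$_dir/server.csr" >/dev/null 2>&1
    # 2. sign the request with its own key (-signkey): that is what "self-signed" means
    openssl x509 -req -days 365 -sha256 -in "$_dir/server.csr" \
        -signkey "$_dir/server.key" -extfile "$_dir/san.cnf" \
        -out "$_dir/server.crt" >/dev/null 2>&1
    chmod 600 "$_dir/server.key"
}

# is_pem_cert FILE: succeeds only if FILE parses as a PEM certificate
is_pem_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# add_to_bundle CERT BUNDLE: appends CERT to the .crt file the project setting
# points to, refusing anything that is not a certificate (a stray private key,
# for instance, must never end up in the bundle shipped with the client)
add_to_bundle() {
    is_pem_cert "$1" || return 1
    cat "$1" >> "$2"
}

# bundle_cert_count BUNDLE: prints how many certificates the bundle contains
bundle_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# bundle_subjects BUNDLE: one "subject=..." line per certificate in the bundle
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject'
}

# demo: builds a bundle with one self-signed certificate per hostname in a
# temporary directory, lists the subjects on stderr and prints the count (2)
demo() {
    _tmp=$(mktemp -d)
    : > "$_tmp/certs.crt"
    for _h in game.example login.example; do
        mkdir -p "$_tmp/$_h"
        make_self_signed "$_tmp/$_h" "$_h"
        add_to_bundle "$_tmp/$_h/server.crt" "$_tmp/certs.crt"
    done
    bundle_subjects "$_tmp/certs.crt" >&2
    bundle_cert_count "$_tmp/certs.crt"
    rm -rf "$_tmp"
}

demo
```

`bundle_subjects` is the quick way to see what a bundle actually trusts; pointed at a system bundle such as `/etc/ssl/certs/ca-certificates.crt` it lists every root in it, which is how to pick out one specific certificate when only a single server needs to be trusted. Only `server.crt` belongs in the bundle that ships with the client; `server.key` stays on the server.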
Approach 2: CA cert
-------------------

The second approach consists of using a certificate authority (CA)
such as Verisign, Geotrust, etc. This is a more cumbersome process,
but it's more "official" and ensures your identity is clearly
represented.

Unless you are working with large companies or corporations, or need
to connect to someone else's servers (e.g., connecting to Google or some
other REST API provider via HTTPS), this method is not as useful.

Also, when using a CA issued cert, **you must enable domain
validation**, to ensure the domain you are connecting to is the one
intended; otherwise any certificate issued by the same CA, for any
website, would be accepted.

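To make the domain validation point concrete, here is an added example (not part of the Pandemonium docs or project) using the OpenSSL command-line tool: a throwaway CA issues one certificate each for two hostnames, and `openssl verify` is run once checking only the chain and once with `-verify_hostname`. The CA name "Example Test CA" and the hostnames api.example and other.example are assumptions; everything is created in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the Pandemonium docs). A throwaway CA issues
# certificates for two hostnames; checking the chain alone (what a client does
# without domain validation) accepts either certificate for any hostname, while
# domain validation accepts only the certificate issued for the name connected to.
# Assumed names: "Example Test CA", hosts api.example and other.example.
# Needs the openssl command-line tool.

# make_ca DIR: CA private key plus self-signed CA certificate with the CA bit set
make_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -sha256 -in "$1/ca.csr" -signkey "$1/ca.key" \
        -extfile "$1/ca.cnf" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue_cert DIR HOSTNAME: CA-signed certificate DIR/HOSTNAME.crt with a DNS SAN
issue_cert() {
    _dir=$1; _host=$2
    printf 'subjectAltName=DNS:%s\n' "$_host" > "$_dir/$_host.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$_host" \
        -keyout "$_dir/$_host.key" -out "$_dir/$_host.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -sha256 -in "$_dir/$_host.csr" \
        -CA "$_dir/ca.crt" -CAkey "$_dir/ca.key" -CAcreateserial \
        -extfile "$_dir/$_host.cnf" -out "$_dir/$_host.crt" >/dev/null 2>&1
}

# chain_ok CAFILE CERT: chain validation only: was CERT signed by the trusted CA?
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# host_ok CAFILE CERT HOSTNAME: chain validation plus domain validation
host_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# demo: prints four results (1 = accepted, 0 = rejected), in this order:
#   chain-only api.example cert, chain-only other.example cert,
#   connecting to api.example with the api.example cert, same with the other.example cert
demo() {
    _tmp=$(mktemp -d)
    make_ca "$_tmp"
    issue_cert "$_tmp" api.example
    issue_cert "$_tmp" other.example
    _out=""
    for _c in api.example other.example; do
        if chain_ok "$_tmp/ca.crt" "$_tmp/$_c.crt"; then _out="$_out 1"; else _out="$_out 0"; fi
    done
    for _c in api.example other.example; do
        if host_ok "$_tmp/ca.crt" "$_tmp/$_c.crt" api.example; then _out="$_out 1"; else _out="$_out 0"; fi
    done
    rm -rf "$_tmp"
    echo "${_out# }"
}

demo   # prints "1 1 1 0"
```

The chain-only check accepts both certificates because both were legitimately issued by the trusted CA; only the hostname check ties the certificate to the server you meant to reach, which is why the domain validation option must be on whenever the bundle trusts a CA rather than one specific certificate.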
If you are using Linux, you can use the supplied certs file, generally
located in:

```
/etc/ssl/certs/ca-certificates.crt
```

This file allows HTTPS connections to virtually any website (e.g.,
Google, Microsoft, etc.).

Or pick any of the more specific certificates there if you are
connecting to a specific one.