pandemonium_engine_docs/03_usage/08_networking/ssl_certificates.md
SSL certificates
================

Introduction
------------

It is often desired to use SSL connections for communications to avoid
"man in the middle" attacks. Pandemonium has a connection wrapper,
`StreamPeerSSL`, which can take a regular connection and add security
around it. The `HTTPClient` class also supports HTTPS by using this same
wrapper.

Pandemonium includes SSL certificates from Mozilla, but you can provide your
own with a .crt file in the project settings:

![](img/ssl_certs.png)

This file should contain any number of public certificates in
[PEM format](https://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail).
Of course, remember to add .crt as a filter so the exporter recognizes
this file when exporting your project.

![](img/add_crt.png)

There are two ways to obtain certificates:

Approach 1: self signed cert
----------------------------

The first approach is the simplest: generate a private and public key
pair and a self-signed certificate, and add the certificate (in PEM
format) to the .crt file. The private key should go to your server and
must not be shipped inside the exported project. OpenSSL has
[some documentation](https://raw.githubusercontent.com/openssl/openssl/master/doc/HOWTO/keys.txt)
about this. This approach **does not require domain validation**, nor
does it require you to spend a considerable amount of money purchasing
certificates from a CA.

Approach 2: CA cert
-------------------

The second approach consists of using a certificate authority (CA)
such as Verisign, Geotrust, etc. This is a more cumbersome process,
but it's more "official" and ensures your identity is clearly
represented.

Unless you are working with large companies or corporations, or need
to connect to someone else's servers (e.g., connecting to Google or some
other REST API provider via HTTPS), this method is not as useful.

Also, when using a CA-issued cert, **you must enable domain
validation** to ensure the domain you are connecting to is the one
intended. Otherwise any certificate issued by the same CA, for any
domain, will be accepted and the connection will succeed.
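As an added example (not part of the engine's documentation), the following GDScript opens a TLS connection with both certificate and hostname validation turned on, using a certificate file shipped with the project. It assumes Pandemonium keeps the Godot 3.x `StreamPeerTCP`, `StreamPeerSSL` and `X509Certificate` API; the host name and certificate path are hypothetical.

```gdscript
extends Node

# Constructed values for this example; replace with your own server and .crt path.
const HOST = "api.example.com"
const PORT = 443
const CERT_PATH = "res://certs/server.crt"  # PEM certificate, as described above

func _ready():
    var tcp = StreamPeerTCP.new()
    if tcp.connect_to_host(HOST, PORT) != OK:
        push_error("TCP connection to %s failed" % HOST)
        return
    # Simple blocking wait for the TCP connection; a real game would poll in _process().
    while tcp.get_status() == StreamPeerTCP.STATUS_CONNECTING:
        OS.delay_msec(10)
    if tcp.get_status() != StreamPeerTCP.STATUS_CONNECTED:
        push_error("TCP connection to %s failed" % HOST)
        return

    # Load the trusted certificate shipped in the project (self-signed or CA-issued).
    var cert = X509Certificate.new()
    if cert.load(CERT_PATH) != OK:
        push_error("Could not load %s" % CERT_PATH)
        return

    # validate_certs = true: the server's certificate must chain to `cert`.
    # for_hostname = HOST: the certificate must also be issued for HOST (domain
    # validation). With a CA-issued cert this is what stops any other certificate
    # from the same CA from being accepted.
    var ssl = StreamPeerSSL.new()
    if ssl.connect_to_stream(tcp, true, HOST, cert) != OK:
        push_error("Could not start TLS handshake")
        return
    while ssl.get_status() == StreamPeerSSL.STATUS_HANDSHAKING:
        ssl.poll()
        OS.delay_msec(10)

    match ssl.get_status():
        StreamPeerSSL.STATUS_CONNECTED:
            print("TLS established with %s, certificate and hostname verified" % HOST)
            ssl.put_data(("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % HOST).to_utf8())
        StreamPeerSSL.STATUS_ERROR_HOSTNAME_MISMATCH:
            push_error("Certificate is valid but not issued for %s" % HOST)
        _:
            push_error("TLS handshake failed; certificate not trusted")
```

Passing `false` for `validate_certs`, or an empty `for_hostname`, disables one of the two checks and is the configuration the paragraph above warns against.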

If you are using Linux, you can use the supplied certs file, generally
located in:

```
/etc/ssl/certs/ca-certificates.crt
```

This file allows HTTPS connections to virtually any website (e.g.,
Google, Microsoft, etc.).

Or pick any of the more specific certificates there if you are
connecting to a specific one.