I've spent the better part of this afternoon trying to figure out how to implement SSL/TLS support directly in the Play Framework 2.1 web server without having to use a front end proxy, to no avail. I have all of my certificates signed by a CA and I'm told Play 2.1 supports SSL, but am lost on the configuration options to use in application.conf to set this up. There doesn't appear to be a clear answer out there in the documentation.
Couple questions:
Do I HAVE to convert my .crt and .key files to a .jks file (Java keystore) or can I use them as-is?
If I have to import to the Java keystore, can someone provide some insight into how this is done? I have seen a lot of conflicting documentation on this.
What are the configuration options in the Play Framework 2.1.x application.conf to set this up?
As I stated before, I could not find any clear answers after a couple hours of Googling, so I figured I better ask here. Also, I want to reiterate - I DO NOT want to use a front-end web server like Apache for specific reasons, so I am looking ONLY to set up SSL/TLS support directly in Play.
EDIT:
I have found this thread: http://grokbase.com/t/gg/play-framework/1326s1ttny/2-1-ssl but I can't get any of it to work still. Not sure if I'm created the JKS file correctly by combining all of my bundled CRT files AND the private key into a single file then importing and I'm not sure what I should use for the "path to keystore".
Related
I know little bit about certificates but not in details. I am asked to install .CER certificate in an android app, I saw currently app uses three files(see below). I am confused how just one CER file will used for authentication/identification if currently system is using multiple files.
I tried to look online but did not find good explanation of how these files work together for authentication/identification. I am sure I need same set of new files and only CER file will not be suffice, its just I don't know the relation between these files and how these files used by system.
If you can point me to some good online resource that would be great help.
cacert.file=ca.cert.pem
cert.file=client.cert.pem
key.file=client.key.pem
In looking to provide a self-hosted ServiceStack backend to a single-page app, I want to require SSL.
I've seen the answers related to configuring the server with the certificate using httpcfg/netsh, but I'd like to not have that configuration step if possible.
I found this answer, but it doesn't compile.
The PrivateKey class is missing. Of course, I'm assuming PrivateKey.Save(...) does something similar to what httpcfg/netsh does during the manual configuration. My question is, is this 'no configuration' approach with SSL on HttpListener possible? Is that previously linked answer even possible? If so, where does PrivateKey come from?
I'm experimenting with an instance of Glassfish v4.1 installed in a VM trying to make mutal authentication work. Everything goes like a charm, except the CRL (certificate revocation list) part. I've searched through the whole Internet, but it seems nobody knows about managing CRL's in Glassfish v4.1. The only sites I found were this and this. The first one refers to Glassfish v2/v3. None of them works.
Does anyone know if Glassfish v4.1 allows the implementation of CRL through a static file, like the article at the first link suggests? If so, how can I achieve it?
I finally found out how to make it work. The first link I gave in my question pointed in the good direction, but it had an error. Actually, the property "crlFile" doesn't exist, at least not in Glassfish v3.0.1 ([Oracle GlassFish Server 3.0.1 Domain File Format Reference]). The right name is "crl-file" and it's an atribute of the element ssl.
<ssl crl-file="config/crl.pem" .... />
If you define this attribute, Glassfish enables the CRL checking, looking for the revoked certificates in the specified file. The solution is also valid for Glassfish v4.1.
I wish this may help someone at some moment.
I am on Mac OSX Lion using Nginx 1.4.1. I am using nginx in conjunction with Tornado.
In the process of installing the Nginx upload module (v. 2.2.0) I encountered some compatibility issues. See this reference for more info. Apparently, there is no great fix for this as of yet. My specific error is rooted in: error: no member
named 'to_write' in 'ngx_http_request_body_t'
Is there a way to make the two of these reliably compatible without jumping through hoops?
Or, is there a suitable alternative to using this upload module that will work with Nginx 1.4.1?
If not, should I considering using Nginx 1.3.8? And if so, where can I download this version? I do not see it available for download on their website here.
Thank you for the help. Regards.
1) No, it doesn't seem like there is as the maintainer of nginx-file-upload has implied he doesn't want to maintain it any more.
2) I found this article which lists some alternatives. One of which is nginx-big-upload I've not tried it yet.
3) Well you could consider it but then you're tied in to a package that isn't maintained. What happens if there's a security vulnerability for 1.3.8? You can't upgrade without either patching or changing your file upload strategy. If you want to, you can find all of the older Nginx versions here
The situation is pretty frustrating at the moment but there are options, just none of them are tried and true. When dealing with production systems stability and security are key.
1) Yes, this module dose not support for nginx 1.4+.
2) The reason is that nginx support chunked of thansfer-encode, and improve its code design. that it remove the field to_write of ngx_http_request_body_t struct.
3) https://github.com/hongzhidao/nginx-upload-module. This is an alter module. It support the latest nginx, and the feature is equal.
I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc. but to no avail. I don't work with SSL everyday so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.