Security FAQ

From Resin 3.0

How can I handle SSL for virtual hosts if I have a separate IP for each host?

I have different IPs, but am trying to avoid using them in the config files as we have a development, staging and production environment each of which would have different IPs. Is it possible to specify multiple IPs for it to try binding to?

The listener configuration is the per-IP setup shown under "Can I use different SSL certificates for each virtual host?" below: one <http> listener per IP address on port 443, each bound only to its own address and each carrying its own <openssl> block.

If you want to keep one .conf file for different environments, you can use the configuration control statements (http://caucho.com/resin/doc/config-control.xtp) to vary the bind addresses between environments instead of hard-coding one set of IPs.

Latest revision as of 17:06, 1 April 2008


Can I use different SSL certificates for each virtual host?

We have two domains on one server. Is there an example config file showing how to have multiple ssl certificates, one for each virtual host?

This is not possible if you are using Resin's virtual hosting capability to serve multiple domain names from a single IP address.

The SSL connection (and the certificate the server presents) is established before the HTTP request is sent. Unless the domain name is mapped to a unique IP address, the server cannot know which domain name the user is using until after SSL is set up: Resin has no way to determine which domain name the user specified in the request until the SSL layer has been negotiated and the request decrypted. This answer assumes a TLS stack without Server Name Indication (SNI, RFC 4366), the TLS extension by which a client places the target hostname in cleartext in its ClientHello; an SNI-aware server can select a per-host certificate on a shared IP, which is how later servers and reverse proxies handle this case.

It is possible if you have separate IP addresses for the hosts. You need one http listener per IP address, each binding only to that address, and each of these listeners can carry its own ssl configuration. Note that the <password> element in the example below holds the private-key passphrase in cleartext, so resin.conf and the keys/ directory should be readable only by the user Resin runs as.

<resin xmlns="http://caucho.com/ns/resin">
<cluster id="">

  <server id="">
    <http address="*" port="80"/>

    <http address="199.199.0.10" port="443" virtual-host="gryffindor.com">
      <openssl>
        <certificate-file>keys/gryffindor.crt</certificate-file>
        <certificate-key-file>keys/gryffindor.key</certificate-key-file>
        <password>test123</password>
      </openssl>
    </http>

    <http address="199.199.0.11" port="443" virtual-host="slytherin.com">
      <openssl>
        <certificate-file>keys/slytherin.crt</certificate-file>
        <certificate-key-file>keys/slytherin.key</certificate-key-file>
        <password>test123</password>
      </openssl>
    </http>

  ...
  </server>

  <host id="gryffindor.com">
    <host-alias>www.gryffindor.com</host-alias>

    ...

  </host>

  <host id="slytherin.com">
    <host-alias>www.slytherin.com</host-alias>

    ...
  </host>

  ...
</cluster>
</resin>
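Server Name Indication (SNI) is the TLS extension that carries the requested hostname in cleartext inside the very first handshake message, the ClientHello, and it is what later servers use to pick a per-host certificate on a shared IP. As an added example (not code from the original page or from Resin), the Python below builds a minimal TLS ClientHello with and without an SNI extension, parses the hostname back out of the raw bytes, and maps it to a certificate file. The gryffindor.com/slytherin.com certificate mapping is constructed to match the FAQ's example hosts, and the two RSA cipher suites in the builder (0x002F, 0x0035) are an arbitrary choice. A client without SNI reaches the end of the ClientHello with no hostname, so the server must fall back to a single default certificate, which is exactly the situation the answer describes.

```python
"""Build a TLS ClientHello and extract its SNI host name (added example, not Resin code)."""
import os
import struct

TLS_HANDSHAKE = 0x16          # record-layer content type for handshake messages
CLIENT_HELLO = 0x01           # handshake message type
EXT_SERVER_NAME = 0x0000      # extension type for Server Name Indication
TLS1_0 = b"\x03\x01"          # legacy version bytes used in record and hello

# Constructed mapping in the spirit of the FAQ's two virtual hosts (assumed paths).
CERTS = {
    "gryffindor.com": "keys/gryffindor.crt",
    "slytherin.com": "keys/slytherin.crt",
}


def build_client_hello(server_name=None, cipher_suites=(0x002F, 0x0035)):
    """Return a TLS record carrying a minimal ClientHello.

    With server_name=None the hello carries no extensions block at all,
    which is what a pre-SNI client sends and what the FAQ answer assumes.
    """
    body = TLS1_0                                   # client_version
    body += os.urandom(32)                          # client random
    body += b"\x00"                                 # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites  # cipher_suites vector
    body += b"\x01\x00"                             # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext   # extensions vector
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + TLS1_0 + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(record):
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                    # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos == len(body):
        return None                                 # no extensions: pre-SNI client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        names = data[2:2 + list_len]
        npos = 0
        while npos + 3 <= len(names):
            ntype = names[npos]
            nlen = struct.unpack("!H", names[npos + 1:npos + 3])[0]
            name = names[npos + 3:npos + 3 + nlen]
            npos += 3 + nlen
            if ntype == 0:                          # host_name entry
                return name.decode("ascii")
    return None


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello so a
    caller never selects a certificate based on garbage or truncated input.
    """
    try:
        return _parse_sni(record)
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello") from None


def pick_certificate(record, default="keys/gryffindor.crt"):
    """Choose a certificate file from the hostname in the ClientHello, else a default."""
    name = extract_sni(record)
    return CERTS.get(name, default) if name else default


if __name__ == "__main__":
    print(extract_sni(build_client_hello("slytherin.com")))   # slytherin.com
    print(extract_sni(build_client_hello()))                  # None
```

The parser stops at the first host_name entry, which is what real servers do; everything before the extensions block (random, session id, cipher suites) is skipped by length rather than trusted, and any length that does not add up is rejected instead of being read past.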

Why does Resin say I need OPENSSL_THREADS when I try to use OpenSSL?

Resin dies with an error on startup "Resin requires a threaded version of OpenSSL. OpenSSL must be compiled with OPENSSL_THREADS for Resin to use it."

Resin requires a threaded build of the OpenSSL libraries. A threaded build is usually the OpenSSL default; on some systems, however, it is necessary to request threading explicitly.

To recompile the openssl libraries with threading enabled:

$ cd openssl-0.9.7c
$ ./config threads
$ make
$ make install

The INSTALL document from the OpenSSL package contains more information on the threads option.

What is the sequence of handshakes for an SSL connection?

For a full handshake with RSA key exchange and no client certificate (the usual case for a web server), the messages are:

ClientHello->
<-ServerHello
<-CertificateChain
<-ServerHelloDone
ClientKeyExchange->
ChangeCipherSpec->
Finished->
<-ChangeCipherSpec
<-Finished

The server sends its certificate in its first flight, before any application data, which is why the certificate it presents cannot depend on anything in the HTTP request.

How do I handle port 80 and root issues on Linux?

Use Resin 3.1 Professional with the <user-name> tag. The Resin watchdog starts as root and binds port 80 as root. Before the watchdog launches the Resin instance, it switches to the user named in <user-name>, so the servlet container itself does not run as root.

Where can I learn more about SSL?

Erik's Weblog - Converting a JSSE Keystore to OpenSSL: http://www.thauvin.net/blog/stories.jsp?id=42
