How to serve https

I’ve got a “web server” on my central heating controller. The quotation marks are because it is nothing like a proper web server. It does a highly specific job, and it only responds to a very few http commands from the client. It’s written in BASIC and is quite small.

How would I make it do https instead of http?

You can probably find out how to do it in the RFC’s. The big stumbling block is going to be SSL or TLS. You may be able to extract that from Netsurf. I you have rcomps hermes mail fetcher I think there’s a SSL module in that that you could use for your own use.

I you have rcomps hermes mail fetcher I think there’s a SSL module in that that you could use for your own use.

If you have the NutPi card the R-Comp SSL module is on there. I think you can simply ask for it from R-Comp as I believe they regard it as a support item rather than a major product.

From all accounts it could do with a “refresh” anyway.

I think you can simply ask for it from R-Comp as I believe they regard it as a support item rather than a major product.

LOL! That’s what I thought. Not the impression I got when I wanted to use it with AntiSpam.

@Dave, take a look at AntiSpam for a way to integrate it. I know it’s a client and not a server, but it may still be useful.
To be honest, the module is thoroughly out of date, but if you’re not relying on anything above TLS 1.0, it should do the job.

LOL! That’s what I thought. Not the impression I got when I wanted to use it with AntiSpam.

Ah, now be fair.
Hermes and NetFetch are in their current commercial portfolio and a combination of PopStar sending and AntiSpam fetching (and filtering) offered for free is a bit high on the competition stakes.

We can build the latest OpenSSL (1.0.2a) automatically¹ (build log and download ). That’s the version released 19 March 2015 (fixing 12 vulnerabilities that day alone), as opposed to the R-Comp SSL module which dates from 2000. The CVE database lists 205 OpenSSL-related vulnerabilities since 2000 (though some of those are in programs that use OpenSSL rather than the library itself so this is an overestimate).

¹ It currently requires me to click a button to build – it needs some more infrastructure to do it on a rolling basis.

However, the RISC OS build is an ELF library. So your challenge is how to connect your BASIC program to the ELF code. One option may be to use the supplied ‘openssl’ command line executable and pipe your ‘web server’ traffic in and out.

It would be good to build a replacement for the elderly SSL module using OpenSSL.

This is not relevant to Dave’s question, but is there a URL fetcher module that supports https? The URL_Fetcher module originally written by Acorn comes with several fetcher modules for things like FTP and HTTP (module name AcornHTTP) but I am unaware as to whether an HTTPS fetcher module was ever provided. That would be useful, as the URL_Fetcher system is quite nice and straightforward to work with.

It would be good to build a replacement for the elderly SSL module using OpenSSL.

I agree. Is there a published API?

Perhaps mbed TLS or wolfSSL would be a better fit than OpenSSL.

Perhaps mbed TLS or wolfSSL would be a better fit than OpenSSL.

mbedTLS is available dual¹ license, wolfSSL is solid GPL2² so I think most people would head for mbedTLS

¹ They quote it as “FOSS exception” and list BSD and EUPL among the permitted open source

² Should we head for the trenches/shelters now or wait a while?

Ohhh! I’ll be taking a good look at that :-D
Hopefully it supports TLS 1.2 otherwise it’s useless.

Hopefully it supports TLS 1.2

“A central SSL module uses the cryptographic components, the abstraction layers and the support components to provide a complete protocol implementation for SSL v3, TLS v1.0, TLS v1.1 and TLS v1.2.”

According to the info individual elements can be built as modules for specific features.

Latest stable release February, test branch the other day…

Well, that was easy. mbedtls 1.3.10 built I simply added it to the autobuilder and it ‘just built’. That’s untested (since I’m not near a RISC OS machine) – there are some included binaries that may be worth playing with (they’re ELF binaries so you’ll need the !SharedLibs from GCC).

It probably won’t be massively complex to build with Norcroft if you’re in the AIF world, however you’ll need to rewrite the Makefile as it’s fairly simple but not RISC OS friendly.

That’s great news! TLS 1.2 and likely to be Norcroft compatible. I really need to focus now and get stuff done.
A also notice the “Not affected” against POODLE and Heartbleed. Not a suprise, but nice to see ;-)
It also makes me happy seeing the ARM logo plastered everywhere!
I tried to google search for crypto acceleration (as I have a couple of arm systems at home that have aes acceleration hardware on them) but it seems google search is busted in netsurf (or at least for me)
[Works with javascript enabled]

mbedTLS is available dual license

In the foss exception I can’t see how you can ‘obey the GPL in all respects’ (clause 2.1) and use a different licence – seems contradictory to me.

(they’re ELF binaries so you’ll need the !SharedLibs from GCC)

What about after using elf2aif on them?
My knowledge of web is small, but I have a big new HTML5 book at the moment, and one thing new for HTML5 is in the forms category the keygen command (creates private and public pairs), which sounds like a step towards ordinary SSH/SSL useage.
I’m not sure what browsers did before.

In the foss exception I can’t see how you can ‘obey the GPL in all respects’ (clause 2.1) and use a different licence – seems contradictory to me.

You mean after you’ve dealt with the fact the GPL contradicts itself?

Just work with the fact that they state you can use one of those other licenses

Several things are available as GPL or something else. Perhaps the something else is the preferred way of licensing but GPL had to be added due to its weight of movement and the built in exclusion of everything else. Kudos to the developers for giving us a choice. At least they seem to understand what open source is about, unlike most of the RMS groupies.

Several things are available as GPL or something else

Of course they are the copyright owner can use as many licences as they like. But that is not what is happening here – if it was it would just say you can use any of the following licences. The foss exception in section 2 states you must meet all the conditions in the section, one of which is ‘You obey the GPL in all respects’.

It seems to me just a reiteration of the GPL in different words.

It make sense to me as the company sells other licences – if you could use a bsd licence they’d have nothing to sell.

Yeah, it doesn’t make much sense. It basically says “you can use BSD (or another listed licence) so long as your app complies with the GPL”. I don’t get it…

What about after using elf2aif on them?

That should work. My build setup currently isn’t doing that – for some reason filetypes are going missing during the build, so the automatic elf2aif isn’t being applied, and I haven’t worked out why yet. In any case the library is the important bit, and the demo programs that come with it are just examples of how to use it.

My knowledge of web is small, but I have a big new HTML5 book at the moment, and one thing new for HTML5 is in the forms category the keygen command (creates private and public pairs), which sounds like a step towards ordinary SSH/SSL useage.

Not really – < keygen> is an obscure HTML tag that’s supposedly useful for forms doing certificate generation (a rather niche interest). That’s to do with authenticating users (you to account number 12345), while SSL is about authenticating connections (you to megabank.com). It’s been around since Netscape days, and even Microsoft wants keygen to die

SSH is nothing to do with the web by the way – only similarities are the letters ‘SS’ and that the most common implementation (OpenSSH) uses OpenSSL as a library for some of the crypto.

My thanks to all of you for your responses.

I read more of the Wikipedia TLS entry yesterday, more deeply, and I used Wiresalmon and Wireshark to look at the initial exchanges when accessing an https site. It’s all beginning to make sense.

So let’s see if I’ve got any of this right.

In the first place, I need to get at least one certificate. There do appear to be a couple of free options. I also need a TLS module, be it the old one that R-Comp use, or a new one built with one of the libraries listed above.

When the code is running:

• I have to open a stream socket on my chosen port (which will not be the standard one).
• I accept a connection on that socket.
• I initially pass the incoming data to the TLS module, which does the negotiation for me.
• The TLS module passes back responses to me, which I return to the client.
• When the handshake is complete, I pass (now encrypted) incoming HTTP data to the TLS module, and it passes decrypted HTTP data back to me.
• I pass plain HTTP data to the TLS module, which passes back an encrypted version, which I send to the client.
• At some stage the connection is closed, either by my end or by the far end.

How am I doing so far?

In the first place, I need to get at least one certificate.

Or generate one. Various systems allow you to do that, I only ever did the thing once following the instructions in the FreeRADIUS setup documentation.

Two things about a self generated certificate:
You have total control
No one else could ever use that certificate or a root certificate of that certificate from an outside location.

How am I doing so far?

Matches my understanding – there’s normally a timeout in the endpoints.

On a slight deviation, but possibly of interest – one of the great things about TLS is that you can turn it on and off at will.
i.e. you can connect unencrypted, then talk to the service and then decide you want to send sensitive data and turn it on, then turn it off afterwards – all down the same socket.
SSL is just awful in comparison.

SSL – Socket (or S***y Security Layer) Layer
TLS – Transport Layer

Or that’s my understanding, feel free to correct.

Not really. TLS is just a newer version of SSL.

What you may be thinking of is STARTTLS, which is a way to offer both an encrypted and unencrypted connection on the same port, and the client can choose. Personally I’m not keen on that because I’d rather the client didn’t have a way to opt out of encryption – encryption is frequently in the server’s interest as well as the client’s. It also makes for a bigger attack surface as you have to expose both stacks at the same time. If you offer encrypted and non-encrypted on different ports you can implement different policies – for instance IMAPS from the Internet, IMAP from the local network only – which you can’t with STARTTLS over IMAP (without deep packet inspection – better not to go there).