HTTP Support
(originally taken from
http://www.towersoft.com/sdk/doku.php?id=ice:setting_up_an_ice_server_to_use_ssl)
Introduction
For added security, the ICE Server supports the Secure Sockets Layer (SSL) protocol. SSL encrypts all traffic between the client and the ICE server so that sensitive data is protected in transit. If your ICE server is reachable over the internet, enabling SSL is highly recommended.
This article describes how to use ICE with SSL. It also shows how to use the OpenSSL toolkit or Microsoft makecert to generate a self-signed certificate for testing the ICE SSL functionality.
About SSL Certificates
The certificates used by C# WebServer to encrypt traffic need to be valid PKCS#12 files (the certificate together with its private key), with the extension "pfx" or "p12". You can obtain a certificate from a certificate authority (CA) such as Verisign, or you can generate one yourself using the open source OpenSSL toolkit.
C# WebServer uses X.509 certificates to secure the connection between the client and the server. There are two basic types. A self-signed certificate (or one issued by your own private CA, as in the OpenSSL steps below) is simple to produce, and the encryption it provides is no weaker, but clients have no way to verify the server's identity unless that certificate or its CA is explicitly installed as trusted on every client. Until then browsers will warn about the connection, and an attacker who can intercept the traffic could present a certificate of their own without the client noticing. Use self-signed certificates only during testing. A certificate signed by a public Certificate Authority (CA) is trusted by clients out of the box and is what you should deploy in production.
Generate Self-signed Certificate with OpenSSL
To create certificates for ICE with OpenSSL, here are the steps we used when testing SSL. The procedure creates a private test CA, issues a server certificate signed by that CA, and exports the result to a PKCS#12 file. The certificate produced this way is for testing; for production, have the request (newreq.pem) signed by a public CA instead.
Note:
PERL must be installed to run the .pl scripts. Win32 users can download ActivePerl at
http://www.activestate.com/
If you haven't got OpenSSL, you can download a win32 installer at
http://www.slproweb.com/products/Win32OpenSSL.html
Set up the Certificate Authority (CA):
(Note: if the following command returns instantly, it has probably detected an existing demoCA setup. Delete the folder demoCA under C:\OpenSSL\bin\ and run the command again.)
C:\openSSL\bin>CA.pl -newca
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ELEPHANT Software
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, YOUR name) []:ICE
Email Address []:john@elephant.com.au
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:elephant
An optional company name []:
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
bc:2e:d2:f7:40:e5:33:13
Validity
Not Before: Aug 16 01:20:38 2006 GMT
Not After : Aug 15 01:20:38 2009 GMT
Subject:
countryName = AU
stateOrProvinceName = ACT
organizationName = ELEPHANT Software
organizationalUnitName = R&D
commonName = ICE
emailAddress = john@elephant.com.au
X509v3 extensions:
X509v3 Subject Key Identifier:
19:B2:98:EA:0D:BE:A9:62:A3:54:72:37:D8:BF:25:D4:28:AB:7C:73
X509v3 Authority Key Identifier:
keyid:19:B2:98:EA:0D:BE:A9:62:A3:54:72:37:D8:BF:25:D4:28:AB:7C:73
DirName:/C=AU/ST=ACT/O=ELEPHANT Software/OU=R&D/CN=ICE/emailAddress=john@elephant.com.au
serial:BC:2E:D2:F7:40:E5:33:13
X509v3 Basic Constraints: CA:TRUE
Certificate is to be certified until Aug 15 01:20:38 2009 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
c:\openSSL\bin\>CA.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
...++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ELEPHANT Software
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, YOUR name) []:ICE
Email Address []:john@elephant.com.au
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:elephant
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
c:\openSSL\bin\>CA.pl -signreq
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
bc:2e:d2:f7:40:e5:33:14
Validity
Not Before: Aug 16 01:23:10 2006 GMT
Not After : Aug 16 01:23:10 2007 GMT
Subject:
countryName = AU
stateOrProvinceName = ACT
localityName = Canberra
organizationName = ELEPHANT Software
organizationalUnitName = R&D
commonName = ICE
emailAddress = john@elephant.com.au
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
04:7F:C7:5F:AB:F7:72:16:78:03:95:BC:0A:37:9E:91:A3:A0:DD:D5
X509v3 Authority Key Identifier:
keyid:19:B2:98:EA:0D:BE:A9:62:A3:54:72:37:D8:BF:25:D4:28:AB:7C:73
Certificate is to be certified until Aug 16 01:23:10 2007 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
c:\openSSL\bin\>CA.pl -pkcs12 "ICE Test Certificate"
Loading 'screen' into random state - done
Enter pass phrase for newkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
PKCS #12 file is in newcert.p12
You now have a test certificate, signed by your own test CA, in newcert.p12 ready for use in ICE (the file also carries the CA certificate, demoCA/cacert.pem). Clients will not trust the server until that CA certificate is installed in their trusted root store; until then browsers will warn about the connection.
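The same four steps (test CA, request, signing, PKCS#12 export) with a current OpenSSL, as an added example that is not part of the original page or of the ICE documentation. The transcript above reflects 2006 defaults (1024-bit RSA, SHA-1, no subjectAltName) that today's clients reject; the script below uses RSA-2048 and SHA-256, puts the hostname in subjectAltName, and then checks the result the way a connecting client would. It needs OpenSSL 1.1.1 or later. The subject fields, the hostname ice.example.com, the output directory and the export password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the CA.pl procedure above redone
# with plain openssl commands and current defaults (RSA-2048, SHA-256, a
# subjectAltName). Requires OpenSSL 1.1.1 or later. Subject fields, the
# hostname and the export password are assumptions; change them to your own.
set -eu

# make_ice_test_cert OUTDIR HOSTNAME EXPORT_PASSWORD
# Writes ca.key, ca.crt, server.key, server.csr, server.crt and server.p12
# into OUTDIR. Private keys are written unencrypted (-nodes): protect OUTDIR.
make_ice_test_cert() {
    outdir=$1; host=$2; export_pw=$3
    mkdir -p "$outdir"

    # 1. Private test CA (the demoCA step). Using our own -config keeps the
    #    result independent of whatever openssl.cnf is installed.
    cat > "$outdir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
C = AU
ST = ACT
O = ELEPHANT Software
CN = ELEPHANT Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -config "$outdir/ca.cnf" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null

    # 2. Server key and request (the -newreq step). CN = hostname as before,
    #    but modern clients only match the name in subjectAltName (step 3).
    cat > "$outdir/server.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C = AU
ST = ACT
O = ELEPHANT Software
CN = $host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$outdir/server.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null

    # 3. Sign with the CA (the -signreq step). "openssl x509 -req" does not
    #    copy extensions from the request, so they are supplied in an extfile.
    cat > "$outdir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -sha256 -days 365 \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/server.ext" \
        -in "$outdir/server.csr" -out "$outdir/server.crt" 2>/dev/null

    # 4. PKCS#12 bundle for the ICE server (the -pkcs12 step): key, server
    #    certificate and the CA certificate, protected by the export password.
    #    Outside a throwaway test use -passout file:... rather than putting
    #    the password on the command line where other users can see it.
    openssl pkcs12 -export -name "ICE Test Certificate" \
        -inkey "$outdir/server.key" -in "$outdir/server.crt" \
        -certfile "$outdir/ca.crt" -passout "pass:$export_pw" \
        -out "$outdir/server.p12"
}

# verify_ice_test_cert OUTDIR HOSTNAME EXPORT_PASSWORD
# Checks what a client checks before trusting the server: the chain to the
# CA, the hostname in subjectAltName, the serverAuth EKU, that the leaf is
# not itself a CA, and that the .p12 opens with the export password.
# Prints OK on success, a reason on stderr and returns 1 otherwise.
verify_ice_test_cert() {
    outdir=$1; host=$2; export_pw=$3
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt does not chain to ca.crt" >&2; return 1; }
    text=$(openssl x509 -in "$outdir/server.crt" -noout -text)
    echo "$text" | grep -q "DNS:$host" \
        || { echo "subjectAltName lacks $host" >&2; return 1; }
    echo "$text" | grep -q "TLS Web Server Authentication" \
        || { echo "missing serverAuth extended key usage" >&2; return 1; }
    echo "$text" | grep -q "CA:FALSE" \
        || { echo "server certificate must not be a CA" >&2; return 1; }
    openssl pkcs12 -in "$outdir/server.p12" -passin "pass:$export_pw" \
        -nokeys -noout >/dev/null 2>&1 \
        || { echo "server.p12 does not open with the export password" >&2; return 1; }
    echo OK
}

# Usage (directory, hostname and password are examples):
#   make_ice_test_cert ./ice-tls ice.example.com changeme
#   verify_ice_test_cert ./ice-tls ice.example.com changeme
```

If the .p12 is to be imported on an old Windows system of the kind this page targets, OpenSSL 3 must be told to use the older PKCS#12 algorithms, because its default AES-256/PBKDF2 bundle with a SHA-256 MAC may fail to import there: add -legacy, or -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1, to the pkcs12 -export command. As with the CA.pl version, clients trust the server only once ca.crt has been installed as a trusted root on each of them.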
Generate Self-signed Certificate With Microsoft Makecert
You can either download OpenSSL and follow the instructions above, or generate your self-signed certificate with the Microsoft makecert utility. Either way should get your ICE server up and secured with SSL. Note that makecert has since been deprecated by Microsoft (on Windows 8 / Server 2012 and later the PowerShell cmdlet New-SelfSignedCertificate replaces it), and the -a sha1 switch in the commands below produces SHA-1 signatures that current browsers refuse; newer makecert builds accept -a sha256.
Get Makecert.exe
Download the makecert program from Microsoft.
If you have Visual Studio installed, it should be in "C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin", or get it here:
http://download.microsoft.com/download/platformsdk/update/5.131.3617.0/nt45xp/en-us/makecert.exe
Read article
There is a good article explaining how to generate a self-signed certificate with makecert.exe:
http://blogs.technet.com/jhoward/archive/2005/02/02/365323.aspx
Or you can paste the following two commands at the Windows command prompt. The first creates a test root authority in the Local Computer Personal (MY) store; the second creates the server certificate, issued by that root, with the server authentication EKU (1.3.6.1.5.5.7.3.1). Use your server's fully qualified host name as the CN, since that is what clients compare against the URL.
makecert -pe -n "CN=Test And Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "Test And Dev Root Authority.cer"
makecert -pe -n "CN=yourhostname.yourdomainname" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test And Dev Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 yourhostname.cer
You will either have to add "C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin" to the system path or run the above commands from the directory where makecert.exe resides.
Note: the .cer files are written to the directory you run makecert.exe from, and they contain only the public certificate. The private keys were placed in the Local Computer Personal (MY) store, so to obtain the .pfx file that ICE needs, export the server certificate from that store together with its private key (the -pe switch marked the key as exportable). Clients will trust the server only once "Test And Dev Root Authority.cer" is installed in their Trusted Root Certification Authorities store.
You now have a self signed certificate ready for use in ICE.