Enabling SSL with Boa
Date: 2006-09-25 Source: rwen2012
Steven Merrifield writes "The version of Boa included in the uClinux distribution includes SSL support, but by default it is not enabled due to export restrictions. This page describes how to install the openssl library and configure Boa to use secure web transfers (https). Although I've used a Coldfire platform, a similar procedure will apply for other targets."
This process can be broken into three steps:
1. Building the SSL library
2. Building Boa with SSL support
3. Generating a key and certificate
Download openssl-0.9.7b.tar.gz from http://www.openssl.org and extract it somewhere, then copy the tree without version numbers to uClinux-dist/lib/libssl.
In the libssl/Makefile, change the following:
-CC= cc
+CC= m68k-elf-gcc
-CFLAG= -DOPENSSL_NO_KRB5 -O
+CFLAG= -DOPENSSL_NO_KRB5 -O -msep-data -fomit-frame-pointer -m5307
-AR=ar $(ARFLAGS) r
-RANLIB= /usr/bin/ranlib
+AR=m68k-elf-ar $(ARFLAGS) r
+RANLIB= m68k-elf-ranlib
-DIRS= crypto ssl $(SHLIB_MARK) apps test tools
+DIRS= crypto ssl $(SHLIB_MARK)
+
+romfs:
+
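Review bot: the empty `romfs:` target added at the end of the hunk carries no comment saying why it is there, so the next person tidying libssl/Makefile is likely to delete it; a one-line comment above `+romfs:` would protect it. The same goes for `+DIRS= crypto ssl $(SHLIB_MARK)`: the reason `apps test tools` were dropped (library only, no applications) lives only in the prose under the hunk, and a short comment beside the line would keep the rationale with the change.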
Note that I am only interested in building the library, not the applications. If you're not building for a Coldfire target, make the relevant changes as appropriate.
Now that we have libssl available, building Boa with SSL support is quite simple. Choose "Network Applications", and enable "Boa uses SSL".
Then run make dep; make as usual.
It is possible that building Boa fails with a series of parse errors in des.h. If this is the case, add the line
#define DES_LONG unsigned long
to libssl/include/openssl/des.h after the include statements. Yes, this is a hack, but it's quick and easy, and it works.
Unfortunately, enabling SSL support requires a lot of space:
               Without SSL   With SSL
File size:     80108         586248
Memory usage:  41k           150k
These results are for a 5272 platform, using uClibc, and compiled statically.
At this point, it would help to have syslog turned on so we can see how Boa is responding. Enable syslogd in the Busybox configuration.
Build a new image, reboot and check the log. You should see that Boa tried to start the SSL system, but failed because the certificate was missing.
/> cat /var/log/messages
Jul 29 16:08:17 2003 syslogd started: BusyBox v0.60.4 (2003.07.29-04:03+0000)
Jul 29 16:08:17 2003 boa: Enabling SSL security system
Jul 29 16:08:17 2003 boa: Failure reading SSL certificate file: /etc/config/ssl_cert.pem
Jul 29 16:08:17 2003 boa: Failure initialising SSL support -
Jul 29 16:08:17 2003 boa: supporting normal (unencrypted) sockets only
Jul 29 16:08:17 2003 boa: Boa/0.93.15 started
/>
Now that we have Boa running with SSL support, we need to generate a key and certificate for the server. A nice (dummies) guide to SSL can be found at http://wp.netscape.com/security/techbriefs/ssl.html.
Fortunately, VeriSign allows us to install a free trial certificate for 14 days. This is ideal for testing before you shell out the dollars for a real certificate. This facility can be accessed from Netscape's "Implementing Server Certificates" at http://wp.netscape.com/security/techbriefs/servercerts/get.html.
Click on the "free trial Server ID" link, sign up with VeriSign, and go through the required steps. During this process, you will need to generate a key, and a Certificate Signing Request (CSR).
I used the following to generate a key:
/usr/bin/openssl genrsa -out server.key 1024
Then I used this key to generate a Certificate Signing Request:
/usr/bin/openssl req -new -key server.key -out server.csr
You also need to enter a bunch of information that specifically links the site certificate to your individual server. In this case, since I'm on an intranet, I used the common name "coldfire", which will later allow me to access the server using https://coldfire.
Once you have generated a CSR, paste it into the VeriSign web page, fill out some more details, and wait for the certificate to arrive in your mailbox.
Cut and paste this certificate into romfs/etc/config/ssl_cert.pem, and put the key you generated earlier in romfs/etc/config/ssl_key.pem.
Build a new image, and load it on the target. If you have syslog enabled, you should see the following:
/> cat /var/log/messages
Jul 29 15:24:43 2003 syslogd started: BusyBox v0.60.4 (2003.07.29-04:03+0000)
Jul 29 15:24:43 2003 boa: Enabling SSL security system
Jul 29 15:24:43 2003 boa: Loaded SSL certificate file: /etc/config/ssl_cert.pem
Jul 29 15:24:43 2003 boa: Opened private key file: /etc/config/ssl_key.pem
Jul 29 15:24:43 2003 boa: SSL security system enabled
Jul 29 15:24:43 2003 boa: Boa/0.93.15 started
/>
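The two /var/log/messages excerpts above are the only evidence that Boa actually brought SSL up rather than silently falling back to plain sockets. The following post-boot check is an added example, not code from the page or from Boa: it parses those syslog lines, treats each "Enabling SSL security system" as the start of a new attempt, and reports OK only when the last attempt ended in "SSL security system enabled". It assumes the syslog line shape and the Boa messages shown in the excerpts and recognises nothing else.

```python
import re
BOA_LINE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})? boa: (?P<msg>.*)$")  # "Jul 29 16:08:17 2003 boa: ..."

def _fresh():
    return {"started": False, "ssl_attempted": False, "ssl_enabled": False,
            "plaintext_only": False, "failures": []}

def boa_ssl_status(log_text):
    """SSL state of the most recent Boa start-up in log_text (page's messages only)."""
    state = _fresh()
    for line in log_text.splitlines():
        m = BOA_LINE.match(line.strip())
        if not m:                  # syslogd, kernel and other non-Boa lines
            continue
        msg = m.group("msg").strip()
        if msg == "Enabling SSL security system":
            state = dict(_fresh(), ssl_attempted=True)   # new start-up: reset earlier state
        elif msg.startswith("Failure"):
            state["failures"].append(msg.rstrip(" -"))
        elif msg == "supporting normal (unencrypted) sockets only":
            state["plaintext_only"] = True
        elif msg == "SSL security system enabled":
            state["ssl_enabled"] = True
        elif re.match(r"Boa/\S+ started$", msg):
            state["started"] = True
    return state

def verdict(state):
    """Verdict for a post-boot check; anything but OK means https is not being served."""
    if not state["started"]:
        return "NOT_STARTED"
    if state["ssl_enabled"] and not state["plaintext_only"]:
        return "OK"
    if state["ssl_attempted"]:     # Boa logged the fallback to plain sockets
        return "PLAINTEXT_FALLBACK: " + "; ".join(state["failures"] or ["no reason logged"])
    return "NO_SSL_SUPPORT"        # Boa started but never tried to enable SSL
# Constructed sample input: the two /var/log/messages excerpts from the page.
LOG_MISSING_CERT = """\
Jul 29 16:08:17 2003 syslogd started: BusyBox v0.60.4 (2003.07.29-04:03+0000)
Jul 29 16:08:17 2003 boa: Enabling SSL security system
Jul 29 16:08:17 2003 boa: Failure reading SSL certificate file: /etc/config/ssl_cert.pem
Jul 29 16:08:17 2003 boa: Failure initialising SSL support -
Jul 29 16:08:17 2003 boa: supporting normal (unencrypted) sockets only
Jul 29 16:08:17 2003 boa: Boa/0.93.15 started
"""
LOG_OK = """\
Jul 29 15:24:43 2003 boa: Enabling SSL security system
Jul 29 15:24:43 2003 boa: SSL security system enabled
Jul 29 15:24:43 2003 boa: Boa/0.93.15 started
"""
```

Run it against the target's /var/log/messages after each image build; a verdict other than OK means the browser will never close the padlock, whatever the build configuration says.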
I then added "coldfire" to my /etc/hosts file along with the IP address of the target, and fired up Mozilla. Using https://coldfire produced the home page on the target system, and the padlock closed in the browser. Very cool.
It is also possible to create self-signed certificates, so you don't need to deal with an external provider.
Create the key and CSR:
/usr/bin/openssl req -new > cert.csr
Strip the passphrase from the key:
/usr/bin/openssl rsa -in privkey.pem -out key.pem
Convert the CSR into a signed certificate:
/usr/bin/openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 365
This generates privkey.pem, cert.csr, cert.pem and key.pem.
Copy cert.pem to uClinux-dist/romfs/etc/config/ssl_cert.pem and key.pem to uClinux-dist/romfs/etc/config/ssl_key.pem.
Steven Merrifield
July 2003