
Add clearer instructions for making a simple HTTPS server for testing #2269

Merged Jul 27, 2023 (1 commit)
Conversation

abcpro1 (Contributor) commented Jun 17, 2023

closes #2221


Add clear instructions on how to generate a self-signed TLS certificate, and how to use it to make a simple HTTPS server.


/claim #2221

This includes clear instructions on how to generate a self-signed TLS certificate,
and where to store it.
codecov-commenter commented

Codecov Report

Patch and project coverage have no change.

Comparison is base (480cd69) 64.77% compared to head (b539e77) 64.77%.


Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2269   +/-   ##
=======================================
  Coverage   64.77%   64.77%           
=======================================
  Files         143      143           
  Lines        6754     6754           
  Branches     1227     1227           
=======================================
  Hits         4375     4375           
  Misses       2379     2379           


gnp commented Jun 18, 2023

This looks like the same technique I put in the issue itself.

When I used this technique and then tried to invoke the ZIO HTTP app via HTTPS using curl, the curl command hung and the error I put in the issue itself was logged in the running ZIO app.

I was only able to avoid the hang by testing with a command like curl -k https://localhost:8080/ping but I don't think a correctly functioning ZIO HTTP App with a correct (self-signed) certificate should cause curl (without the -k argument) to hang. That plus the log makes me think more is required for self-signed SSL to work with ZIO HTTP.

abcpro1 (Contributor, Author) commented Jun 18, 2023

@gnp the output that you had posted in the issue #2221 shows that the certificate had a bad format or was not loaded.

If you carefully follow the updated instructions, everything should work fine. Just make sure to have the server.key and server.crt files inside the src/main/resources directory.

This is the output from my machine:

$ curl https://localhost:8090/text -v
*   Trying 127.0.0.1:8090...
* Connected to localhost (127.0.0.1) port 8090 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$ curl https://localhost:8090/text -v --insecure
*   Trying 127.0.0.1:8090...
* Connected to localhost (127.0.0.1) port 8090 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=example.com; OU=?; O=?; L=?; ST=?; C=??
*  start date: Jun 17 10:13:10 2023 GMT
*  expire date: Jun 16 10:13:10 2024 GMT
*  issuer: CN=example.com; OU=?; O=?; L=?; ST=?; C=??
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* using HTTP/1.1
> GET /text HTTP/1.1
> Host: localhost:8090
> User-Agent: curl/8.0.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< content-type: text/plain
< content-length: 12
<
* Connection #0 to host localhost left intact
Hello World!

jdegoes (Member) commented Jun 21, 2023

Can you also add documentation to the microsite that covers similar content? It's great to have it inside the source code and even better to have it on the website.

@gnp Can you confirm the instructions work correctly?

abcpro1 (Contributor, Author) commented Jun 22, 2023

@jdegoes this file itself is actually part of the microsite https://zio.dev/zio-http/examples/basic/https-server. Or do you have a specific suggestion?

gnp commented Jun 26, 2023

Hi. Thanks @abcpro1. I have used your proposed openssl command verbatim in my test project and unlike my previous experience curl did not hang, even though ZIO HTTP did log warnings about HTTPS handshake problems.

Concern: This recommends running the openssl command and putting the resulting server.crt and server.key files in src/main/resources which seems like a really bad idea because of high potential that secrets get checked into source control and/or built into jars. In my case, I first added those files to .gitignore, but it's a real risk. Ideally, we would have progressive advice. For example:

  • Quick start -- you can use SSLConfig.generate(behaviour = SSLConfig.HttpBehaviour.Accept) which will automatically generate what is needed at runtime. But, beware you will have to have clients ignore validations (for example with -k argument to curl).
  • Initial preparation for generated SSL configuration -- you can use openssl command to generate a self-signed certificate .crt and .key file that you store in src/main/resources. But, be careful to not check them in (list them in .gitignore for example).
  • Real development, and other environment (including PROD) deployment -- ??? what is the recommendation ??? surely not building into the jar file by putting in src/main/resources? How would we have local development use the same technique we'd want to use in deployed application to get the two files?

@jdegoes -- The suggested openssl command worked well enough for me that I've followed the proposed advice in my zio-quickstart-https example here: gnp/zio-quickstart-https@416a638. How would you like to proceed?
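Two points from this thread deserve a worked example: the curl transcript above stops at "SSL certificate problem: self-signed certificate" and then proceeds only with --insecure, which switches off both chain and hostname verification, so a test that passes only with -k says nothing about whether the right certificate was loaded; and the concern about keeping server.key out of src/main/resources. The script below is an added example of mine, not code from zio-http, from this PR, or from any commenter. It generates the self-signed material under an assumed TLS_DIR outside the repository, checks it the way a client would, and prints the curl command that verifies the server with --cacert instead of trusting it blindly. Wiring the files into the server is outside the script; I assume SSLConfig.fromFile takes the same behaviour/certPath/keyPath arguments as the SSLConfig.fromResource the PR documents.

```shell
#!/bin/sh
# Added example, not code from zio-http or from this PR. Generates a
# self-signed development certificate OUTSIDE the source tree and checks it
# the way a TLS client would, so curl can verify it with --cacert instead of
# skipping verification with -k/--insecure.
set -eu

# Assumed location for dev TLS material; any directory outside
# src/main/resources works. The point is that the key is neither committed
# nor packaged into the jar.
TLS_DIR="${TLS_DIR:-${HOME:-/tmp}/.local/share/zio-http-dev-tls}"

# gen_dev_cert DIR HOSTNAME
# Writes DIR/server.key (PKCS#8 PEM, mode 0600) and DIR/server.crt.
# The certificate must name the host you connect to: browsers ignore CN and
# match only subjectAltName, and a CN=example.com certificate (as in the
# curl transcript above) fails hostname verification for localhost.
gen_dev_cert() {
    dir="$1"
    host="$2"
    mkdir -p "$dir"
    chmod 700 "$dir"
    # -nodes: unencrypted key. `req -newkey` writes PKCS#8 ("BEGIN PRIVATE
    # KEY"), the form Netty-based servers such as zio-http load; a PKCS#1
    # "BEGIN RSA PRIVATE KEY" file from `openssl genrsa` would not be.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
        -subj "/CN=${host}" \
        -addext "subjectAltName=DNS:${host},IP:127.0.0.1" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# cert_matches_host CRT HOSTNAME: succeeds if CRT is valid for HOSTNAME,
# using openssl's own hostname check (the same rule curl applies).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# cert_self_verifies CRT: succeeds if CRT verifies with itself as the only
# trust anchor, which is exactly what `curl --cacert CRT` will do.
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# key_is_pkcs8 KEY: succeeds if KEY is an unencrypted PKCS#8 PEM key.
key_is_pkcs8() {
    head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# key_is_private KEY: succeeds if KEY has mode 0600 (owner read/write only).
key_is_private() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# When run directly with a hostname, generate and check the material, then
# print the curl command that verifies the server instead of trusting it.
if [ -n "${1:-}" ]; then
    gen_dev_cert "$TLS_DIR" "$1"
    cert_matches_host "$TLS_DIR/server.crt" "$1"
    cert_self_verifies "$TLS_DIR/server.crt"
    key_is_pkcs8 "$TLS_DIR/server.key"
    key_is_private "$TLS_DIR/server.key"
    echo "cert: $TLS_DIR/server.crt"
    echo "key:  $TLS_DIR/server.key"
    echo "verify with: curl --cacert $TLS_DIR/server.crt https://$1:8090/text"
fi
```

Run it as `sh gen-dev-tls.sh localhost`. The printed curl command completes the handshake with verification on, so a "SSL certificate problem" or hostname mismatch then means the server really did load something other than the generated certificate, which -k would have hidden. The checks cover the two failure modes this thread touches: a key in the wrong PEM container, and a certificate that does not name the host being tested.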

@jdegoes jdegoes merged commit fd7a239 into zio:main Jul 27, 2023
987Nabil pushed a commit to 987Nabil/zio-http that referenced this pull request Jul 28, 2023
Successfully merging this pull request may close these issues.

SSL example needs crt and key file creation instructions