Configuring SSL
Appweb supports the Secure Sockets Layer (SSL) protocol for authenticating systems and encrypting data. Use of this protocol enables secure data transmission to and from clients in a standards-based manner.
This document provides step-by-step instructions for configuring SSL in Appweb. If you are unfamiliar with SSL, please read the SSL Overview first.
SSL Quick Start
The default binary installation of Appweb will support SSL for all network interfaces. You can immediately test SSL access to documents by using the https:// scheme. For example, to access the home page using SSL, use this URL in your browser:
https://localhost/index.html
Self-Signed Certificate
Appweb is shipped with a self-signed certificate to identify the web server.
SECURITY WARNING: This certificate is suitable for testing purposes only and your browser will issue a warning when you access the server. For production use, you should obtain your own service certificate from signing authorities such as Verisign.
SSL Configuration Directives
Appweb uses several configuration file directives to control SSL and manage secure access to the server. These directives can be specified in the Default Server section or in a Virtual Host section.
The relevant SSL directives are:
There are some additional directives that are necessary should you wish to have Appweb verify client certificates. These directives are:
SSL Configuration Example
Consider the default Appweb SSL configuration in the appweb.conf configuration file:
SSLCertificateFile "self.crt"
SSLCertificateKeyFile "self.key"
ListenSecure 443
This set of directives enables SSL on port 443 for all network interfaces and uses the default supplied self-signed certificate to identify the server.
The ListenSecure directive instructs Appweb to process requests from all interfaces on port 443 using the current SSL configuration.
The SSLCertificateFile directive specifies the server certificate to use and the SSLCertificateKeyFile directive specifies the server private key for signing.
SECURITY WARNING: You must obtain or generate an SSL certificate before using this example in a production environment.
The server key file is a PEM encoded private key. You may supply either an encrypted private key or a decrypted private key. If you use an encrypted private key, the server will prompt you for a pass-phrase to decrypt the key when the server boots.
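The following pre-deployment check is an added example, not part of the Appweb distribution or its documentation. It reads the three directives shown above from configuration text, flags the shipped self.crt/self.key test pair, and inspects the PEM headers of the key file to report whether the server will prompt for a pass-phrase at boot. The function names and the sample key text are constructed for illustration.

```python
import re

# Directive names and file names below are the ones in this page's appweb.conf example.
DIRECTIVE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateKeyFile|ListenSecure)\s+(?:"([^"]*)"|(\S+))')
SHIPPED_TEST_FILES = {"self.crt", "self.key"}

def parse_ssl_directives(conf_text):
    """Return {directive: value}; commented-out lines never match, last one wins."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1)] = m.group(2) or m.group(3)
    return found

def key_state(pem_text):
    """Classify a PEM private key as 'encrypted', 'unencrypted' or 'not-a-key'."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:   # PKCS#8, encrypted
        return "encrypted"
    m = re.search(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----\s*(.*)", pem_text, re.S)
    if not m:
        return "not-a-key"
    # Traditional OpenSSL keys flag encryption in a header line right after BEGIN.
    return "encrypted" if m.group(1).startswith("Proc-Type: 4,ENCRYPTED") else "unencrypted"

def audit(conf_text, read_file):
    """Return findings for a config; read_file(path) returns that file's text."""
    d, findings = parse_ssl_directives(conf_text), []
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if name not in d:
            findings.append(f"{name} is not set")
        elif d[name].rsplit("/", 1)[-1] in SHIPPED_TEST_FILES:
            findings.append(f"{name} points at the shipped test file {d[name]}")
    if "SSLCertificateKeyFile" in d:
        state = key_state(read_file(d["SSLCertificateKeyFile"]))
        findings.append({
            "encrypted": "key is encrypted: the server prompts for a pass-phrase at boot",
            "unencrypted": "key is unencrypted: no prompt at boot, restrict read access",
            "not-a-key": "key file holds no PEM private key",
        }[state])
    return findings

# Constructed sample input (the key body is a placeholder, not real key material).
SAMPLE_CONF = 'SSLCertificateFile "self.crt"\nSSLCertificateKeyFile "self.key"\nListenSecure 443\n'
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, lambda path: SAMPLE_KEY)))
```

To check a real installation, pass the contents of appweb.conf and a read_file function that opens paths relative to the directory the server resolves them from.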
SSL Providers
Appweb employs an open architecture SSL Provider interface so that customers can select the ideal SSL provider for their needs. Different SSL implementations excel in various ways. Some are compact, others are fast and some are extensive in their cipher support.
Appweb supports four SSL implementations:
- OpenSSL -- designed for enterprise use. See http://www.openssl.org.
- PeerSec MatrixSSL -- designed for embedding. See http://www.peersec.com.
- Mocana NanoSSL -- designed for embedding. See https://mocana.com/nanossl.html.
- EST SSL (Prototype) -- included with Appweb and designed for embedding.
If building an SSL provider from source, please consult Building SSL Providers for the suggested SSL provider compilation flags to work with Appweb.
The binary installation will use the OpenSSL provider by default.