
Author Topic: Setting up SSL/Https on a public node  (Read 11021 times)

Riker (Core Dev, Hero Member, Karma: +439/-42, Posts: 1790)
Setting up SSL/Https on a public node
« on: August 03, 2014, 10:49:26 am »

Background:
In a nutshell, the Https protocol refers to layering SSL based encryption on top of the Http protocol in order to encrypt the communication between a browser (NXT client in our case) and a web server (NRS in our case) to prevent wiretapping and man-in-the-middle attacks.
This post explains how to configure your public NXT node to encrypt all communication on the API server port (port 7876 by default) using SSL/Https so that you can securely connect to it from your local workstation.

The process is composed of two general steps:
Step 1 - Configure Https using a test certificate:
At the end of this step you should be able to connect to your public node using Https but you'll receive a browser warning such as "The site's security certificate is not trusted!" which you'll have to ignore.
For many purposes this should be good enough since the communication is now encrypted.

Step 2 - Configure a trusted certification authority issued SSL certificate
This step is more complex and requires spending real money. At the end of the process your NXT node will support Https without a browser warning message.

Prerequisites:
Operational NXT VPS node with Java 7 or higher installed and basic knowledge how to operate it. These instructions should work equally well for Linux and Windows.

Implementation:
Step 1 - Configure Https using a test certificate
(a) Locate the keytool utility - the Java keytool utility is a tool for the creation and management of Java keystores; a keystore is a central repository for private/public key pairs and certificates used by the underlying Java SSL implementation.
In some cases the keytool utility will be in your path so in a command line prompt simply type "keytool" and press Enter, in response you should see the message:
"Key and Certificate Management Tool" followed by some usage information.
If keytool is not found in your path, then you should locate the Java JRE installation folder and run it from there, for example on my VPS node the path to keytool is /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/keytool and on my Windows workstation it's "c:\Program Files\Java\jre7\bin\keytool.exe".

(b) Create a Java Keystore and private/public key pair.
From the command line cd to the nxt folder then issue the following command:
keytool -genkey -keystore keystore
Enter a keystore password, save it somewhere and don't lose it since you'll need it later.
Specify the server domain name correctly in reply to the confusing "What is your first and last name" prompt.
Fill the rest of the parameters, confirm and then enter a key password which should be the same as the keystore password.
Once you are done, verify that a file named "keystore" has been created in the root folder of your NXT server.

(c) List the content of your keystore file and verify that the information is correct:
keytool -list -v -keystore keystore

(d) In the NXT conf folder create the file nxt.properties (if it does not already exist) and add the following entries:
nxt.keyStorePath=keystore
nxt.keyStorePassword=<same password you provided in (b)>
nxt.apiSSL=true

In case you are still using the old UI on port 7875 also add:
nxt.uiSSL=true

(e) Restart your NXT node and wait for the "Started API server at 0.0.0.0:7876" message.

(f) Test your connection by pointing your browser to the following address: https://<vps node address>:7876
Dismiss the browser warning to start your NXT client using encrypted communication.
 
Step 2 - Configure a trusted certification authority issued SSL certificate

Creating a certified keystore requires following the procedures documented by Java JSSE, I recommend that you start with understanding the keytool command: http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html and work from there using the specific instructions provided by your certificate authority to familiarize yourself with the process.

I'd like to underscore the following common mistakes when managing the keystore file and certificate:
1. When you create a keystore and a private key, using the "keytool -genkey" command, make sure to specify the fully qualified server domain name correctly in reply to the misleading "What is your first and last name" question. For example "www.mydomain.com" is a fully qualified domain name you should possess. "John Smith" is not such a domain name.
Once the keystore is created, generate a certificate signing request (CSR), using the "keytool -certreq" command, and send it to the certification authority of your choice.

See for example documentation from Verisign:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR227
Note that you can use any certification authority which supports Java, JKS and X509 formats for this process.

Here is how your keystore should look when you list it using keytool -list -v

The keystore information:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: myalias
Creation date: 11/11/2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate1:
Owner: CN=www.mydomain.com, ...
Issuer: CN=www.mydomain.com, ...

2. Submit your CSR (certificate signing request) for the specific domain to the certificate authority of your choice to get a "Certificate Reply". This process takes time and costs money. Expect to pay at least $100 annually.

3. Import the certificate reply
Using the "keytool -import -trustcacerts" command, import the certification authority primary and secondary intermediate certificates into the same keystore used for generating the CSR then import the certificate reply into the same keystore using the same alias you gave the private key when generating the keystore and the CSR.
Make sure you receive the message "Certificate reply was installed in keystore" when importing the certificate reply.

See more information: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO15518

Your keystore should now look like this (notice the PrivateKeyEntry and the two intermediate trustedCertEntry)

keytool -list -keystore keystore

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 3 entries

secondary, 12/11/2012, trustedCertEntry,

myalias, 12/11/2012, PrivateKeyEntry,

primary, 12/11/2012, trustedCertEntry,

Troubleshooting:
If things do not work as expected, use the -Djavax.net.debug=all Java command line option to generate diagnostic information.
See the following link for more information: http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html
« Last Edit: August 04, 2014, 12:46:42 pm by lyaffe »
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651
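The post shows what `keytool -list -v` should print after step 1 (a single self-signed PrivateKeyEntry) and after step 2 (the reply plus the intermediate trustedCertEntry entries), and warns that the CN must be a fully qualified domain name. The script below is an added example, not code from the post, the NXT project or keytool: it parses that listing text and reports which stage the keystore is at and anything that would break the setup (wrong entry count, a CN like "John Smith", a CN that does not match the host clients will use, or a reply imported without its intermediate chain). The two sample listings are constructed to mirror the ones in the post; the intermediate CA names in them are made up.

```python
"""Check a `keytool -list -v` listing for the two stages described in the post.

Added example (not code from the post, the NXT project or keytool): it parses
the listing text and reports whether the keystore holds exactly one server
key entry, whether that entry is still self-signed (end of step 1: encrypted,
but browsers warn) or CA-issued with its chain (end of step 2), and whether
the CN is a fully qualified domain name matching the host clients connect to.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entry:
    alias: str
    entry_type: str = ""          # PrivateKeyEntry or trustedCertEntry
    chain_length: int = 1         # trustedCertEntry blocks print no chain length
    owner: Optional[str] = None   # DN of the first (leaf) certificate only
    issuer: Optional[str] = None


_CN = re.compile(r"(?:^|,\s*)CN=([^,]+)")


def parse_listing(text: str) -> List[Entry]:
    """One Entry per "Alias name:" block; Owner/Issuer keep the leaf cert only."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entries.append(Entry(alias=line.split(":", 1)[1].strip()))
        elif not entries:
            continue                      # header lines before the first alias
        elif line.startswith("Entry type:"):
            entries[-1].entry_type = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            entries[-1].chain_length = int(line.split(":", 1)[1])
        elif line.startswith("Owner:") and entries[-1].owner is None:
            entries[-1].owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and entries[-1].issuer is None:
            entries[-1].issuer = line.split(":", 1)[1].strip()
    return entries


def common_name(dn: Optional[str]) -> str:
    m = _CN.search(dn or "")
    return m.group(1).strip() if m else ""


def is_fqdn(name: str) -> bool:
    """www.mydomain.com qualifies; "John Smith", "localhost" or an IP address do not."""
    labels = name.lower().split(".")
    return (len(labels) >= 2 and labels[-1].isalpha()
            and all(re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels))


def assess(listing: str, expected_host: str) -> Dict[str, object]:
    """Classify the keystore and list anything that would break the setup."""
    entries = parse_listing(listing)
    keys = [e for e in entries if e.entry_type == "PrivateKeyEntry"]
    trusted = [e.alias for e in entries if e.entry_type == "trustedCertEntry"]
    problems: List[str] = []
    if len(keys) != 1:
        problems.append(f"expected exactly one PrivateKeyEntry, found {len(keys)}")
        return {"stage": "unusable", "problems": problems, "trusted": trusted}
    key = keys[0]
    cn = common_name(key.owner)
    if not is_fqdn(cn):
        problems.append(f"CN {cn!r} is not a fully qualified domain name")
    elif cn.lower() != expected_host.lower():
        problems.append(f"CN {cn!r} does not match the host clients connect to ({expected_host})")
    if key.owner == key.issuer and key.chain_length == 1:
        stage = "self-signed"         # step 1 done: encrypted, browser will warn
    else:
        stage = "ca-issued"           # step 2 done: certificate reply imported
        if key.chain_length < 2:      # reply imported without the CA chain
            problems.append("leaf certificate only: import the CA's intermediate "
                            "certificates with -trustcacerts before the reply")
    return {"stage": stage, "alias": key.alias, "cn": cn,
            "chain_length": key.chain_length, "trusted": trusted, "problems": problems}


# Constructed listing: state after step 1 (keytool -genkey, nothing imported).
SELF_SIGNED = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: myalias
Creation date: 11/11/2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.mydomain.com, OU=Nodes, O=Example, C=US
Issuer: CN=www.mydomain.com, OU=Nodes, O=Example, C=US
"""

# Constructed listing: state after step 2 (intermediates plus reply imported).
CA_ISSUED = """\
Your keystore contains 3 entries

Alias name: secondary
Entry type: trustedCertEntry
Owner: CN=Example Secondary Intermediate CA, O=Example CA
Issuer: CN=Example Primary Intermediate CA, O=Example CA

Alias name: myalias
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.mydomain.com, OU=Nodes, O=Example, C=US
Issuer: CN=Example Secondary Intermediate CA, O=Example CA

Alias name: primary
Entry type: trustedCertEntry
Owner: CN=Example Primary Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
"""

if __name__ == "__main__":
    for label, text in (("after step 1", SELF_SIGNED), ("after step 2", CA_ISSUED)):
        print(label, assess(text, "www.mydomain.com"))
```

Feed it the real output with `keytool -list -v -keystore keystore > listing.txt` and call `assess(open("listing.txt").read(), "your.node.fqdn")`; an empty `problems` list and the expected `stage` is what you want to see before restarting the node.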

EmoneyRu (Hero Member, Karma: +31/-2, Posts: 530, techDevComm, Nxt Kit)
Re: Setting up SSL/Https on a public node
« Reply #1 on: August 22, 2014, 09:20:57 am »

Riker (Core Dev, Hero Member, Karma: +439/-42, Posts: 1790)
Re: Setting up SSL/Https on a public node
« Reply #2 on: November 02, 2014, 08:55:54 am »

To test your CSR before submitting it to the CA, validate it using the following web site https://ssltools.websecurity.symantec.com/checker/views/csrCheck.jsp
« Last Edit: December 12, 2014, 06:48:30 am by lyaffe »
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

abuelau (Sr. Member, Karma: +74/-1, Posts: 461, mynxt.info)
Re: Setting up SSL/Https on a public node
« Reply #3 on: December 11, 2014, 10:30:13 pm »

Have there been any changes in SSL between NRS 1.26 and 1.34? I am unable to connect to any 1.34 node using CURL in ubuntu. Spent 2 days on this already, I ran out of options.... any help appreciated.

Jean-Luc (Core Dev, Hero Member, Karma: +816/-81, Posts: 1610)
Re: Setting up SSL/Https on a public node
« Reply #4 on: December 11, 2014, 11:49:08 pm »

In 1.3.2, the SSLv3 protocol was disabled because of a security vulnerability found in this protocol. In 1.3.3 and 1.3.4 jetty was upgraded to version 9.2.4 and 9.2.5. Could be that there are changes in jetty in those versions that affect SSL too.
I am using https when connecting to my node all the time, but this is from a browser, never tested curl.
GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322

abuelau (Sr. Member, Karma: +74/-1, Posts: 461, mynxt.info)
Re: Setting up SSL/Https on a public node
« Reply #5 on: December 11, 2014, 11:54:43 pm »

Quote from: Jean-Luc on December 11, 2014, 11:49:08 pm
In 1.3.2, the SSLv3 protocol was disabled because of a security vulnerability found in this protocol. In 1.3.3 and 1.3.4 jetty was upgraded to version 9.2.4 and 9.2.5. Could be that there are changes in jetty in those versions that affect SSL too.
I am using https when connecting to my node all the time, but this is from a browser, never tested curl.

Thanks, JL. It works fine from a browser. If I run a cert test, everything is green. But if you try connecting with CURL 7.39 (the latest) it simply doesn't work.

Jean-Luc (Core Dev, Hero Member, Karma: +816/-81, Posts: 1610)
Re: Setting up SSL/Https on a public node
« Reply #6 on: December 12, 2014, 12:00:49 am »

Can you try jetty 9.2.6 that was released a few days ago:

http://download.eclipse.org/jetty/stable-9/dist/

Just replace the jetty-* libraries under lib with those from the 9.2.6 package. The changelog does mention an SSL related bugfix:
 + 452246 Fixed SSL hang on last chunk

GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322

abuelau (Sr. Member, Karma: +74/-1, Posts: 461, mynxt.info)
Re: Setting up SSL/Https on a public node
« Reply #7 on: December 12, 2014, 12:15:17 am »

Quote from: Jean-Luc on December 12, 2014, 12:00:49 am
Can you try jetty 9.2.6 that was released a few days ago:

http://download.eclipse.org/jetty/stable-9/dist/

Just replace the jetty-* libraries under lib with those from the 9.2.6 package. The changelog does mention an SSL related bugfix:
 + 452246 Fixed SSL hang on last chunk

So I deleted nxt/lib/jetty-* and then copied the new jetty- into that same folder, restarted NXT and nothing changes (same problem). Does NXT find the right files in the lib folder even though the previous ones were jetty-9.2.5 and the new ones are jetty-9.2.6?

jl777 (Hero Member, Karma: +718/-123, Posts: 6170)
Re: Setting up SSL/Https on a public node
« Reply #8 on: December 12, 2014, 12:51:52 am »

Quote from: Jean-Luc on December 11, 2014, 11:49:08 pm
In 1.3.2, the SSLv3 protocol was disabled because of a security vulnerability found in this protocol. In 1.3.3 and 1.3.4 jetty was upgraded to version 9.2.4 and 9.2.5. Could be that there are changes in jetty in those versions that affect SSL too.
I am using https when connecting to my node all the time, but this is from a browser, never tested curl.

Quote from: abuelau on December 11, 2014, 11:54:43 pm
Thanks, JL. It works fine from a browser. If I run a cert test, everything is green. But if you try connecting with CURL 7.39 (the latest) it simply doesn't work.

since it is to your own server, can you just use the -k option for curl?
There are over 1000 people in SuperNET slack! http://slackinvite.supernet.org/ automatically sends you an invite

I am just a simple C programmer

Riker (Core Dev, Hero Member, Karma: +439/-42, Posts: 1790)
Re: Setting up SSL/Https on a public node
« Reply #9 on: December 12, 2014, 06:46:47 am »

Suggestions:
1. Just to state the obvious, make sure the URL you are using in curl is the fully qualified URL specified by the server certificate and not an IP address, localhost or any other abbreviation.
2. Install "Java Cryptography Extension (JCE) Unlimited Strength" on the server (http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) and see if this resolves the problem.
3. Enable SSL logging on the server side by using the -Djavax.net.debug=all command line flag. This will log diagnostic information to the server console. Compare the log produced by a successful SSL connection from a browser to the one produced by unsuccessful connection from curl and see where they differ. You can post the results here.
« Last Edit: December 12, 2014, 06:49:21 am by lyaffe »
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

abuelau (Sr. Member, Karma: +74/-1, Posts: 461, mynxt.info)
Re: Setting up SSL/Https on a public node
« Reply #10 on: December 13, 2014, 07:05:01 pm »

Hi,

Thanks for the suggestions, please see below:

Quote from: Riker on December 12, 2014, 06:46:47 am
1. Just to state the obvious, make sure the URL you are using in curl is the fully qualified URL specified by the server certificate and not an IP address, localhost or any other abbreviation.

Yes, it's a FQDN, in the browser I don't receive the "domain name doesn't match certificate" error which is seen when you are not using a FQDN.

Quote from: Riker on December 12, 2014, 06:46:47 am
2. Install "Java Cryptography Extension (JCE) Unlimited Strength" on the server (http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) and see if this resolves the problem.

Installed, rebooted the server but the problem persists.

Quote from: Riker on December 12, 2014, 06:46:47 am
3. Enable SSL logging on the server side by using the -Djavax.net.debug=all command line flag. This will log diagnostic information to the server console. Compare the log produced by a successful SSL connection from a browser to the one produced by unsuccessful connection from curl and see where they differ. You can post the results here.

How do I use this -Djavax.net.debug=all? How do I see the log from the browser (I use Windows). After several more hours trying to get this to work, it seems that:

- It works with curl and NSS
- It works with curl and SecureTransport
- It does NOT work with curl and openssl

I tried upgrading openssl to 1.0.1 but no luck. If I do: openssl s_client -connect my_url:7876 I get:

Quote
CONNECTED(00000003)
140060727989952:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Which seems to indicate that the certificates are not being presented by jetty? Any ideas?
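The s_client summary above is informative once you know how to read it: "SSL handshake has read 0 bytes" together with "no peer certificate available" means the server closed the connection after the ClientHello without sending a ServerHello or certificate at all, so the keystore contents cannot be what is failing; the mismatch is between what the client offers (protocol versions, cipher suites) and what this JVM/Jetty combination will accept, which is what Jean-Luc's note about SSLv3 being disabled and the later OpenJDK vs Oracle JDK switch point at. The script below is an added example, not code from the thread or from the NXT project: `probe()` does what abuelau did with s_client from Python, optionally pinned to one TLS version and with verification switched off in the spirit of `curl -k` so the handshake can be inspected, and `classify_s_client()` reads an s_client summary and says at which point the handshake stopped. The s_client text embedded at the bottom is constructed to match the one quoted above; the host and port in `__main__` are placeholders.

```python
"""Client-side TLS probe for a node's API port, plus a reader for the
`openssl s_client` summary quoted in the post above.

Added example, not code from the thread or from the NXT project. probe()
opens a TLS connection to host:port, optionally pinned to one protocol
version, and reports the negotiated version, cipher and certificate subject.
classify_s_client() reads s_client's closing summary and reports whether the
server rejected the client before or after presenting its certificate.
"""
import re
import socket
import ssl
import sys
from typing import Dict, Optional


def probe(host: str, port: int = 7876, version: Optional[ssl.TLSVersion] = None,
          verify: bool = True, timeout: float = 5.0) -> Dict[str, object]:
    """Handshake with host:port and describe the outcome instead of raising.

    verify=False is the equivalent of `curl -k`: the traffic is still encrypted
    but the certificate is not checked, which is acceptable for diagnosing a
    handshake and for nothing else.
    """
    try:
        ctx = ssl.create_default_context()
        if version is not None:                    # pin a single protocol version
            ctx.minimum_version = ctx.maximum_version = version
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert() or {}      # {} when verify=False
                subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "subject_cn": subject.get("commonName")}
    except (ssl.SSLError, OSError, ValueError) as exc:
        return {"ok": False, "error": str(exc)}


_HANDSHAKE_BYTES = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")


def classify_s_client(summary: str) -> Dict[str, object]:
    """Read the closing summary of `openssl s_client` and say where it stopped."""
    m = _HANDSHAKE_BYTES.search(summary)
    read, written = (int(m.group(1)), int(m.group(2))) if m else (-1, -1)
    got_cert = "no peer certificate available" not in summary
    failed = "handshake failure" in summary or "Cipher is (NONE)" in summary
    if not failed:
        stage = "handshake completed"
    elif not got_cert and read == 0:
        # The client sent its hello (written > 0) and the server answered with
        # nothing, not even an alert: most likely it rejected the offered
        # protocol versions or cipher suites, so the keystore is not the place
        # to look; the server-side javax.net.debug log shows the reason.
        stage = "rejected before ServerHello"
    elif not got_cert:
        stage = "aborted before certificate"
    else:
        stage = "failed after certificate"
    return {"bytes_read": read, "bytes_written": written,
            "peer_certificate": got_cert, "stage": stage}


# Constructed to match the s_client summary quoted in the post.
S_CLIENT_FAILURE = """\
CONNECTED(00000003)
140060727989952:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
"""

if __name__ == "__main__":
    print(classify_s_client(S_CLIENT_FAILURE))
    if len(sys.argv) > 1:                   # python tlsprobe.py node.example.org 7876
        host = sys.argv[1]                  # placeholder: your node's FQDN
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 7876
        for v in (None, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1):
            print(v, probe(host, port, version=v, verify=False))
```

Run the probe from the same machine and client stack that fails (here the Ubuntu box with OpenSSL-linked curl) and from one that works; a version pin that succeeds from one and fails from the other narrows the problem to the version/cipher negotiation, which is exactly what the server-side `-Djavax.net.debug=all` log comparison suggested later in the thread confirms.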

Riker (Core Dev, Hero Member, Karma: +439/-42, Posts: 1790)
Re: Setting up SSL/Https on a public node
« Reply #11 on: December 13, 2014, 07:34:23 pm »

I need you to enable the -Djavax.net.debug=all on the server side and compare the server side logs between successful and unsuccessful connections. Let's compare curl with NSS (successful) to curl with OpenSSL (unsuccessful) to browser (successful).

To do that, edit run.sh and add the -Djavax.net.debug=all flag to the Java command line after the Java command.

Here is an example from my VPS node:
java -Djavax.net.debug=all -cp classes:lib/*:conf nxt.Nxt

On Windows edit run.bat and add this flag the same way to the relevant Java command line.

The resulting log messages are printed to the standard output so make sure you redirect it to a log file.
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

abuelau (Sr. Member, Karma: +74/-1, Posts: 461, mynxt.info)
Re: Setting up SSL/Https on a public node
« Reply #12 on: December 13, 2014, 10:56:42 pm »

Quote from: Riker on December 13, 2014, 07:34:23 pm
I need you to enable the -Djavax.net.debug=all on the server side and compare the server side logs between successful and unsuccessful connections. Let's compare curl with NSS (successful) to curl with OpenSSL (unsuccessful) to browser (successful).

To do that, edit run.sh and add the -Djavax.net.debug=all flag to the Java command line after the Java command.

Here is an example from my VPS node:
java -Djavax.net.debug=all -cp classes:lib/*:conf nxt.Nxt

On Windows edit run.bat and add this flag the same way to the relevant Java command line.

The resulting log messages are printed to the standard output so make sure you redirect it to a log file.

Hi, I sent a message to you with the logs.

Riker (Core Dev, Hero Member, Karma: +439/-42, Posts: 1790)
Re: Setting up SSL/Https on a public node
« Reply #13 on: December 14, 2014, 07:04:50 am »

Answer sent
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

abuelau (Sr. Member, Karma: +74/-1, Posts: 461, mynxt.info)
Re: Setting up SSL/Https on a public node
« Reply #14 on: December 14, 2014, 01:26:03 pm »

And problem solved.

I switched from Open JDK to Oracle JDK 8 and now it works. :)

Thank you very much Lyaffe!

HCLivess (Hero Member, Karma: +121/-47, Posts: 521, Hardcore Gaming CEO)
Re: Setting up SSL/Https on a public node
« Reply #15 on: June 02, 2015, 10:40:33 am »

Is there a way to configure self-signed SSL for 1.5.9? I am getting an error (no data) when attempting to connect.
Producing, Lending, Mining, Trading, Forging, Staking

Riker (Core Dev, Hero Member, Karma: +439/-42, Posts: 1790)
Re: Setting up SSL/Https on a public node
« Reply #16 on: June 02, 2015, 02:49:54 pm »

Quote from: HCLivess on June 02, 2015, 10:40:33 am
Is there a way to configure self-signed SSL for 1.5.9? I am getting an error (no data) when attempting to connect.

This should work, did you follow the instructions? Which settings do you have in your nxt.properties? Which browser are you using?
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

lopalcar (Hero Member, Karma: +99/-15, Posts: 561)
Re: Setting up SSL/Https on a public node
« Reply #17 on: June 02, 2015, 03:51:48 pm »

Quote from: HCLivess on June 02, 2015, 10:40:33 am
Is there a way to configure self-signed SSL for 1.5.9? I am getting an error (no data) when attempting to connect.

I have the same problem as explained in the last posts here: https://nxtforum.org/security/nxt-client-over-internet/
Using internet explorer it works...but...you know... In chrome instead of no data error, I get ERR_CONNECTION_CLOSED
If someone knows how to make it work would be nice :)

lurker10 (Hero Member, Karma: +168/-33, Posts: 1334)
Re: Setting up SSL/Https on a public node
« Reply #18 on: June 02, 2015, 04:00:40 pm »

Quote from: HCLivess on June 02, 2015, 10:40:33 am
Is there a way to configure self-signed SSL for 1.5.9? I am getting an error (no data) when attempting to connect.

Quote from: lopalcar on June 02, 2015, 03:51:48 pm
I have the same problem as explained in the last posts here: https://nxtforum.org/security/nxt-client-over-internet/
Using internet explorer it works...but...you know... In chrome instead of no data error, I get ERR_CONNECTION_CLOSED
If someone knows how to make it work would be nice :)

Chrome specific bug?
https://nxtforum.org/index.php?topic=9215.msg180518#msg180518
Run a node - win a prize! "Lucky node" project jar: NXT-8F28-EDVE-LPPX-HY4E7

HCLivess (Hero Member, Karma: +121/-47, Posts: 521, Hardcore Gaming CEO)
Re: Setting up SSL/Https on a public node
« Reply #19 on: June 02, 2015, 08:07:43 pm »

Quote from: HCLivess on June 02, 2015, 10:40:33 am
Is there a way to configure self-signed SSL for 1.5.9? I am getting an error (no data) when attempting to connect.

Quote from: lopalcar on June 02, 2015, 03:51:48 pm
I have the same problem as explained in the last posts here: https://nxtforum.org/security/nxt-client-over-internet/
Using internet explorer it works...but...you know... In chrome instead of no data error, I get ERR_CONNECTION_CLOSED
If someone knows how to make it work would be nice :)

Quote from: lurker10 on June 02, 2015, 04:00:40 pm
Chrome specific bug?
https://nxtforum.org/index.php?topic=9215.msg180518#msg180518

Looks like it, thanks for tracking!
Producing, Lending, Mining, Trading, Forging, Staking