libmicrohttpd

Re: [libmicrohttpd] Problems with SSL/TLS


From: Christian Grothoff
Subject: Re: [libmicrohttpd] Problems with SSL/TLS
Date: Tue, 5 Jan 2010 16:37:37 +0100
User-agent: KMail/1.12.2 (Linux/2.6.31-14-generic; KDE/4.3.4; i686; ; )

Dear Jesse,

I've just tried this myself, and it worked as expected.  I first used openssl 
to generate the KEY, PEM and CERT files:

$ cd svn/libmicrohttpd/doc/examples/
$ openssl genrsa 1024 > server.key
$ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key > server.cert
$ cat server.cert server.key > server.pem

Then I compiled the example

$ gcc -o fs tlsauthentication.c -I ~/include/ -I ../../src/include/ -I ../.. -I ../daemon/https/ -lmicrohttpd

Started fs

$ ./fs 

and then accessed https://localhost:8888/ using firefox (3.5.6).  It "warned" 
me about the self-signed cert (also attached for your reference), I confirmed 
that I knew what I was doing, then was prompted for username & password 
(entered those from the source code) and then got the "secret" page.

So I cannot confirm your problem.  This was on Ubuntu GNU/linux (karmic) using 
the example as given in SVN HEAD.

I hope this helps...

Best,

Christian


On Monday 04 January 2010 05:27:10 pm Jesse Anderton wrote:
> I'm still struggling with this.  I can't get the code example from
> http://www.gnu.org/software/libmicrohttpd/tutorial.html#tlsauthentication_002ec
> working with either MHD_USE_SELECT_INTERNALLY or MHD_USE_THREAD_PER_CONNECTION:
> the program compiles and launches, but any browser I try to connect with waits
> indefinitely.  If I kill the server the browsers immediately give up, so I
> know they have an open socket to the server.
> 
> Does anybody have a working TLS example I could start from?  I'm almost out
> of time to add TLS to my web server, but I'd strongly prefer to use
> libmicrohttpd's built in support instead of re-implementing the feature in
> my own custom select handler.
> 
> Thanks for your time,
> 
> Jesse
> 
> On Thu, Dec 24, 2009 at 12:16 PM, Jesse Anderton <address@hidden> wrote:
> > Christian,
> >
> > I decided to start with the example in the tutorial at
> > http://www.gnu.org/software/libmicrohttpd/tutorial.html#tlsauthentication_002ec
> > and incrementally change it until the code is set up the way I need
> > it for my program.  To my surprise, the tutorial itself didn't work -
> > Chrome reports:
> >
> > Error 107 (net::ERR_SSL_PROTOCOL_ERROR): Unknown error
> >
> > IE simply says it couldn't load the page.
> >
> > This makes me think that my problem is more likely caused by, say, the
> > version of libgcrypt I'm using.  I get the same error in both Linux and
> > Solaris, so it seems unlikely to be one of the other system libraries I'm
> > linking to.
> >
> > Any idea which version of libgcrypt the code was tested with?
> >
> > Thanks,
> >
> > Jesse Anderton
> >
> > On Wed, Dec 23, 2009 at 1:42 PM, Christian Grothoff <address@hidden> wrote:
> >> Dear Jesse,
> >>
> >> poll support was added after 0.4.4 (see ChangeLog).  The version
> >> constant in SVN HEAD will be updated once we make the next release to
> >> allow for an easy test for this feature.
> >>
> >> And no, you do not need MHD_USE_POLL for MHD_USE_SELECT_INTERNALLY.
> >>
> >> Best,
> >>
> >> Christian
> >>
> >> On Wednesday 23 December 2009 15:27:01 Jesse Anderton wrote:
> >> > Christian,
> >> >
> >> > Thanks for your advice!  I tried replacing MHD_USE_SELECT_INTERNALLY
> >> > with MHD_USE_THREAD_PER_CONNECTION and it failed with a different
> >> > error. Do I need to use this in conjunction with MHD_USE_POLL?  If so,
> >> > do you know whether this option is only available in the development
> >> > version of libmicrohttpd, or whether it's an option for configure to
> >> > find?  It isn't defined in my copy of microhttpd.h, but my copy has the
> >> > same value for MHD_VERSION as the version in the documentation at
> >> > http://www.gnu.org/software/libmicrohttpd/doxygen/dc/d0c/microhttpd_8h_source.html
> >> > (which does include MHD_USE_POLL).  That is, both contain the line:
> >> > #define MHD_VERSION 0x00040400
> >> >
> >> >
> >> > Thanks again,
> >> >
> >> > Jesse Anderton
> >> >
> >> > On Tue, Dec 22, 2009 at 9:56 AM, Christian Grothoff <address@hidden> wrote:
> >> > > SSL support is known to be not playing nicely with select -- this is
> >> > > largely an issue with gnuTLS and its API.  Until this is fixed, try
> >> > > using the thread-per-connection mode and most likely it'll work.
> >> > >
> >> > > Best,
> >> > >
> >> > > Christian
> >> > >
> >> > > On Monday 21 December 2009 19:34:21 Jesse Anderton wrote:
> >> > > > I have just started using libmicrohttpd, and can't seem to get the
> >> > > > SSL support working.  It may contribute to the problem that the
> >> > > > library is not retrying gnutls_handshake() when it returns
> >> > > > GNUTLS_E_AGAIN, as suggested in the documentation at
> >> > > > http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_005fhandshake,
> >> > > > but it seems likely that I'm making a mistake somewhere.
> >> > > >
> >> > > > I am using the following library versions:
> >> > > > * libmicrohttpd - 0.4.4
> >> > > > * libgcrypt - 1.4.4
> >> > > > * libgpg-error - 1.7
> >> > > >
> >> > > > I am using a wrapper class in C++ to invoke libmicrohttpd.  My
> >> > > > code to start up the daemon is:
> >> > > >
> >> > > >     // std::string _httpsKey = contents of a RSA private key
> >> > > >     // std::string _httpsCertificate = contents of a certificate for _httpsKey
> >> > > >     _daemon = MHD_start_daemon( MHD_USE_SELECT_INTERNALLY  // We don't need to implement our own select
> >> > > >                               | MHD_USE_DEBUG              // Output messages to the errorCallback
> >> > > >                               | ( _httpsKey.empty() ? 0 : MHD_USE_SSL )  // Enable SSL/TLS if so requested
> >> > > >                               , port
> >> > > >                               , &webClientAuthCallback, this
> >> > > >                               , &webCallback, this
> >> > > >                               , MHD_OPTION_THREAD_POOL_SIZE, _options[ THREAD_POOL_SIZE ]
> >> > > >                               , MHD_OPTION_CONNECTION_LIMIT, _options[ CONNECTION_LIMIT ]
> >> > > >                               , MHD_OPTION_PER_IP_CONNECTION_LIMIT, _options[ PER_IP_CONNECTION_LIMIT ]
> >> > > >                               , MHD_OPTION_CONNECTION_TIMEOUT, _options[ CONNECTION_TIMEOUT ]
> >> > > >                               , MHD_OPTION_URI_LOG_CALLBACK, uriLogCallback, this
> >> > > >                               , MHD_OPTION_EXTERNAL_LOGGER, webErrorCallback, this
> >> > > >                               , MHD_OPTION_HTTPS_MEM_KEY, _httpsKey.c_str()
> >> > > >                               , MHD_OPTION_HTTPS_MEM_CERT, _httpsCertificate.c_str()
> >> > > >                               , MHD_OPTION_END );
> >> > > >
> >> > > > I am also using HTTP basic auth in webCallback(), using code very
> >> > > > similar to that in the tutorial which has been proven to work
> >> > > > without using TLS.
> >> > > >
> >> > > > The private key and certificate were both generated by the
> >> > > > commands listed in the libmicrohttpd tutorial:
> >> > > > openssl genrsa -out server.key 1024
> >> > > > openssl req -days 365 -out server.pem -new -x509 -key server.key
> >> > > >
> >> > > > If I fetch a page with a URL like https://host:port/some/file.html
> >> > > > I get the following messages in webErrorCallback():
> >> > > >
> >> > > > Google Chrome 4.0.249.30:
> >> > > > Error: Handshake has failed (-28)
> >> > > > Error: Handshake has failed (-28)
> >> > > > Error: unrecognized TLS message type: 0, connection state: secure
> >> > > > connection init. l: 254, f: MHD_tls_connection_handle_read
> >> > > >
> >> > > > Mozilla Firefox 3.5.5:
> >> > > > Error: unrecognized TLS message type: 128, connection state:
> >> > > > secure connection init. l: 254, f: MHD_tls_connection_handle_read
> >> > > >
> >> > > > Microsoft Internet Explorer 6.0:
> >> > > > Error: unrecognized TLS message type: 128, connection state:
> >> > > > secure connection init. l: 254, f: MHD_tls_connection_handle_read
> >> > > >
> >> > > > Note that -28 is the value of GNUTLS_E_AGAIN.
> >> > > >
> >> > > > Can anyone offer a hand?
> >> > > >
> >> > > > Thanks for your time,
> >> > > >
> >> > > > Jesse Anderton
> >> > >
> >> > > --
> >> > > http://grothoff.org/christian/
> >>
> >> --
> >> http://grothoff.org/christian/
> 

Attachment: server.pem
Description: application/x509-ca-cert

Attachment: server.key
Description: Text Data

Attachment: server.cert
Description: application/x509-ca-cert
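Christian's recipe above (openssl genrsa, then openssl req -new -x509, then cat the cert and key into one file) can be checked end to end without a browser. The following Python is an added example, not code from libmicrohttpd or from anyone in this thread: it runs the same two openssl steps (with 2048-bit RSA and SHA-256 in place of the 1024-bit / SHA-1 parameters of 2010, which are no longer acceptable), writes the combined PEM in the same cert-then-key order, then starts a one-shot TLS server from that PEM and connects to it with a client that trusts only the generated certificate. The function names, the /CN=localhost subject and the loopback port are my choices; the only dependency assumed beyond the standard library is an openssl binary on PATH.

```python
"""Generate a self-signed key/cert pair with openssl, combine them the way the
thread does, and prove the pair completes a TLS handshake before a server
such as libmicrohttpd is pointed at it.  Added example, not libmicrohttpd code.
Assumes an `openssl` binary on PATH; nothing else outside the standard library.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def generate_self_signed(directory, common_name="localhost", bits=2048, days=365):
    """The thread's two openssl steps (key, then self-signed cert), with
    2048-bit RSA / SHA-256 in place of the 1024-bit / SHA-1 of 2010.
    Returns the key, cert and combined pem paths (cert first, then key)."""
    key = os.path.join(directory, "server.key")
    cert = os.path.join(directory, "server.cert")
    pem = os.path.join(directory, "server.pem")
    subprocess.run(["openssl", "genrsa", "-out", key, str(bits)],
                   check=True, capture_output=True)
    os.chmod(key, 0o600)  # the key is unencrypted (-nodes); keep it private
    subprocess.run(["openssl", "req", "-new", "-x509", "-nodes", "-sha256",
                    "-days", str(days), "-key", key,
                    "-subj", "/CN=" + common_name, "-out", cert],
                   check=True, capture_output=True)
    with open(pem, "wb") as out:
        for part in (cert, key):  # same order as `cat server.cert server.key`
            with open(part, "rb") as src:
                out.write(src.read())
    return {"key": key, "cert": cert, "pem": pem}


def tls_handshake_check(pem_path, cert_path, timeout=5.0):
    """One-shot TLS server on 127.0.0.1 loaded from the combined pem, plus a
    client that trusts only cert_path.  Returns what the client negotiated
    and what the server thread saw."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(pem_path)  # cert and key read from one file

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.load_verify_locations(cafile=cert_path)
    client_ctx.check_hostname = False  # self-signed test cert; chain still verified
    client_ctx.verify_mode = ssl.CERT_REQUIRED

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # any free loopback port
    listener.listen(1)
    listener.settimeout(timeout)
    port = listener.getsockname()[1]
    server_seen = {}

    def serve_once():
        try:
            conn, _ = listener.accept()
            conn.settimeout(timeout)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                server_seen["version"] = tls.version()
                server_seen["request"] = tls.recv(1024)
                tls.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except Exception as exc:  # surface server-side handshake failures
            server_seen["error"] = repr(exc)
        finally:
            listener.close()

    thread = threading.Thread(target=serve_once, daemon=True)
    thread.start()

    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
        result = {"version": tls.version(), "cipher": tls.cipher()[0],
                  "peer_cert_der": tls.getpeercert(binary_form=True)}
        tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
        result["reply"] = tls.recv(1024)
    thread.join(timeout)
    result["server"] = server_seen
    return result


def run_demo():
    """Generate the pair in a temporary directory and prove it handshakes.
    Returns {"skipped": True} when no openssl binary is available."""
    if shutil.which("openssl") is None:
        return {"skipped": True}
    with tempfile.TemporaryDirectory() as tmp:
        paths = generate_self_signed(tmp)
        result = tls_handshake_check(paths["pem"], paths["cert"])
        with open(paths["cert"]) as f:
            expected_der = ssl.PEM_cert_to_DER_cert(f.read())
        # the server must present exactly the cert we generated
        result["cert_matches"] = result["peer_cert_der"] == expected_der
        result["ok"] = (result["cert_matches"]
                        and "error" not in result["server"]
                        and result["reply"].startswith(b"HTTP/1.0 200"))
        return result


if __name__ == "__main__":
    r = run_demo()
    print({k: v for k, v in r.items() if k != "peer_cert_der"})
```

If this handshake completes but the daemon still fails, the key, the certificate and the combined file are not the problem, which narrows the search to the daemon flags (thread-per-connection versus select, as discussed in the thread) or to the library build itself.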
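The server-side log lines quoted in this thread ("unrecognized TLS message type: 128" and "... type: 0") report the first byte of the client's first message. As an added example (not code from libmicrohttpd or from anyone in this thread), the following Python decodes that first byte: a TLS record starts with a content type of 20 to 23 (22 is handshake, followed by a ClientHello), while a byte with the high bit set (0x80 = 128) is how an SSL 2.0-format record header begins, which is what a v2-compatible ClientHello looks like on the wire (RFC 5246, Appendix E.2); anything else is neither. The sample byte strings are constructed, not captured traffic, and the code does not claim to reproduce what the browsers in the thread actually sent.

```python
"""Decode the first bytes a client sends on a freshly accepted TLS socket.

Added example, not libmicrohttpd code.  The log lines quoted in the thread
give the first byte the server could not handle (128 and 0); this shows what
each possible first byte means on the wire.
"""

# Record-layer content types a TLS server may see as the very first byte.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HANDSHAKE_CLIENT_HELLO = 1  # TLS HandshakeType
SSLV2_CLIENT_HELLO = 1      # SSL 2.0 message type (RFC 5246, Appendix E.2)


def classify_client_first_bytes(data):
    """Return a dict describing what kind of hello `data` starts with."""
    if not data:
        return {"kind": "empty"}
    first = data[0]
    if first in TLS_CONTENT_TYPES:
        # TLS record header: type(1) | version(2) | length(2)
        info = {"kind": "tls_record", "content_type": first,
                "content_type_name": TLS_CONTENT_TYPES[first]}
        if len(data) < 5:
            info["truncated"] = True
            return info
        info["record_version"] = (data[1], data[2])
        info["record_length"] = int.from_bytes(data[3:5], "big")
        # Handshake body: type(1) | length(3) | client_version(2) | ...
        if first == 22 and len(data) >= 11 and data[5] == HANDSHAKE_CLIENT_HELLO:
            info["client_hello"] = True
            info["client_version"] = (data[9], data[10])
        return info
    if first & 0x80 and len(data) >= 3:
        # SSL 2.0 two-byte record header: high bit set, 15-bit length, then
        # the message type; a v2-compatible ClientHello carries the real
        # (TLS) client version in the next two bytes.
        info = {"kind": "sslv2_record",
                "record_length": ((first & 0x7F) << 8) | data[1],
                "msg_type": data[2],
                "client_hello": data[2] == SSLV2_CLIENT_HELLO}
        if info["client_hello"] and len(data) >= 5:
            info["client_version"] = (data[3], data[4])
        return info
    # Neither a TLS content type nor an SSLv2 header: plaintext HTTP on the
    # TLS port, garbage, or a buffer that was never filled.
    return {"kind": "unknown", "first_byte": first}


# Constructed samples (not captured traffic): the leading bytes of a TLS 1.0
# ClientHello, of an SSLv2-format (v2-compatible) ClientHello announcing
# TLS 1.0, of a plaintext HTTP request, and of an all-zero buffer.
SAMPLES = {
    "tls_client_hello": bytes.fromhex("160301002f0100002b0301"),
    "sslv2_compat_hello": bytes.fromhex("802e010301"),
    "plaintext_http": b"GET / HTTP/1.0\r\n",
    "zeros": bytes(8),
}


def describe(data):
    """One-line summary, the shape a server log line ought to have."""
    info = classify_client_first_bytes(data)
    if info["kind"] == "tls_record":
        ver = info.get("client_version", info.get("record_version"))
        return "TLS %s, client version %s" % (info["content_type_name"], ver)
    if info["kind"] == "sslv2_record":
        return "SSLv2-format record, msg_type %d, client version %s" % (
            info["msg_type"], info.get("client_version"))
    return "%s (first byte %s)" % (info["kind"], info.get("first_byte"))


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print("%-20s %s" % (name, describe(sample)))
```

A server that logs only "unrecognized TLS message type: N" leaves the reader to decode N by hand; logging the classification above (and the first few bytes in hex) is enough to tell a v2-format hello from plaintext on the TLS port or from an empty read.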

