Saturday, November 24, 2007

HTTP Server - SSL/TLS Encryption

We've already introduced our open source embedded HTTP server. (See Post)

We also showed how to extend the server to add support for password protection. (See Post)

Today we're going to show how to enable SSL/TLS encryption of traffic over the server.

Note: If you're not completely familiar with HTTPS and/or TLS encryption, check out wikipedia (1, 2) or other good sources for more information.

The first thing a server needs in order to support SSL/TLS is, of course, a public key certificate. For production use it needs to be signed by a trusted certificate authority (such as VeriSign). Check out the keychain application for an easy way to do all of this; the keychain in Leopard even appears to have tools to request a certificate from an authority. However, that takes time and money. For testing purposes we can simply create a self-signed certificate (clients will not trust it without being told to, which is fine for testing). But don't bother doing it now, because I already wrote code to automatically create a self-signed certificate and add it to the keychain. It's all within the sample code, and ready to go.

So now that we have our public key certificate, it's a snap to secure our HTTP server. Simply extend the server, and override 2 methods:

- (BOOL)isSecureServer;
- (NSArray *)sslIdentityAndCertificates;

And that's all there is to it!
The first method simply returns YES, and the second method pulls the proper identity from the keychain.

Included in the sample code is a file called DDKeychain which contains the following methods:

+ (NSString *)passwordForHTTPServer;
+ (BOOL)setPasswordForHTTPServer:(NSString *)password;

+ (void)createNewIdentity;
+ (NSArray *)SSLIdentityAndCertificates;

The first two allow you to easily store and retrieve a password in the keychain. This is a secure way of storing sensitive information, since the password is never kept in plain text in your own files.

The 3rd method shows how to automatically create a self-signed certificate and add it to the keychain.
The 4th method shows how to retrieve a public key certificate (identity) from the keychain.
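Putting the two overrides and the DDKeychain methods together, here is what the secured subclass looks like. This is an added example, not the post's sample code; it assumes the base class is named HTTPServer and uses only the DDKeychain methods listed above.

```objectivec
// Added example (not the post's sample code): a subclass of the embedded
// server that turns on TLS using the two overrides described in the post.
// Assumptions: the base class is named HTTPServer, and DDKeychain exposes
// the class methods listed in the post.
#import <Foundation/Foundation.h>
#import "HTTPServer.h"
#import "DDKeychain.h"

@interface SecureHTTPServer : HTTPServer
@end

@implementation SecureHTTPServer

// Tells the server to wrap every connection in SSL/TLS.
- (BOOL)isSecureServer
{
    return YES;
}

// Returns the identity (private key plus certificate) the server presents
// to clients. If the keychain holds no identity yet, a self-signed one is
// created first. Self-signed certificates are for testing only: clients
// will warn about them, and a real deployment needs a CA-signed certificate.
- (NSArray *)sslIdentityAndCertificates
{
    NSArray *identity = [DDKeychain SSLIdentityAndCertificates];
    if ([identity count] == 0)
    {
        [DDKeychain createNewIdentity];
        identity = [DDKeychain SSLIdentityAndCertificates];
    }
    return identity;
}

@end
```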

Download the full source code here.

With support for TLS encryption and digest access authentication, one could use this to make a very secure embedded server.

1 comment:

ssl encryption said...

Thank you so much for your help, I really appreciate the posts you write and they have helped me a lot in what I've been trying to do. I look forward to your future posts, thanks again for the invaluable tips Robbie.