https support; call for testers

https support; call for testers

Michael Van Canneyt

Hello,

I've just committed support for SSL in the ssockets unit of FPC.
I also made the OpenSSL unit more thread-safe.

One consequence of this is that the fphttpclient unit now has support
for the https:// protocol.

I have tested on windows and unix, the support for client-side SSL support works.
Server-side support (as could be done in the embedded httpserver) is not yet tested.

I would like to invite people to test and report if they find problems or missing
features.

That this support is released around the same time as the heartbleed leak issue,
is entirely coincidental and definitely not intended.

Michael.
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

Re: https support; call for testers

Reinier Olislagers
On 11/04/2014 15:00, Michael Van Canneyt wrote:
> One consequence of this is that the fphttpclient unit now has support
> for the https:// protocol.
<snip>
> I have tested on windows and unix, the support for client-side SSL
> support works.
>
> I would like to invite people to test and report if they find problems
> or missing features.
Thanks a lot - I'll test client side encryption against a CGI
application on Apache... almost posted this morning asking whether
support was upcoming ;)

> That this support is released around the same time as the heartbleed
> leak issue,
> is entirely coincidental and definitely not intended.
Of course. I'll just make sure to use the proper openssl version when
traversing the big bad internet ;)

Re: https support; call for testers

Michael Van Canneyt


On Fri, 11 Apr 2014, Reinier Olislagers wrote:

> On 11/04/2014 15:00, Michael Van Canneyt wrote:
>> One consequence of this is that the fphttpclient unit now has support
>> for the https:// protocol.
> <snip>
>> I have tested on windows and unix, the support for client-side SSL
>> support works.
>>
>> I would like to invite people to test and report if they find problems
>> or missing features.
> Thanks a lot - I'll test client side encryption against a CGI
> application on Apache... almost posted this morning asking whether
> support was upcoming ;)

Well, I committed just in time then :)

>
>> That this support is released around the same time as the heartbleed
>> leak issue,
>> is entirely coincidental and definitely not intended.
> Of course. I'll just make sure to use the proper openssl version when
> traversing the big bad internet ;)

People that want to be 100% safe should pull out the internet cable,
and go sit in a Faraday cage. Watch 'enemy of the state' if you need convincing ;)

Michael.

Re: https support; call for testers

Dimitrios Chr. Ioannidis-2
In reply to this post by Michael Van Canneyt
Hi,

On 11/4/2014 4:00 PM, Michael Van Canneyt wrote:
> I've just committed support for SSL in the ssockets unit of FPC.
> I also made the OpenSSL unit more thread-safe.
<snip>
> I would like to invite people to test and report if they find problems
> or missing features.

The "Writeln(pchar(@buffer));" at line 417 in sslsockets I assume is a
leftover from debugging?

regards,

--
Dimitrios Chr. Ioannidis


Re: https support; call for testers

silvioprog

> Hello,
> I've just committed support for SSL in the ssockets unit of FPC.
> I also made the OpenSSL unit more thread-safe.
>
> One consequence of this is that the fphttpclient unit now has support
> for the https:// protocol.
>
> I have tested on windows and unix, the support for client-side SSL support
> works.
> Server-side support (as could be done in the embedded httpserver) is not yet
> tested.
>
> I would like to invite people to test and report if they find problems or
> missing features.
>
> That this support is released around the same time as the heartbleed leak issue,
> is entirely coincidental and definitely not intended.
>
> Michael.

Thanks a lot Michael! I'll test it in my new TDropbox class!

--
Silvio Clécio
My public projects - github.com/silvioprog

Re: https support; call for testers

Michael Van Canneyt
In reply to this post by Dimitrios Chr. Ioannidis-2


On Fri, 11 Apr 2014, Dimitrios Chr. Ioannidis wrote:

> Hi,
>
> On 11/4/2014 4:00 PM, Michael Van Canneyt wrote:
>> I've just committed support for SSL in the ssockets unit of FPC.
>> I also made the OpenSSL unit more thread-safe.
> <snip>
>> I would like to invite people to test and report if they find problems or
>> missing features.
>
> The "Writeln(pchar(@buffer));" at line 417 in sslsockets I assume is a
> leftover from debugging?
Yes. Removed, thanks for pointing it out.

Michael.

Re: https support; call for testers

Reinier Olislagers
In reply to this post by Reinier Olislagers
On 11/04/2014 15:27, Reinier Olislagers wrote:
> On 11/04/2014 15:00, Michael Van Canneyt wrote:
>> One consequence of this is that the fphttpclient unit now has support
>> for the https:// protocol.
> <snip>
>> I have tested on windows and unix, the support for client-side SSL
>> support works.
>>
>> I would like to invite people to test and report if they find problems
>> or missing features.

Windows Laz/FPC x86 client: just by replacing http with https in my URL,
making sure the openssl libraries are present. No problems with a remote
Linux x64 apache+fcl-web CGI server.

If you want to use client side certificates with httpclient, how would
you specify that?

PS: This:
  * Https support.
note in fphttpclient.pp can probably go...
PPS: If you're touching fcl-web anyway, perhaps you could implement
the patch in
http://bugs.freepascal.org/view.php?id=25940
Thanks

Re: https support; call for testers

Michael Van Canneyt


On Sun, 13 Apr 2014, Reinier Olislagers wrote:

> On 11/04/2014 15:27, Reinier Olislagers wrote:
>> On 11/04/2014 15:00, Michael Van Canneyt wrote:
>>> One consequence of this is that the fphttpclient unit now has support
>>> for the https:// protocol.
>> <snip>
>>> I have tested on windows and unix, the support for client-side SSL
>>> support works.
>>>
>>> I would like to invite people to test and report if they find problems
>>> or missing features.
>
> Windows Laz/FPC x86 client: just by replacing http with https in my URL,
> making sure the openssl libraries are present. No problems with a remote
> Linux x64 apache+fcl-web CGI server.
>
> If you want to use client side certificates with httpclient, how would
> you specify that?

I don't want to burden the component with too many properties.

So, I have implemented 2 methods:

1. The socket handler is now created in a virtual method:
    GetSocketHandler
    it can be overridden to implement custom behaviour.

2. There is an event OnGetSocketHandler which can be assigned to create the socket.
    the default GetSocketHandler calls this event, and if the event handler is not
    set or returns a Nil handler, it will create a default handler.

See if you can do it with this system, if not let me know what I would need to add.

> PS: This:
>  * Https support.
> note in fphttpclient.pp can probably go...

Done, rev 27571.

> PPS: If you're touching fcl-web anyway, perhaps could you implement
> the patch in
> http://bugs.freepascal.org/view.php?id=25940

Done, I have been staring myself blind at what could have caused this regression.
Thanks !!!

Michael.

Re: https support; call for testers

Reinier Olislagers
On 13/04/2014 22:29, Michael Van Canneyt wrote:

> On Sun, 13 Apr 2014, Reinier Olislagers wrote:
>> On 11/04/2014 15:27, Reinier Olislagers wrote:
>>> On 11/04/2014 15:00, Michael Van Canneyt wrote:
>> If you want to use client side certificates with httpclient, how would
>> you specify that?
>
> I don't want to burden the component with too many properties.
>
> So, I have implemented 2 methods:
>
> 1. The socket handler is now created in a virtual method:
>    GetSocketHandler
>    it can be overridden to implement custom behaviour.
>
> 2. There is an event OnGetSocketHandler which can be assigned to create
> the socket.
>    the default GetSocketHandler calls this event, and if the event
> handler is not
>    set or returns a Nil handler, it will create a default handler.

Suggest promoting OnGetSocketHandler to public:
Index: packages/fcl-web/src/base/fphttpclient.pp
===================================================================
--- packages/fcl-web/src/base/fphttpclient.pp   (revision 27579)
+++ packages/fcl-web/src/base/fphttpclient.pp   (working copy)
@@ -266,6 +266,7 @@
     Property OnPassword;
     Property OnDataReceived;
     Property OnHeaders;
+    Property OnGetSocketHandler;
   end;
   EHTTPClient = Class(Exception);
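Review bot: the covering text says "promoting OnGetSocketHandler to public", but the hunk adds `Property OnGetSocketHandler;` beside the re-declared `OnPassword`, `OnDataReceived` and `OnHeaders` events, and the visibility keyword of that section lies outside the three lines of context, so whether the intended section is public or published cannot be confirmed from the patch; state it in the description or widen the context. A bare property re-declaration like this also compiles only if the base class already declares `OnGetSocketHandler` at protected or higher visibility, which the hunk does not show, so mention the base-class declaration when submitting.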

I've tested with code like this in the callback:
  AHandler:=nil;
  if UseSSL and (FClientCertificate<>'') then
  begin
    // Only set up client certificate if needed.
    // If not, let normal fphttpclient flow create
    // required socket handler
    AHandler:=TSSLSocketHandler.Create;
    (AHandler as TSSLSocketHandler).Certificate.FileName:=FClientCertificate;
  end;
which seems to work fine (no crash, stepping through the code gave good
init) but I can't test further as I've misconfigured my server (can't
get it to accept client certs from browser either; probably need some
more fiddling with CA files)


Thanks!
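
A complete client program built on the hooks described in this exchange (the OnGetSocketHandler event, with the `Sender, UseSSL, out AHandler` signature used elsewhere in the thread), as an added example that is not part of the thread and not FPC's own code. It assumes the FPC 3.0-era fphttpclient/sslsockets units the thread discusses, that OnGetSocketHandler is reachable on TFPHTTPClient (as the patch above proposes), and that TSSLSocketHandler has a VerifyPeerCert property; the class name TClientCertSetup is invented for the example.

```pascal
program httpsclientcert;
{ Added example (not from the thread): TFPHTTPClient over https with a client
  certificate supplied through OnGetSocketHandler. Assumes FPC 3.0-era
  fphttpclient/sslsockets; VerifyPeerCert is an assumed property name. }
{$mode objfpc}{$H+}

uses
  SysUtils, Classes, ssockets, sslsockets, fphttpclient;

type
  { Holds the certificate locations; the event must be a method of an object }
  TClientCertSetup = class
  private
    FCertFile, FKeyFile, FCAFile: String;
  public
    constructor Create(const ACertFile, AKeyFile, ACAFile: String);
    { Same parameter list as the TGetSocketHandlerEvent shown in the thread }
    procedure GetSocketHandler(Sender: TObject; const UseSSL: Boolean;
      out AHandler: TSocketHandler);
  end;

constructor TClientCertSetup.Create(const ACertFile, AKeyFile, ACAFile: String);
begin
  inherited Create;
  FCertFile := ACertFile;
  FKeyFile := AKeyFile;
  FCAFile := ACAFile;
end;

procedure TClientCertSetup.GetSocketHandler(Sender: TObject;
  const UseSSL: Boolean; out AHandler: TSocketHandler);
var
  H: TSSLSocketHandler;
begin
  AHandler := nil;              // nil: fphttpclient creates its default handler
  if not UseSSL then Exit;      // plain http: nothing to set up
  if FCertFile = '' then Exit;  // https without a client cert: default suffices
  H := TSSLSocketHandler.Create;
  H.Certificate.FileName := FCertFile;
  if FKeyFile <> '' then
    H.PrivateKey.FileName := FKeyFile     // key kept in its own PEM file
  else
    H.PrivateKey.FileName := FCertFile;   // key bundled in the certificate PEM
  if FCAFile <> '' then
  begin
    H.CertCA.FileName := FCAFile;   // CA bundle used to check the server
    H.VerifyPeerCert := True;       // assumed property: reject unknown servers
  end;
  AHandler := H;
end;

{ Usage: httpsclientcert URL [cert.pem [key.pem [ca.pem]]] }
var
  Setup: TClientCertSetup;
  Client: TFPHTTPClient;
  Body: String;
begin
  Setup := TClientCertSetup.Create(ParamStr(2), ParamStr(3), ParamStr(4));
  Client := TFPHTTPClient.Create(nil);
  try
    Client.OnGetSocketHandler := @Setup.GetSocketHandler;
    Body := Client.Get(ParamStr(1));
    Writeln('HTTP ', Client.ResponseStatusCode, ': ', Length(Body), ' bytes');
  finally
    Client.Free;
    Setup.Free;
  end;
end.
```

Returning nil from the event keeps the stock behaviour for http and for https without a client certificate, so the handler only takes over the socket when it actually has something to configure; the CA file is what lets the client tell the real server from an impostor, so it is worth supplying even when no client certificate is involved.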

Re: https support; call for testers

sami
In reply to this post by Michael Van Canneyt
Hi to all.

Michael Van Canneyt wrote:
> I have tested on windows and unix, the support for client-side SSL support works.
> Server-side support (as could be done in the embedded httpserver) is not yet tested.

I could not find how to enable server-side support for https on fphttpserver/fpcustomhttpserver;
there's no OnGetSocketHandler event on it.

How do I enable https support on fpHttpServer?

Re: https support; call for testers

leledumbo
Administrator
> I could not find how to enable server-side support for https on fphttpserver/fpcustomhttpserver;
> there's no OnGetSocketHandler event on it.
>
> How do I enable https support on fpHttpServer?

You can't yet, the support is still in fphttpclient only for now.

Re: https support; call for testers

sami
leledumbo wrote:
> You can't yet, the support is still in fphttpclient only for now.

Can I implement it just like in fpHttpClient and upload a patch?

Or is the server side more complicated, or does it need a different approach than the client side?

In fact I'm trying to write a more complete server that can listen on http and https (keeping user sessions)
and more functions, but I'm not too experienced in web programming and concepts.

Following this thread http://forum.lazarus.freepascal.org/index.php?topic=25433.0, I could write a server with a thread pool,
which improved performance a lot.

If someone is interested I can share the code and contribute some functionality,
but I need someone to guide my steps, starting with https support.

My final target is a multi-tenancy server for a SaaS provider.

Re: https support; call for testers

Michael Van Canneyt


On Thu, 27 Aug 2015, sami wrote:

> leledumbo wrote
>> You can't yet, the support is still in fphttpclient only for now.
>
> Can I implement it just like in fpHttpClient and upload a patch?
>
> Or is the server side more complicated, or does it need a different approach than
> the client side?

You can try. But it is more complicated, since you will need to make provisions
for adding a certificate.

> In fact I'm trying to write a more complete server that can listen on http and
> https (keeping user sessions)
> and more functions, but I'm not too experienced in web programming and
> concepts.
>
> Following this thread
> http://forum.lazarus.freepascal.org/index.php?topic=25433.0, I could
> write a server with a thread pool,
> which improved performance a lot.
>
> If someone is interested I can share the code and contribute some
> functionality,
> but I need someone to guide my steps, starting with https support.
Ask questions, I will do my best to answer that.

Michael.

Re: https support; call for testers

sami
Thanks,

Let me learn more about server (and client) certificates so as not to waste your time with dummy questions. I'll try to study sample code from other open source web frameworks; I think it can help.

See you later.

Re: https support; call for testers

sami
In reply to this post by Michael Van Canneyt
Hi all,

I'm following the same idea as fpHttpClient, using an event to handle the creation of
TSSLSocketHandler for fpHttpServer.

The event handler was implemented this way:

procedure TForm1.sockHandleEvent(Sender: TObject; const UseSSL: Boolean; out
  aHandler: TSocketHandler);
var
  h: TSSLSocketHandler;
begin
  aHandler := nil;
  if UseSSL then
  begin
    h := TSSLSocketHandler.Create;
    // h.RemoteHostName:= ????;
    h.SSLType := stTLSv1;
    h.CertCA.FileName := 'c:\ca_certificate.pem';
    h.Certificate.FileName := 'c:\certificate.pem';
    h.PrivateKey.FileName := 'c:\privatekey.pem';
    // h.KeyPassword := ????;
    // h.PFX.FileName := 'cert.pfx'; / if exists
    aHandler := h;
  end;
end;

It works without errors and I can put the server into StartAccepting for incoming connections.

But when an https request arrives, I get a SIGSEGV error
in the TSSLSocketHandler.Accept method,
line 379 = "Result:=CheckSSL(FSSL.setfd(Socket.Handle));"
because Socket is NIL. Looking at the code, I could not find
where the TSSLSocketHandler.Socket property would be set.

function TSSLSocketHandler.Accept: Boolean;

begin
  Result:=InitContext(True);
  if Result then
    begin
    Result:=CheckSSL(FSSL.setfd(Socket.Handle)); // here Socket is NIL = SIGSEGV
    if Result then
      Result:=CheckSSL(FSSL.Accept);
    end;
  FSSLActive:=Result;
end;

So I need some help on this.

Thanks.

Re: https support; call for testers

sami
In reply to this post by Michael Van Canneyt
Hi Again,

I made it work but I'm still having problems.

There are two patches attached for ssockets.pp and fphttpserver.pp.

Using TSSLSocketHandler worked, but I think it is not for use with concurrency.

TSSLSocketHandler uses an FSSL: TSSL object that is freed at the end of every connection.

If there are two or more concurrent connections it crashes with SIGSEGV because FSSL = nil on line 436:

  Result:=FSSL.Read(@Buffer ,Count);

Ideas on how to make TSSLSocketHandler work with concurrency?

Thanks.
fphttpserver.patch
ssockets.patch

Re: https support; call for testers

Michael Van Canneyt


On Wed, 2 Sep 2015, sami wrote:

> Hi Again,
>
> I made it work but I'm still having problems.
>
> There are two patches attached for ssockets.pp and fphttpserver.pp.
>
> Using TSSLSocketHandler worked, but I think it is not for use with
> concurrency.
>
> TSSLSocketHandler uses an FSSL: TSSL object that is freed at the end of every
> connection.
>
> If there are two or more concurrent connections it crashes with SIGSEGV because
> FSSL = nil on line 436:
>
>  Result:=FSSL.Read(@Buffer ,Count);
>
> Ideas on how to make TSSLSocketHandler work with concurrency?
We'll need to introduce some extra argument to control the freeing of the FSSL.

>
> Thanks.
> fphttpserver.patch
> <http://free-pascal-general.1045716.n5.nabble.com/file/n5722526/fphttpserver.patch>
> ssockets.patch
> <http://free-pascal-general.1045716.n5.nabble.com/file/n5722526/ssockets.patch>

Thanks for the patch. I'll see about integrating this ASAP.

Michael.