Thoughts about happstack-server + SSL


Jeremy Shaw

Feb 8, 2012, 11:42:50 AM
to HAppS
Hello,

The current SSL implementation in happstack-server has three issues:

 1. it is difficult to install the cryptopp libraries on some platforms (OS X, and probably Win32 as well)
 2. there is no way to serve only SSL
 3. there is no way to depend on a version of happstack-server that has SSL enabled

One solution to this would be to move the SSL code into a new package like happstack-server-ssl, and create a new function, simpleHTTPS, which starts an SSL-only server. If you want http and https you can just do:

> do http  <- forkIO $ simpleHTTP  nullConf httpParts
>    https <- forkIO $ simpleHTTPS sslConf  httpsParts
>    waitForTermination
>    killThread http
>    killThread https

This doesn't make it any easier to install cryptopp on OS X, but it does mean that you only have to install that library if you actually want SSL. And you don't have to use any special flags to enable/disable SSL. You either install happstack-server-ssl or you do not. 

It provides a simple way to serve only SSL.

And, if your app requires SSL, you can depend on happstack-server-ssl and be sure SSL is actually enabled.

The primary drawback is that it is slightly harder to start listening for http + https than it currently is: it takes two lines instead of one.

Any comments?

- jeremy

p.s. there is actually a fourth issue: it generates a spurious error message when the timeout thread kills inactive connections. That will be fixed no matter what we do.

dag.od...@gmail.com

Feb 8, 2012, 12:00:11 PM
to ha...@googlegroups.com
On 8 February 2012 17:42, Jeremy Shaw <jer...@n-heptane.com> wrote:
> Hello,
>
> The current SSL implementation in happstack-server has three issues:
>
>  1. it is difficult to install the cryptopp libraries on some platforms (OS
> X, and probably Win32 as well)
>  2. there is no way to serve only SSL
>  3. there is no way to depend on a version of happstack-server that has SSL
> enabled
>
> One solution to this would be to move the ssl code into a new package like,
> happstack-server-ssl, and create a new function, simpleHTTPS which starts a
> SSL-only server. If you want http and https you can just do:
>
>> do http  <- forkIO $ simpleHTTP  nullConf httpParts
>>    https <- forkIO $ simpleHTTPS sslConf  httpsParts
>>    waitForTermination
>>    killThread http
>>    killThread https
>
> This doesn't make it any easier to install cryptopp on OS X, but it does
> mean that you only have to install that library if you actually want SSL.
> And you don't have to use any special flags to enable/disable SSL. You
> either install happstack-server-ssl or you do not.
>
> It provides a simple way to serve only SSL.
>
> And, if your app requires SSL, you can depend on happstack-server-ssl and be
> sure SSL is actually enabled.

+1

> The primary drawback is that it is slightly harder to start listening for
> http + https than it currently is.. takes two lines instead of one..

happstack-server-ssl could provide a function to start both easily, in
addition to the only-SSL version.

Antoine Latter

Feb 8, 2012, 12:21:43 PM
to ha...@googlegroups.com
On Wed, Feb 8, 2012 at 10:42 AM, Jeremy Shaw <jer...@n-heptane.com> wrote:
> Hello,
>
> The current SSL implementation in happstack-server has three issues:
>
>  1. it is difficult to install the cryptopp libraries on some platforms (OS
> X, and probably Win32 as well)
>  2. there is no way to serve only SSL
>  3. there is no way to depend on a version of happstack-server that has SSL
> enabled
>
> One solution to this would be to move the ssl code into a new package like,
> happstack-server-ssl, and create a new function, simpleHTTPS which starts a
> SSL-only server. If you want http and https you can just do:
>
>> do http  <- forkIO $ simpleHTTP  nullConf httpParts
>>    https <- forkIO $ simpleHTTPS sslConf  httpsParts
>>    waitForTermination
>>    killThread http
>>    killThread https
>
> This doesn't make it any easier to install cryptopp on OS X, but it does
> mean that you only have to install that library if you actually want SSL.
> And you don't have to use any special flags to enable/disable SSL. You
> either install happstack-server-ssl or you do not.
>
> It provides a simple way to serve only SSL.
>
> And, if your app requires SSL, you can depend on happstack-server-ssl and be
> sure SSL is actually enabled.
>

I like this - it means I either get secure deployment or none, if desired.

> The primary drawback is that it is slightly harder to start listening for
> http + https than it currently is.. takes two lines instead of one..
>

What dag.od...@gmail.com said.

It isn't well documented, but this seems to be the approach warp-tls
has taken - it looks like the warp-tls package only provides for
serving HTTPS traffic.


Jeremy Shaw

Feb 10, 2012, 10:34:50 PM
to HAppS
Hello,

In darcs, I have split TLS support out into a separate package, happstack-server-tls.

There is an example in happstack-server-tls/example.

The new API is pretty simple. You just import 'Happstack.Server.SimpleHTTPS' and call,

> simpleHTTPS :: (ToMessage a) =>
>                TLSConf           -- ^ tls server configuration
>             -> ServerPartT IO a  -- ^ server part to run
>             -> IO ()

simpleHTTPS only listens for SSL connections. If you want plain http:// as well, then you just forkIO one simpleHTTP thread and one simpleHTTPS thread.

I also suppressed a bunch of uninteresting SSL exceptions. For example, if the server tries to shutdown the connection, but the client already closed the socket -- then HsOpenSSL raises an exception. Now we just ignore that exception. Unless someone thinks that is a terrible idea?

I am going to let this sit in darcs for a few days so people can test and then I will make a new hackage release.

The next thing to investigate is how best to build TLS support on OS X. I know we have a workaround now. But perhaps the Setup.hs could do that for us automatically? Or we could link against the static version? Or, at the very least, we could produce an error message that tells the user what command to run?

- jeremy
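As an added example (not code from this thread, nor from happstack-server-tls itself), here is the two-listener pattern from the first message combined with the simpleHTTPS signature from this one, extended with what an application that "requires SSL" usually also wants: the plain-http listener does nothing but redirect to the https:// origin, and every https response carries a Strict-Transport-Security header so browsers stop trying http:// at all. Assumptions: the TLSConf field names (tlsPort, tlsCert, tlsKey) and the nullTLSConf default are taken from the package's later API rather than from this thread, so check them against your installed version; the ports and certificate paths are placeholders; and allowedHosts must be replaced with your real hostnames, because echoing an unvalidated Host header back in a redirect is an open redirect.

```haskell
module Main (main) where

import Control.Concurrent (forkIO, killThread)
import Control.Exception (finally)
import Control.Monad (msum)
import qualified Data.ByteString.Char8 as B
import Happstack.Server
import Happstack.Server.SimpleHTTPS (TLSConf(..), nullTLSConf, simpleHTTPS)

-- Hostnames we are willing to redirect to. Assumption: fill in your own.
-- Echoing an unvalidated Host header back in a redirect is an open redirect.
allowedHosts :: [String]
allowedHosts = ["localhost"]

-- Assumed ports; httpsPort must match the tlsPort handed to simpleHTTPS.
httpPort, httpsPort :: Int
httpPort  = 8080
httpsPort = 8443

-- The application proper. It is served by simpleHTTPS only, so it can never
-- be reached over plain http by mistake.
httpsParts :: ServerPart Response
httpsParts = do
  -- HSTS: a browser that has seen this once stops trying http:// at all.
  setHeaderM "Strict-Transport-Security" "max-age=31536000"
  msum [ dir "health" $ ok (toResponse "ok")
       , ok (toResponse "served over https only")
       ]

-- The plain-http listener does nothing except send clients to https://.
httpParts :: ServerPart Response
httpParts = do
  rq <- askRq
  let host = case getHeader "host" rq of
        Just h | n <- takeWhile (/= ':') (B.unpack h), n `elem` allowedHosts -> n
        _ -> head allowedHosts
      -- rqQuery may or may not carry the leading '?' depending on version,
      -- so normalise it before rebuilding the URL.
      query = case rqQuery rq of
        ""        -> ""
        q@('?':_) -> q
        q         -> '?' : q
      target = "https://" ++ host ++ ":" ++ show httpsPort ++ rqUri rq ++ query
  movedPermanently target (toResponse "")

main :: IO ()
main = do
  let tlsConf = nullTLSConf { tlsPort = httpsPort
                            , tlsCert = "server.crt"   -- assumed path
                            , tlsKey  = "server.key"   -- assumed path
                            }
  http  <- forkIO $ simpleHTTP  nullConf { port = httpPort } httpParts
  https <- forkIO $ simpleHTTPS tlsConf httpsParts
  -- Block until SIGINT/SIGTERM, then stop both listeners even if we leave
  -- via an exception rather than a clean return.
  waitForTermination `finally` (killThread http >> killThread https)
```

Because the real handler is only ever passed to simpleHTTPS, depending on happstack-server-tls is what guarantees the app cannot accidentally answer over plain http; the http listener is a separate, much smaller ServerPart whose only job is the 301. Keep the redirect target's port in sync with tlsPort, and replace the max-age with a small value while testing, since browsers cache HSTS for the stated period.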

