HTTPS....almost there, but need a bit of help


Julian Ford

Jan 10, 2020, 11:15:45 AM
to VA Smalltalk
Hello....

I am trying to switch over my web services to use HTTPS,
and I think I just about have it.

I gather the changes were actually pretty minimal,
but I needed to get a certificate and a private key file.

I have a great API that allows me to create self-signed certificates
(I did not spot anything in VA).  I used this to create a private key file,
in PEM format, that was password-encrypted.

I then used that private key file, and the password, to create my certificate
(also in PEM format).

I can open the certificate successfully, using 
SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword'.

But when I try the SSL Echo Server Example, from the documentation,
and send a message to it, I get the following error.....

INTERNAL_ERROR (151404653): Unknown error
OpenSSLError
Error Code: 151404653
Error Object: ('problems getting password')
Error String: 'error:0906406D:PEM routines:PEM_def_callback:problems getting password'
Error Hint: 'PEM_def_callback:problems getting password'
AuxiliaryData: nil


Is there a way to specify the password somewhere, that I am just missing?

As a more general question, do I need to use the same private key file I used to create
my certificate?  I assumed I did.  But if I do not, then I could simply create a new private key file
using the VA crypto library, that does not have a password.

Any help would be greatly appreciated.....

Regards,
Julian

Seth Berman

Jan 11, 2020, 12:02:27 PM
to VA Smalltalk
Hi Julian,

Does the following work?
Here we create the x509 object externally and pass that in as certificate:
That setter can accept <String> or <SciSslX509Certificate>
If you are using passphrases...then I think you need the x509 object.

config := SciSslSocketConfiguration new
          certificate: (SciSslX509Certificate fromFile: 'myCert.pem' password: 'myPassword' asPSZ);
          privateKeyFilename: '<your-dir>/key.pem';
          sslVersion: SciSslConstants::SSLv23;
          yourself.

-Seth

Julian Ford

Jan 11, 2020, 8:47:25 PM
to VA Smalltalk
Thanks for the reply, Seth....

Actually, I got it working earlier today.
My approach was similar. I was able to specify the certificate file, as in the example,
but I manually loaded the private key using #fromFile:password:, and passed THAT in
as the private key... instead of a file name.

Worked like a charm!

Now, I am not setting the SSL version.... should I be doing that?
Or is that really up to the partner company that will be consuming my
web services (this is not for a general browser...just direct communication from
a trusted partner)?  I presume we must agree on the SSL version....

Regards,
Julian

Seth Berman

Jan 11, 2020, 8:58:45 PM
to VA Smalltalk
Hi Julian,

Typically you want to just set the version as 'default' or 'tls'.  They currently resolve to the same thing.
This will try and use the highest tls protocol that both the client and server support.

i.e.
SciSslSocketConfiguration new
sslVersion: 'default';
yourself.

or

SciSslSocketConfiguration new
sslVersion: 'TLS';
yourself.


There are also some new setters for 9.2 that let you easily constrain the min/max protocols allowed:
The example below says the client is only willing to connect to servers that support TLS1.2 or TLS1.3
Everything else is rejected.

SciSslSocketConfiguration new
    minProtocol: TLS1_2_VERSION;
    maxProtocol: TLS1_3_VERSION;
    yourself.

- Seth
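The two settings discussed in this thread, a passphrase-protected PEM private key (Seth's first reply and Julian's follow-up) and the minProtocol:/maxProtocol: bounds (this reply), carried through as an added example. This is not code from the thread or from VA Smalltalk: it uses Python's ssl module as a stand-in for SciSslSocketConfiguration, assumes the `openssl` command-line tool is on PATH (used only to mint a throwaway self-signed certificate), and the file names cert.pem/key.pem, the hostname localhost, the echo payload and the passphrase 'myPassword' are constructed for the demo. It runs a loopback echo server, like the SSL Echo Server example, and reports which TLS version each client/server combination negotiates, including the case with no overlap, which is rejected.

```python
"""Loopback TLS echo: encrypted PEM key + min/max protocol bounds (added example)."""
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

PASSWORD = "myPassword"  # passphrase from the thread; constructed for this demo


def make_self_signed(workdir, password):
    """Mint cert.pem and a passphrase-encrypted (PKCS#8) key.pem for CN=localhost.
    Assumes the `openssl` CLI is on PATH; OpenSSL 1.1.1+ for -addext."""
    cert, key = Path(workdir) / "cert.pem", Path(workdir) / "key.pem"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", str(key), "-out", str(cert), "-passout", f"pass:{password}"],
        check=True, capture_output=True)
    return cert, key


def key_loads(cert, key, password):
    """True if OpenSSL can decrypt key.pem with this passphrase.
    A wrong (or missing) passphrase fails inside the PEM routines, the same
    code path behind the 'problems getting password' error in the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert, keyfile=key, password=password)
    except ssl.SSLError:
        return False
    return True


def server_context(cert, key, password, lo, hi):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version, ctx.maximum_version = lo, hi   # cf. minProtocol:/maxProtocol:
    ctx.load_cert_chain(certfile=cert, keyfile=key, password=password)
    return ctx


def client_context(cert, lo, hi):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)       # verifies cert and hostname
    ctx.minimum_version, ctx.maximum_version = lo, hi
    ctx.load_verify_locations(cafile=cert)               # trust only our self-signed cert
    return ctx


def _echo_once(ctx, listener, out):
    """Server half: accept one connection, echo one message back."""
    try:
        conn, _ = listener.accept()
        conn.settimeout(5)
        with ctx.wrap_socket(conn, server_side=True) as tls:
            out["server_version"] = tls.version()
            tls.sendall(tls.recv(1024))
    except (ssl.SSLError, OSError) as exc:
        out["server_error"] = type(exc).__name__


def handshake(server_ctx, client_ctx, payload=b"hello"):
    """One client/server exchange over loopback; reports what was negotiated."""
    out = {}
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(5)
        port = listener.getsockname()[1]
        worker = threading.Thread(target=_echo_once, args=(server_ctx, listener, out))
        worker.start()
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                    client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(payload)
                out["echo"] = tls.recv(1024)
                out["client_version"] = tls.version()
        except (ssl.SSLError, OSError) as exc:
            out["client_error"] = type(exc).__name__
        worker.join(5)
    return out


def run_demo():
    V = ssl.TLSVersion
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d, PASSWORD)
        srv = lambda lo, hi: server_context(cert, key, PASSWORD, lo, hi)
        cli = lambda lo, hi: client_context(cert, lo, hi)
        return {
            "wrong_password_loads": key_loads(cert, key, "not-the-password"),
            "right_password_loads": key_loads(cert, key, PASSWORD),
            # both sides allow 1.2..1.3 -> the highest version both support wins
            "both_1_2_to_1_3": handshake(srv(V.TLSv1_2, V.TLSv1_3), cli(V.TLSv1_2, V.TLSv1_3)),
            # client pinned to 1.2 -> 1.2 is the highest common version
            "client_1_2_only": handshake(srv(V.TLSv1_2, V.TLSv1_3), cli(V.TLSv1_2, V.TLSv1_2)),
            # server 1.3 only vs client 1.2 only -> no overlap, handshake rejected
            "no_overlap": handshake(srv(V.TLSv1_3, V.TLSv1_3), cli(V.TLSv1_2, V.TLSv1_2)),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The key point the thread arrives at is visible in `server_context`: the passphrase is handed to the loader explicitly rather than left to OpenSSL's default prompt callback, and the protocol floor and ceiling are set on the context so that anything outside the window is refused at the handshake instead of negotiated down.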

Wayne Johnston

Jan 13, 2020, 10:03:59 AM
to VA Smalltalk
Seth, for purposes of specifying allowed TLS versions, would you recommend using #minProtocol: / #maxProtocol: instead of the older/cryptic #sslVersion: ?

Seth Berman

Jan 13, 2020, 1:06:34 PM
to VA Smalltalk
Hi Wayne,

Yes, I would use #minProtocol:/#maxProtocol:.  The requirement is that you are running versions of OpenSSL >= 1.1.0.
The 1.0.x branch is now out of support, but if you are using it, then you have to use sslVersion:

- Seth

Julian Ford

Jan 15, 2020, 12:09:07 AM
to VA Smalltalk
Thanks for the additional info, Seth!!
It is very helpful!

Julian

Seth Berman

Jan 15, 2020, 12:10:05 PM
to VA Smalltalk
My pleasure to help!