[2.0] HTTPS - Certificate - SSL support

Samuel Moreno

Feb 29, 2012, 11:42:44 AM
to play-fr...@googlegroups.com
We want to know if the Play Framework web server supports SSL one-way and two-way requests or this functionality will be developed in the next releases.

Otherwise, what other options are available to accomplish this type of requests? 

Thanks...

Guillaume Bort

Feb 29, 2012, 11:55:34 AM
to play-fr...@googlegroups.com
For now there is no built-in SSL support in the default play server
and I don't think we will add it. It's easier to handle it with a
reverse proxy.

--
Guillaume Bort

Vik

Feb 29, 2012, 12:17:46 PM
to play-fr...@googlegroups.com
Will HTTPS never be supported by Play 2.0?


On Wednesday, 29 February 2012 08:55:34 UTC-8, Guillaume Bort wrote:
> For now there is no built-in SSL support in the default play server
> and I don't think we will add it. It's easier to handle it with a
> reverse proxy.

Guillaume Bort

Feb 29, 2012, 12:23:15 PM
to play-fr...@googlegroups.com
Well I don't see the point of supporting it directly in the play
server. These days you usually deploy on cloud platform and SSL is
managed for you. And even if you host your application yourself on a
dedicated server you usually need a reverse proxy making the native
HTTPS support useless.

On Wed, Feb 29, 2012 at 6:17 PM, Vik <vikra...@gmail.com> wrote:
> Will HTTPS never be supported by Play 2.0?
>
>
> On Wednesday, 29 February 2012 08:55:34 UTC-8, Guillaume Bort wrote:
>>
>> For now there is no built-in SSL support in the default play server
>> and I don't think we will add it. It's easier to handle it with a
>> reverse proxy.

Eishay Smith

Feb 29, 2012, 12:27:59 PM
to play-fr...@googlegroups.com
Even if it would, it's recommended to offload cert handling to a reverse proxy (apache, nginx). They'll be faster and probably more secure, as most of the industry is using and scrutinizing them.

Michael Slinn

Feb 29, 2012, 12:45:19 PM
to play-fr...@googlegroups.com
First off, I think when everyone talks about SSL support, they really mean TLS support because SSL v2 and v3 are broken. Streaming (HTTP 1.1 chunked mode) is problematic for many proxies because checksums are only computed after the socket closes. This is probably worse for the websocket protocol because it is newer and is not widely supported.

So if the originating server (Play) does not provide TLS for the streaming connection, that connection cannot be made secure without deconstructing and reconstructing the stream which is problematic. I believe that not supporting secure websockets from Play means that secure websockets cannot be served from a Play app without serious hassle and limitations.

Mike

cody

Mar 2, 2012, 5:37:14 AM
to play-framework
Well...we for example have SSL also between load balancer and the app
servers, _because_ we deployed it on cloud. The need to secure the
communication "over internet" and "inside the cloud" is the same. The
cloud environment is no different than the rest of the internet
(unless you have something like Amazon VPC). It is no safer by any
means. We take the security seriously and we can't promise secured
communication to our customers and secure only one half of it in
reality.
It is not unsolvable though. If play2 does not support SSL, there will
have to be nginx on each app server, for example. But such a solution
raises some new problems...Play1's SSL support is very handy.

On Feb 29, 6:23 pm, Guillaume Bort <guillaume.b...@gmail.com> wrote:
> Well I don't see the point of supporting it directly in the play
> server. These days you usually deploy on cloud platform and SSL is
> managed for you. And even if you host your application yourself on a
> dedicated server you usually need a reverse proxy making the native
> HTTPS support useless.
>
> On Wed, Feb 29, 2012 at 6:17 PM, Vik <vikram....@gmail.com> wrote:
> > Will HTTPS never be supported by Play 2.0?
>
> > On Wednesday, 29 February 2012 08:55:34 UTC-8, Guillaume Bort wrote:
>
> >> For now there is no built-in SSL support in the default play server
> >> and I don't think we will add it. It's easier to handle it with a
> >> reverse proxy.
>

Samuel Moreno

Mar 2, 2012, 9:22:15 AM
to play-fr...@googlegroups.com
We just configure the Nginx server with SSL/TLS 2-way certificate authentication, sending the user certificate and receiving it in the request of "Play".
Will this give us performance problems? Will we continue to have the sync performance of "Play"?
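
The setup described in the post above, nginx terminating TLS with two-way certificate authentication and handing the client certificate to Play inside the proxied request, could look like the following. This is an added example, not part of the original post and not the poster's actual configuration; the host name, file paths, the X-SSL-Client-* header names and the backend address 127.0.0.1:9000 are assumptions.

```nginx
# Added example: all names, paths and header names below are placeholders.
server {
    listen 443 ssl;
    server_name app.example.com;

    # Server identity (the "one-way" half of the handshake).
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # "Two-way" TLS: the handshake must include a client certificate
    # that chains to a CA in this bundle, otherwise nginx answers 400.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # For schemes that do not rely on the issuing CA (WebID, mentioned
    # elsewhere in this thread), "ssl_verify_client optional_no_ca;" asks
    # for a certificate without validating its chain. The application
    # then has to do all verification itself.

    location / {
        # Play listening on loopback only (assumed address and port).
        proxy_pass http://127.0.0.1:9000;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        # Result of the handshake, passed to the application. Setting
        # these explicitly replaces any value the client sent itself.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        # URL-encoded PEM certificate (needs nginx 1.13.5 or later).
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;

        # WebSocket upgrade pass-through (needs nginx 1.3.13 or later),
        # so wss:// terminates at the proxy like any other TLS request.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The application should trust the X-SSL-Client-* headers only when the request comes from the proxy, which is why the backend is bound to loopback here. With `ssl_verify_client on`, `X-SSL-Client-Verify` is always `SUCCESS` for requests that reach the backend; with the optional modes the application must check it on every request.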

Henry Story

Mar 7, 2012, 7:25:31 AM
to play-fr...@googlegroups.com
+1 SSL/TLS  Support would be very important for me, as I would like to add WebID authentication
     http://webid.info/spec/ which requires SSL.

As Play works on netty this should not be a problem really. Unfiltered has a very small and simple server setup
for Play to get this done. Is there a reason this would be a lot more complicated for Play?

Henry Story

Mar 7, 2012, 7:41:20 AM
to play-fr...@googlegroups.com


On Wednesday, 7 March 2012 13:25:31 UTC+1, Henry Story wrote:
> +1 SSL/TLS Support would be very important for me, as I would like to add WebID authentication
>      http://webid.info/spec/ which requires SSL.
>
> As Play works on netty this should not be a problem really. Unfiltered has a very small and simple server setup
> for Play to get this done. Is there a reason this would be a lot more complicated for Play?

I meant they have a very simple library to do this. Here is part of it:

Here is how I developed it for use with WebID 

(in WebID we don't care about the CA that signs the client cert - which is what makes it so much more
useful )

Henry Story

Mar 7, 2012, 7:28:02 PM
to play-fr...@googlegroups.com
I have an initial patch that seems to work for RC4 support of TLS


it is taken mostly directly from unfiltered. I need to work on it some more because I would like to be able to
also set the Trust Manager more carefully, as I do here


And of course as it stands now you no longer have non TLS support, so that should be something selectable.
But perhaps one of the developers could let me know what needs to be done there.

In any case I'll be unable to continue the work for another 18 hours.

Henry Story

Mar 8, 2012, 3:47:25 PM
to play-fr...@googlegroups.com
I have opened a ticket for this:


please vote for it or contribute to it.

Henry Story

Mar 11, 2012, 3:34:25 PM
to play-fr...@googlegroups.com
And it now supports client certificates too. See bug report for pointers.

Matthew Tovbin

May 30, 2012, 2:05:50 PM
to play-fr...@googlegroups.com
Henry,

Did you test your patch for securing WebSocket connections?


-Matthew 

Henry Story

May 30, 2012, 2:24:37 PM
to play-fr...@googlegroups.com
On 30 May 2012, at 20:05, Matthew Tovbin wrote:

> Henry,
>
> Did you test your patch for securing WebSocket connections?

No, I was travelling on conferences for a month and a half or so, and so did not progress
much since my previous patch releases.

But I am just getting back to using Play 2.0 now, which the Play team enhanced with light
weight TLS support - but not in dev mode.

Last week I added to their work with the following patches to allow client certificate
authentication in Play in normal and dev mode


Hopefully they will accept the patch. (Not sure if one can vote for patches on github)

Having secured web sockets work would be nice to have for my project too. So I hope 
I can get some time to look at that, but perhaps only in a few weeks, or early July.

Is there an issue you think that they might have?


Henry

Social Web Architect
http://bblfish.net/

Matthew Tovbin

May 30, 2012, 3:28:38 PM
to play-fr...@googlegroups.com

No, I expect it to work exactly as any other TLS connection. 
I'm about to test your code and I'll update you on my progress.


-Matthew

Henry Story

Jun 8, 2012, 2:00:18 PM
to play-fr...@googlegroups.com
I have updated the TLS patches and pull requests for Play 2.0


Pull Request 339 now allows you to specify a keystore from the application.conf file. You should
now be able to run Play 2.0 (once those patches have been applied) with an X509 certificate
signed by a well known CA. Hopefully DANE will be finished soon, allowing even self signed certificates
to work nicely when placed in DNSSEC.

I have tested this a little, but it is worth testing again, feedback is welcome.
Hopefully it can be integrated into the main Play repository soon.

Henry