Thread: Setting up SSL

    #1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2011
    Posts
    2
    Rep Power
    0

    Setting up SSL


    Hi, I've been experimenting with Apache Axis2 in a C++ program (on Ubuntu) and I use it to consume a .NET WebService over HTTP, originating from a Microsoft IIS 7.0 Webserver.

    Now I'm trying to make the connection secure using HTTPS (and thus, SSL).

    There's a tutorial available (but I can't post the url because I'm new I see), but I'm still confused about what I can/can't do with my current setup.

    Question 1: The server already issues a self-signed certificate. Is this important/useful in any way? Or does it defeat the purpose of trying to secure the connection altogether (because it is self-signed?).

    Question 2: Given that certificate, how should I continue my attempt at securing my connection?

    As far as I understand, I need 3 certificates in total:
    1. one Master certificate (generated by a Certificate Authority)
    2. one server certificate (signed by using CA's Master certificate)
    3. multiple client certificates (signed by using CA's Master certificate)

    Thus I assume that the owner of the server must have a CA somewhere which signed the server certificate, and if I can find/locate this CA, I hope to use it to sign my client certificates. The server is physically located in the company.

    I don't know if any of this makes sense, suggestions are welcome. Thanks!
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2003
    Location
    Central New Jersey
    Posts
    207
    Rep Power
    21
    Dazzled - re: Question 1 - I don't think it's pointless to accept a self-signed certificate, as it's up to clients/browsers as to how they would handle this (i believe firefox throws up a warning at every page of a self-signed website, but safari and other browsers will only warn you once and allow you to download content if the user by-passes warning).

    re: Question 2 - The certificates on the client side are what you get directly from the Cert Authorities (DigiCert, ComSign, etc) to validate the info the server sends you. If you're dealing with a self-signed cert, you're not using the CA-signed certificates. If you use the CA-signed certificates, they get chained:

    ComSign certifies Google
    Google certifies DazzledServer
    DazzledServer certificate is what is read by client.

    You would check that ComSign checks out with what you have in your list, and then you can trust DazzledServer's certificate.

    I hope THAT made sense. : )

    Ask more and I'll try to fill the rest in.
    Last edited by astroboy71; April 25th, 2011 at 03:48 PM.
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2011
    Posts
    2
    Rep Power
    0
    Originally Posted by astroboy71
    Dazzled - re: Question 1 - I don't think it's pointless to accept a self-signed certificate, as it's up to clients/browsers as to how they would handle this (i believe firefox throws up a warning at every page of a self-signed website, but safari and other browsers will only warn you once and allow you to download content if the user by-passes warning).

    re: Question 2 - The certificates on the client side are what you get directly from the Cert Authorities (DigiCert, ComSign, etc) to validate the info the server sends you. If you're dealing with a self-signed cert, you're not using the CA-signed certificates. If you use the CA-signed certificates, they get chained:

    ComSign certifies Google
    Google certifies DazzledServer
    DazzledServer certificate is what is read by client.

    You would check that ComSign checks out with what you have in your list, and then you can trust DazzledServer's certificate.

    I hope THAT made sense. : )

    Ask more and I'll try to fill the rest in.
    Hi, sorry for the late reaction, but that was an extremely helpful reply. I now accept the self-signed cert and am able to communicate using HTTPS. Also had to recompile AXIS2 to be able to use OpenSSL. It seems to work, and WireShark agrees, too.

IMN logo majestic logo threadwatch logo seochat tools logo