After months of being too busy to sort this out I have finally moved the Pyslet website to SSL. This is a quick post to explain how I've done this.
Firstly, I've wanted to do this for a while because I want to use the above website to host a web version of the QTI migration tool but encouraging users to upload their precious assessment materials to a plain old HTTP URL should (hopefully would) have proved a challenge. I saw an advert for free SSL certificates for open source projects from GlobalSign so in a rush of enthusiasm I applied and got my certificate. There's a checklist of rules that the site must comply with to be eligible (see previous link) which I'll summarise here:
- OSI license: Pyslet uses the BSD 3-Clause License: check!
- Actively maintained: well, Pyslet is a spare-time activity but I'm going to give myself a qualified tick here.
- Not used for commercial purposes: the Pyslet website is just a way of hosting demos of Pyslet in action, no adverts, no 'monetization' of any kind: check!
- Must get an A rating with GlobalSign's SSL Checker...
That last one is not quite as easy as you might think. Here's what I did to make it happen; I'll assume you have already done some openssl magic, applied for and received your crt file.
- Download the intermediate certificate chain file from GlobalSign here, the default one for SHA-256 Orders was the correct one for me.
Put the following files into /var/www/ssl (your location may vary):

```
www.pyslet.org.key
www.pyslet.org.crt
globalsign-intermediate.crt
```
The first one is the key I originally created with:

```sh
# generate a passphrase-protected 2048-bit RSA key
openssl genrsa -des3 -out www.pyslet.org.key.encrypted 2048
# create the certificate signing request to send to the CA
openssl req -new -key www.pyslet.org.key.encrypted -out www.pyslet.org.csr
# strip the passphrase so Apache can load the key unattended
openssl rsa -in www.pyslet.org.key.encrypted -out www.pyslet.org.key
```
The second file is the certificate I got from GlobalSign themselves. The third one is the intermediate certificate I downloaded above.
- Set permissions (as root):

```sh
chown -R root:root /var/www/ssl/*.key
chmod 700 /var/www/ssl/*.key
```
- Add a virtual host to Apache's httpd.conf (suitable for Apache/2.2.31):

```apache
Listen 443
<VirtualHost *:443>
    ServerName www.pyslet.org
    SSLEngine on
    SSLCertificateFile /var/www/ssl/www.pyslet.org.crt
    SSLCertificateKeyFile /var/www/ssl/www.pyslet.org.key
    SSLCertificateChainFile /var/www/ssl/globalsign-intermediate.crt
    SSLCompression off
    SSLProtocol all -SSLv3 -SSLv2
    SSLCipherSuite AES128+EECDH:AES128+EDH
    SSLHonorCipherOrder on
    # Rest of configuration goes here....
</VirtualHost>
```
This is a relatively simple configuration designed to get an A rating while not worrying too much about compatibility with really old browsers.
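As an added example (not part of the original post), the three files can be sanity-checked with openssl alone before Apache is restarted: the key must match the certificate, and the certificate must chain through the intermediate to a trusted root, since an incomplete chain is a common reason for browser warnings and a poor SSL checker result. The script builds a throwaway root/intermediate/leaf hierarchy so it runs offline; the hostnames and file names in it are constructed, not the real Pyslet files.

```sh
#!/bin/sh
# Added example: offline sanity checks for the key, certificate and intermediate
# before they go into /var/www/ssl. Uses only the openssl command-line tool.
set -u

# Succeeds when the private key's public half equals the certificate's public key.
# $1 = private key file, $2 = certificate file
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Succeeds when the leaf certificate chains via the intermediate(s) to a trusted root.
# $1 = leaf certificate, $2 = intermediate chain file, $3 = trusted root bundle
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Constructed test data: a throwaway root -> intermediate -> leaf hierarchy in
# directory $1, so the checks can be exercised without a real CA. The real
# certificate and intermediate come from the CA, as the post describes.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root' \
        -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$d/www.key" -out "$d/www.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/www.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/www.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1   # unrelated key: mismatch case
}

# Usage: sh check.sh KEY CRT INTERMEDIATE [ROOT_BUNDLE]  (root bundle path is an assumption)
if [ $# -ge 3 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY/CERT MISMATCH"
    chain_verifies "$2" "$3" "${4:-/etc/ssl/certs/ca-certificates.crt}" \
        && echo "chain verifies" || echo "CHAIN DOES NOT VERIFY"
fi
```

Run against the real files with the GlobalSign intermediate as the third argument; a mismatch or a chain failure here is a configuration error that no cipher or protocol setting will fix.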