
2015-10-11

Pyslet goes https

After months of being too busy to sort this out I have finally moved the Pyslet website to SSL. This is a quick post to explain how I've done this.

Firstly, I've wanted to do this for a while because I want to use the above website to host a web version of the QTI migration tool but encouraging users to upload their precious assessment materials to a plain old HTTP URL should (hopefully would) have proved a challenge. I saw an advert for free SSL certificates for open source projects from GlobalSign so in a rush of enthusiasm I applied and got my certificate. There's a checklist of rules that the site must comply with to be eligible (see previous link) which I'll summarise here:

  1. OSI license: Pyslet uses the BSD 3-Clause License: check!
  2. Actively maintained: well, Pyslet is a spare-time activity but I'm going to give myself a qualified tick here.
  3. Not used for commercial purposes: the Pyslet website is just a way of hosting demos of Pyslet in action, no adverts, no 'monetization' of any kind: check!
  4. Must get an A rating with GlobalSign's SSL Checker...

That last one is not quite as easy as you might think. Here's what I did to make it happen. I'll assume you have already done some openssl magic, applied for and received your crt file.

  • Download the intermediate certificate chain file from GlobalSign here; the default one for SHA-256 Orders was the correct one for me.
  • Put the following files into /var/www/ssl (your location may vary):

    www.pyslet.org.key
    www.pyslet.org.crt
    globalsign-intermediate.crt

    The first one is the key I originally created with:

    openssl genrsa -des3 -out www.pyslet.org.key.encrypted 2048
    openssl req -new -key www.pyslet.org.key.encrypted -out www.pyslet.org.csr
    openssl rsa -in www.pyslet.org.key.encrypted -out www.pyslet.org.key

    The second file is the certificate I got from GlobalSign themselves. The third one is the intermediate certificate I downloaded above.

  • Set permissions (as root):
    chown -R root:root /var/www/ssl/*.key
    # key files are data, not programs: owner read/write only, no execute bit
    chmod 600 /var/www/ssl/*.key
  • Add a virtual host to Apache's httpd.conf (suitable for Apache/2.2.31):
    Listen 443
    
    <VirtualHost *:443>
        ServerName www.pyslet.org
        SSLEngine on
        
        SSLCertificateFile /var/www/ssl/www.pyslet.org.crt
        SSLCertificateKeyFile /var/www/ssl/www.pyslet.org.key
        SSLCertificateChainFile /var/www/ssl/globalsign-intermediate.crt
        
        SSLCompression off
        SSLProtocol all -SSLv3 -SSLv2
        SSLCipherSuite AES128+EECDH:AES128+EDH    
        SSLHonorCipherOrder on
        
    #   Rest of configuration goes here....
    
    </VirtualHost>

This is a relatively simple configuration designed to get an A rating while not worrying too much about compatibility with really old browsers.
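
An added example, not part of the original post or of Pyslet: a small Python check that reads the SSL directives of a virtual host and reports settings that differ from the ones above. The function names, the constructed weak block, and treating a missing SSLProtocol line as `all` are assumptions of this example.

```python
def parse_vhost(text):
    """Map lowercased directive name -> value, skipping comments and <...> tags."""
    directives = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and parts[0][0] not in "#<":
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def audit(text):
    """Return findings for one SSL virtual host; an empty list means nothing was flagged."""
    d, findings = parse_vhost(text), []
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile"):
        if name.lower() not in d:
            findings.append("missing " + name)
    # Assumption: no SSLProtocol line means "all", so legacy protocols must be subtracted.
    proto = d.get("sslprotocol", "all").lower().split()
    for legacy in ("sslv2", "sslv3"):
        explicit = legacy in proto or "+" + legacy in proto
        if "-" + legacy not in proto and ("all" in proto or explicit):
            findings.append(legacy + " not disabled")
    if d.get("sslcompression", "").lower() != "off":
        findings.append("SSLCompression not explicitly off")
    if d.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder not on")
    # Heuristic: every positive cipher entry should name an ephemeral key exchange.
    ephemeral = {"EECDH", "ECDHE", "EDH", "DHE"}
    for entry in d.get("sslciphersuite", "").split(":"):
        if entry and entry[0] not in "!-" and not ephemeral & set(entry.upper().split("+")):
            findings.append("cipher entry without forward secrecy: " + entry)
    return findings

# The post's SSL directives, copied from the page.
POST_VHOST = """
SSLCertificateFile /var/www/ssl/www.pyslet.org.crt
SSLCertificateKeyFile /var/www/ssl/www.pyslet.org.key
SSLCertificateChainFile /var/www/ssl/globalsign-intermediate.crt
SSLCompression off
SSLProtocol all -SSLv3 -SSLv2
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLHonorCipherOrder on
"""
# Constructed weak block for contrast (not from the page).
WEAK_VHOST = """
SSLCertificateFile /etc/ssl/example.crt
SSLCertificateKeyFile /etc/ssl/example.key
SSLProtocol all -SSLv2
SSLCipherSuite AES128+EECDH:AES128-SHA
"""
```

`audit(POST_VHOST)` returns an empty list, while `audit(WEAK_VHOST)` reports the missing chain file, SSLv3 left enabled, compression and cipher order not set, and the `AES128-SHA` entry.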

2011-06-24

Visual C++ Redistributable Licensing: I'm just not seeing it

As part of putting together the latest builds of the QTI Migration tool I have had to repackage the updated tool into a new installer.

The migration tool is written in Python and uses the py2exe tool to convert the Python script into a set of binaries that can be distributed to other Windows systems as a ready-to-run application without requiring Python (and various other packages, including wxPython, used for the GUI) to be installed first.

The output of py2exe is a folder containing the executable and all its supporting files ready to package up.  Originally this was all done by Pierre, my co-chair of the QTI working group.  I'm happy to report that updating the installation scripts went fine and I've been able to create a new Windows Installer using InnoSetup.

There is a recipe for using py2exe with wxPython published on pythonlibrary.org called "A py2exe tutorial".  However, I did have one problem with this recipe - I too had trouble with MSVCP90.dll but I needed the help of stackoverflow (thread: py2exe fails to generate an executable) to actually get the build going. Once done, I was concerned with the warning messages about the need to have a license to redistribute the DLL in my installer.  I found another blog post on distributing python apps for the windows platform which spelt out my options.  As I don't personally own a Visual Studio license it seems like I need to use the redistributable package which can be downloaded from Microsoft.

Unfortunately, when I download this file the license in the resulting installer does not appear compatible with packaging it into my installer for distribution with my tool.

Several people on the net seem to suggest that the DLL is off-limits but the 'redistributable' does exactly what it says on the tin.  Indeed, if you don't run the package it isn't clear what license you signed up to by downloading it but once you run the installer it clearly says that "You may make one backup copy of the software.  You may use it only to reinstall the software." and that you may not "publish the software for others to copy".  So I've played safe and am crossing my fingers that my users will have already installed these wretched DLLs on their system before they try the migration tool.

Previous versions of the migration tool installer were built by Pierre and he did have a Visual Studio license so could do the build and redistribute the software.

My experience and the time I wasted trying to find an answer to this question eventually turned up one discussion thread in which the complex issues that the team within Microsoft faces are exposed: see VC++ 2005 redistributable.  Although this thread is a little old now the replies from Nikola Dudar are helpful in providing deeper insight into the issue and the conflict that having a chargeable development platform creates.  On one hand Microsoft would like it to be easy for people to create software for their platform but they also have a paid-for development tool chain in Visual Studio.  The existence of Visual Studio Express edition (a free lightweight development environment) appears to be suitable only for personal hobbyists and not for anyone wanting to build software for redistribution.  There are lots of replies to the above article but if you search down for "release team" there is a reply that emphasises the difficulty of finding the balance between paid and express editions and a link to a blog post relating to the creation of the free to download redistributable packages.  I like these types of forum discussions as they show that even 'evil empires' like Microsoft are full of ordinary people just trying to do their jobs.