Fév 172019
 

Previously we have built a HTTP server.
This time, lets build a HTTPS server.

The main difference compared to previous article is that this time, we need an object of type TIdServerIOHandlerSSLOpenSSL to provide certificates details and to handle the ssl part (client hello, server hello, etc).

Main code below.


IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := 'device.crt';
IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := 'device.key';
//IdServerIOHandlerSSLOpenSSL1.SSLOptions.RootCertFile := 'rootca.pem'; //optional since cert is signed with rootca is added to local ca authorities
IdServerIOHandlerSSLOpenSSL1.SSLOptions.Mode := sslmServer;
IdServerIOHandlerSSLOpenSSL1.SSLOptions.VerifyMode := [];
IdServerIOHandlerSSLOpenSSL1.SSLOptions.VerifyDepth := 0;
if rbtlsv12.Checked then IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
if rbtlsv11.Checked then IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_1];
if rbtlsv10.Checked then IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1];
if rbsslv3.Checked then IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvSSLv3 ];
IdServerIOHandlerSSLOpenSSL1.OnGetPassword := GetPassword; //not needed if we dont have a password on our cert

IdTCPServer1.DefaultPort := SERVER_PORT;
IdTCPServer1.IOHandler := IdServerIOHandlerSSLOpenSSL1;
IdTCPServer1.OnConnect := ServerConnect;
IdTCPServer1.OnExecute := ServerExecute;
IdTCPServer1.Active := True;

memResults.Lines.Add ('start');

Code is on github.

About the certificate part:
-generate the root ca (and add it to your client root ca’s)
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

-generate a csr (only the CN field matters and must match your local site – example : localhost or 127.0.0.1).
openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr

-use the root ca to generate a client cert from a csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256

  One Response to “Build a lightweigth HTTPS server : step 3”

  1. […] 1 : we will install Indy 10 in Lazarus Step 2 : we will code a lightweight http server Step 3 : we will generate a root certificate authority / use it to sign a certificate and turn our h… step 4 : we will see the difference between CN field (normally matching your web server) and SAN […]

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.