
Thread: SSL with EWB
Fri, Apr 13 2018 9:01 AM

kamran

Hi

Anybody care to explain how the new EWB with SSL will operate?

Assuming I have multiple domains:
http://www.abc.com
http://www.xyz.com


1. Would we still need to purchase an SSL certificate for *each* of the different domains from Geosign, Comodo, etc.?

2. A lot of talk of STunnel here.... is that still required after EWB 3 is out?

3. Is it an SSL certificate per website or SSL per IP address?

4. To understand better, could that be illustrated in a real-life scenario with particular reference to an EWB web app running under SSL?

5. Any recommendations for buying an "SSL cert" for use with multiple (different) domains?

Thanks

Kamran
Fri, Apr 13 2018 9:59 AM

Matthew Jones

kamran wrote:

> Any recommendations for buying "SSL cert" for use with multiple (different) domains ?

I cannot answer for Tim and EWB, but I hope very much that even if it doesn't support it directly, that EWB 3 will allow operation with Let's Encrypt, which provides free SSL certificates.

It isn't hard to allow support - you have to permit http traffic to /.well-known, and you have to update with the new certificates when they are available. With those two things, anyone can add support. And if the server doesn't support http (only SSL/TLS), then the first part is easy to do anyway. I have a little service that takes an HTTP request and redirects the browser to https, unless it is a /.well-known request. This allows people to use the easy default for their browser entry, and end up on the https service.

The server would probably have to support multiple certificates to allow different domains to be used - that isn't easy from what I understand, but is quite possible. Just got to intercept at the early point instead of the easy point.

But I am happy to assist Tim in any way with Let's Encrypt code. I have a basic system that works for this - not particularly pretty but viable for such integration - and am aware of a pure Delphi solution too (ICS library based).

--

Matthew Jones
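The plain-HTTP front Matthew describes above (answer /.well-known challenge requests, send everything else to https), as an added example in Go; it is not code from this thread, from EWB or from Matthew's service. The challenge directory and the host names are assumed placeholders, and the handler also checks the Host header against the domains you actually serve so a client cannot steer the redirect elsewhere.

```go
package main

import (
	"net/http"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// challengePrefix is the path an ACME HTTP-01 validator (Let's Encrypt) fetches over
// plain HTTP; the renewal tool writes one file per token under challengeDir.
const challengePrefix = "/.well-known/acme-challenge/"

// ACME tokens are base64url characters only; rejecting anything else before touching
// the file system keeps "../" style paths from reading outside challengeDir.
var tokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// acmeRedirectHandler answers challenge requests from challengeDir and sends every
// other request to the same host over HTTPS. hosts lists the domains served; the Host
// header is checked against it. Assumes the listener is on :80 (r.Host has no port).
func acmeRedirectHandler(challengeDir string, hosts ...string) http.Handler {
	allowed := map[string]bool{}
	for _, h := range hosts {
		allowed[strings.ToLower(h)] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed[strings.ToLower(r.Host)] {
			http.NotFound(w, r)
			return
		}
		if strings.HasPrefix(r.URL.Path, challengePrefix) {
			token := strings.TrimPrefix(r.URL.Path, challengePrefix)
			if !tokenRE.MatchString(token) {
				http.NotFound(w, r)
				return
			}
			if body, err := os.ReadFile(filepath.Join(challengeDir, token)); err == nil {
				w.Write(body)
				return
			}
			http.NotFound(w, r)
			return
		}
		http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
	})
}

func main() { // directory and host names are placeholders for this example
	http.ListenAndServe(":80", acmeRedirectHandler("acme-challenges", "www.abc.com", "www.xyz.com"))
}
```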
Fri, Apr 13 2018 3:32 PM

Raul

Team Elevate

On 4/13/2018 9:01 AM, kamran wrote:
> Anybody care to explain how the new EWB with SSL will operate ?

Tim is the only one at this point who would know the full details, but SSL/TLS
is pretty generic in terms of operation.

The certificate side of things is generally independent of any specific
implementation, so here's an attempt to answer some of these.

> 1. Would we still need to purchase a SSL certificate for *each* of the different domains from Geosign,Comodo etc

If you want a Certificate Authority-signed cert then yes, you need to
obtain one cert per host(s), or per domain if going for a wildcard.

Let's Encrypt is free and Matthew mentioned it. Otherwise you have to buy.

You can self-sign if you fully control all clients as well, but
considering how cheap or free certs are I'd use Let's Encrypt or Comodo
(through K Software, for example).

> 2. A lot of talk of STunnel here....is that still required after EWB 3 is out ?

Likely not, if EWB has native TLS support. However, the overall operation
would be the same as with stunnel - you provide certs to allow comms encryption.

> 3. Is it SSL certificate per website or SSL per IP Address ?

A certificate cannot be assigned to an IP at all, only to DNS names/domains.
You can do either a cert with a single host (or multiple hosts if the CA
supports Subject Alternative Name - most do) or a wildcard per domain
(*.abc.com, for example) for unlimited hosts in the same domain.

> 4. To understand better ..could that be illustrated in a real life scenario with particular reference to an EWB Web App running under SSL

Can you clarify? EWB would not be any different than any other TCP-based
server using certs (from Apache to SQL).


> 5. Any recommendations for buying "SSL cert" for use with multiple (different) domains ?

Let's Encrypt (https://letsencrypt.org/) is totally free, but you really
want to automate the renewal since these are 90-day certs. And they now
issue wildcards as well.

Otherwise we have used K Software and like them - they resell Comodo for
$20/year/cert (http://ksoftware.net/ssl_certs.html).

Raul
Fri, Apr 13 2018 3:39 PM

Raul

Team Elevate

On 4/13/2018 9:59 AM, Matthew Jones wrote:
> I cannot answer for Tim and EWB, but I hope very much that even if it doesn't support it directly, that EWB 3 will allow operation with Let's Encrypt, which provides free SSL certificates.

No doubt you can use LE certs - they are regular certs.

However, if you mean automating requests and auto-renewal ....

> It isn't hard to allow support - you have to permit http traffic to /.well-known, and you have to update with the new certificates when they are available.

It's not hard, but it's not trivial either, to add ACME protocol support.

A dev doing it manually using a 3rd-party client is likely easiest in the
beginning.

We looked into it for a bit, but for now we're doing it partially manually
since the number of certs we require is small.


> The server would probably have to support multiple certificates to allow different domains to be used - that isn't easy from what I understand, but is quite possible. Just got to intercept at the early point instead of the easy point.

That would be nice. TLS SNI is the only way to really achieve this AFAIK
(server on the same port/IP for all domains).

Raul
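Raul's SNI point above, as an added example using Go's crypto/tls (not EWB code, and not anything posted in this thread): one listener on one IP and port, with the certificate chosen per handshake from the client's SNI name, including the wildcard case discussed earlier in the thread. The certificate file names are placeholders.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strings"
)

// sniStore holds one loaded certificate per SNI name: an exact host ("www.abc.com"), a
// wildcard ("*.xyz.com"), or "" as the default for clients that send no SNI at all.
// The map is read-only after start-up, so concurrent handshakes need no lock.
type sniStore struct{ certs map[string]*tls.Certificate }

// getCertificate is the tls.Config.GetCertificate callback: exact name first, then the
// parent wildcard ("*.xyz.com" covers "app.xyz.com" but not "xyz.com" or "a.b.xyz.com").
func (s *sniStore) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	if c, ok := s.certs[name]; ok {
		return c, nil
	}
	if i := strings.Index(name, "."); i > 0 {
		if c, ok := s.certs["*"+name[i:]]; ok {
			return c, nil
		}
	}
	return nil, fmt.Errorf("no certificate for SNI name %q", hello.ServerName)
}

// loadSNIStore reads cert/key PEM pairs from disk, keyed by the SNI name they serve.
func loadSNIStore(files map[string][2]string) (*sniStore, error) {
	s := &sniStore{certs: map[string]*tls.Certificate{}}
	for name, pair := range files {
		c, err := tls.LoadX509KeyPair(pair[0], pair[1])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		s.certs[strings.ToLower(name)] = &c
	}
	return s, nil
}

func main() { // file paths are placeholders for this example
	store, err := loadSNIStore(map[string][2]string{
		"www.abc.com": {"abc.crt", "abc.key"}, "*.xyz.com": {"xyz.crt", "xyz.key"}})
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: store.getCertificate}
	panic((&http.Server{Addr: ":443", TLSConfig: cfg}).ListenAndServeTLS("", ""))
}
```

With GetCertificate set, ListenAndServeTLS is called with empty file names; a client that connects by bare IP sends no SNI and gets the "" entry or a handshake failure.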
Sat, Apr 14 2018 5:51 AM

Matthew Jones

Raul wrote:

> > It isn't hard to allow support - you have to permit http traffic to /.well-known, and you have to update with the new certificates when they are available.
>
> It's not hard but it's not trivial either to add ACME protocol support.
>
> Dev doing it manually using 3rd party client likely is easiest in the beginning.

That's why I suggested the specifics I did - the server just has to do two things - allow HTTP access to a .well-known directory, and update a certificate when it sees a new one appear. The rest can be done using whatever tool someone wants to put in place then. I have such tooling from open source and a single thread object I include in my servers. Perhaps I should document it... If this is of interest, let me know.

--

Matthew Jones
Sat, Apr 14 2018 11:38 AM

Raul

Team Elevate

On 4/14/2018 5:51 AM, Matthew Jones wrote:
> That's why I suggested the specifics I did - the server just has to do two things - allow HTTP access to a .well-known directory, and update a certificate when it sees a new one appear. The rest can be done using whatever tool someone wants to put in place then. I have such tooling from open source and a single thread object I include in my servers. Perhaps I should document it... If this is of interest, let me know.

That would be fantastic - I would love to see what you've done to make it
more automated, and then maybe I can contribute something back.

Every time I do the semi-manual process we use - which is approx. every
90 days - I'm thinking of improving it, but it takes like 10 min and
there are always other more pressing matters ....

Raul

Mon, Apr 16 2018 10:14 AM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com


<< 1. Would we still need to purchase a SSL certificate for *each* of the different domains from Geosign, Comodo etc >>

Yes, unless you get a wildcard certificate.

<< 2. A lot of talk of STunnel here....is that still required after EWB 3 is out ? >>

No.

<< 3. Is it SSL certificate per website or SSL per IP Address ? >>

It is per-domain.

With EWB 3, you'll simply purchase the cert, install it into Windows using the cert provider's instructions, and then select it for use in the EWB 3 web server settings.

Tim Young
Elevate Software
www.elevatesoft.com
Mon, Apr 16 2018 10:19 AM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Matthew,

<< I cannot answer for Tim and EWB, but I hope very much that even if it doesn't support it directly, that EWB 3 will allow operation with Let's Encrypt, which provides free SSL certificates. >>

Nope, at least not for a while.  I've got a list a mile long with EWB, and I'm months out on any new features that aren't already on the list.

<< The server would probably have to support multiple certificates to allow different domains to be used - that isn't easy from what I understand, but is quite possible. Just got to intercept at the early point instead of the easy point. >>

EWB 3's web server does *not* support multi-tenancy.  Remember, it's a *free* web server that we're providing for convenience along with EWB so that deployment is simple and easy for small to medium installations.  If you're using more than one domain, then you'll need to set up 3 different named servers with different settings.

<< But I am happy to assist Tim in any way with Let's Encrypt code. I have a basic system that works for this - not particularly pretty but viable for such integrating, and am aware of a pure Delphi solution too (ICS library based). >>

It's never the code that's an issue - it's the amount of time needed to document and support it.  I'm trying to keep things as simple as possible, and becoming the primary support point for cert acquisition/expiration, etc. issues is not something that I'm interested in dealing with at this time.

Tim Young
Elevate Software
www.elevatesoft.com
Mon, Apr 16 2018 3:39 PM

kamran

Hi, *thanks* to everyone for clarifying SSL with EWB.

Cheers

Kamran

Tim Young [Elevate Software] wrote:


<< 1. Would we still need to purchase a SSL certificate for *each* of the different domains from Geosign, Comodo etc >>

Yes, unless you get a wildcard certificate.

<< 2. A lot of talk of STunnel here....is that still required after EWB 3 is out ? >>

No.

<< 3. Is it SSL certificate per website or SSL per IP Address ? >>

It is per-domain.

With EWB 3, you'll simply purchase the cert, install it into Windows using the cert provider's instructions, and then select it for use in the EWB 3 web server settings.

Tim Young
Elevate Software
www.elevatesoft.com
Tue, Apr 17 2018 4:49 AM

Matthew Jones

Tim Young [Elevate Software] wrote:

>  I'm trying to keep things as simple as possible

Which is indeed fair enough. There are just two things to do to allow "third party" certificate updates, and both are probably easy if you do nothing.

1. Allow http access to the /.well-known/ path and those underneath. If you are not doing anything on the http port, that's sorted.

2. Allow some way to reload the certificate. At worst, that's restarting the service. At best, spotting that a new certificate file has appeared and adopting it at a convenient moment (determining convenient is the hard part!). The intermediate is allowing some way for the service to be told to adopt without a full shut down.

With those two facilities, which as I say can be done without explicit support if necessary, a third party solution can be used.

I shall look into a way to get my solution out as a demo. It isn't pretty, but it has worked on my machines for some years now, and has been reliable.

--

Matthew Jones