Ioan's Zope Documents
Zope and SSL

Run your Zope server with SSL support.

Compile Zope under Unix

extract Zope-xxx-src.tgz
read ./doc/INSTALL.txt
python wo_pcgi.py
provide a user name to run ZServer as (add the argument -u username to the ./start script); when started as root, ZServer binds its ports and then switches to that user
if you run the server as root, set the sticky bit on ./var
be sure you set rwx on ./var for group and others (that is, chmod 1777 ./var); a tighter alternative is to chown ./var to the ZServer user and keep it writable by that user only
set the owner of ./var/Data.fs to be your user name (chown username Data.fs)


M2Crypto

You need to download and install M2Crypto from http://www.post1.com/home/ngps/m2/
then you need the OpenSSL binary package from http://www.post1.com/home/ngps/m2/openssl-0.9.6-win32.zip
Copy the OpenSSL binary package somewhere in your path.

I know this procedure works on Windows NT & 2K.
For Linux, just try, because I didn't.
I tested it with Zope 2.5.1b2 (binary release, python 2.1, win32-x86).


Install M2Crypto

After you have extracted M2Crypto somewhere,
you must copy the m2crypto-XX-snapYY\M2Crypto folder into your Zope python library folder:
I mean copy it into ...Zope...\lib\python\

then find
m2crypto-XX-snapYY\win\pyX\_m2crypto.py
and m2crypto-XX-snapYY\win\pyX\_m2cryptoc.dll
and copy both files into the Zope M2Crypto folder (the one you just created under lib\python)
(use the right version of m2crypto according to your python version: pyX must match the python Zope ships with)

Install ZServerSSL:
copy everything from m2crypto-XX-snapYY\demo\zope\ to the Zope root installation (replace files if any);
that means z2s.py will be copied into the same folder as z2.py.

You must edit the file ...your_zope.../ZServer/__init__.py
and replace
from medusa import max_sockets, asyncore

with
from medusa.test import max_sockets
from medusa import asyncore


The non-SSL server starts from z2.py - this is the original Zope file.
ZServerSSL starts from z2s.py; edit z2s.py and change
HTTP_PORT=80
HTTPS_PORT=443
FTP_PORT=21
(on Unix, ports below 1024 can only be bound by root, so start as root with -u username so that ZServer gives up root after binding them; if you keep the plain HTTP and FTP ports open, remember that logins over them still travel in clear text, SSL only protects HTTPS_PORT)

Edit start.bat or start.sh to run z2s.py instead of z2.py

Generate certificates

You may
  • Use a self-signed certificate

    Issued to: ZopeServer01
    Issued by: ZopeServer01
    Valid from today until the expiry date you choose (-days)



  • Create your own certificate authority, then certify your server
    Issued to: ZopeServer01
    Issued by: John Doe (Global Certificate Authority)
    Valid from today until the expiry date you choose (-days)



  • Use a company to certify your server
    Issued to: ZopeServer01
    Issued by: VeriSign Trust Network
    Valid from today for the period the company sells

To generate these certificates you create some .bat (or .cmd, or Unix shell script) files with openssl commands.
What Zope needs is server.pem, which contains the server's private key and the server's certificate (the scripts below also append the certificate request; that is harmless, but it is not used at run time),
and ca.pem, which holds the certificate of the authority that signed the server certificate (no private key, no request, just the self-signed CA certificate; for a self-signed server, that is the server's own certificate).

Copy server.pem and ca.pem into the Zope root installation (the folder where z2.py is). server.pem contains the private key, so make it readable only by the user ZServer runs as.

OpenSSL help : http://www.openssl.org/docs/apps/openssl.html


Self-signed certificate

@echo off
echo Gen server key
rem pass the key size explicitly: without it, genrsa uses the OpenSSL default (512 bits in 0.9.x), which is far too small
rem -des3 protects the key with a passphrase, which ZServerSSL will ask for when it loads server.pem
openssl genrsa -des3 2048 > server.key

echo Gen cert request
openssl req -config server.cnf -new -key server.key > server.csr

echo Make self signed certificate
rem -days sets the validity period; the default is 30 days
openssl req -config server.cnf -x509 -days 60 -key server.key -in server.csr > server.crt

echo Build for Zope ->server.pem and ca.pem
rem /b concatenates in binary mode, so copy does not append a Ctrl-Z end-of-file character
copy /b server.crt + server.key + server.csr server.pem
rem with a self-signed certificate the server's own certificate is the "CA": ca.pem must hold server.crt, not the request
copy /b server.crt ca.pem

Your certificate authority

@echo off
echo Gen ca key
echo the results are in ./ca/ folder
rem 2048 is the key size; genrsa without it uses the OpenSSL default (512 bits in 0.9.x)
openssl genrsa -rand rand_file -des3 2048 > ca/ca.key

echo Gen ca certificate sign request (csr)
echo Name your certificate authority appropriately (e.g., Global Authority)
echo and enter the appropriate names.
openssl req -config ca.cnf -new -key ca/ca.key > ca/ca.csr

echo Sign ca certificate
openssl req -config ca.cnf -days 90 -x509 -key ca/ca.key -in ca/ca.csr > ca/ca.crt

echo ***********************************

echo Gen server key
rem -des3 protects the key with a passphrase, which ZServerSSL will ask for when it loads server.pem
openssl genrsa -rand rand_file -des3 2048 > server.key

echo Gen server certificate sign request (csr)
echo Name your server appropriately (e.g., EBRSWEB01): the Common Name must be the host name clients use in the URL
echo and enter the appropriate names.
openssl req -config server.cnf -new -key server.key > server.csr

echo Sign server certificate request
rem openssl ca uses index.txt and serial from the current folder (see clean.bat) and asks you to confirm before signing
openssl ca -config ca.cnf -days 60 -notext -in server.csr -cert ca/ca.crt -keyfile ca/ca.key > server.crt

echo Build for Zope ->server.pem and ca.pem
rem /b concatenates in binary mode, so copy does not append a Ctrl-Z end-of-file character
copy /b server.crt + server.key + server.csr server.pem
copy /b ca\ca.crt ca.pem

This is the best thing you can do.
(I'm using this on my Intranet.)
You generate your ca.crt once, then you send it by e-mail to your partners.
Never send your ca.key, because it is the private key you use to sign certificates; keep it off the web server, ideally on a machine that is not reachable from the network, readable only by the person who knows its passphrase.

All partners will install the certificate ca.crt, and every server certified by you
with this CA key will be a trusted server; the web page will open without warnings about secure/insecure content and so on ...

Just installing ca.crt is enough. Two caveats: e-mail can be tampered with on the way, so have the partners compare the certificate fingerprint (openssl x509 -in ca.crt -noout -fingerprint) with one you give them by phone or in person before they install it; and once ca.crt is installed as a trusted root, whoever holds ca.key can issue a certificate for any host name those browsers will accept, so the CA key is worth more than any single server key.
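The two batch files above, run one after the other, as a single POSIX shell function that also verifies its own result. This is an added example, not code from the original page or from M2Crypto; the function names make_zope_certs and show_cert, the CA_PASS variable and the host name in the usage below are assumptions of the example. It assumes openssl 1.0 or newer on PATH, the CA passphrase in the CA_PASS environment variable (a constructed placeholder is used when it is unset), and takes the server host name and a working folder as arguments. It deliberately departs from the page's scripts in four places, each marked CHANGED in the code: 2048-bit keys and sha256 instead of the 0.9.6-era defaults, a subjectAltName on the server certificate (today's browsers ignore the Common Name without it), -batch so that openssl ca does not prompt, and an unencrypted server key protected by file permissions rather than a passphrase ZServer would ask for at every start. The ca.cnf it writes is a cut-down version of the one shown later on this page.

```sh
#!/bin/sh
# Added example, not from the original page: the two batch files above as one
# POSIX shell function, run end to end and verified. Assumed (not from the
# page): openssl 1.0 or newer on PATH, the CA passphrase in $CA_PASS (a
# constructed placeholder is used when unset), host name and work folder as
# arguments. Deliberate departures from the .bat files are marked CHANGED.
set -eu
umask 077   # every key file created below is readable by its owner only

# make_zope_certs HOST WORKDIR: writes WORKDIR/server.pem and WORKDIR/ca.pem
# (the two files z2s.py loads) and keeps the CA material under WORKDIR/ca/.
# Runs in a subshell so the cd does not leak into the caller.
make_zope_certs() (
    host=$1
    work=$2
    ca_pass=${CA_PASS:-constructed-placeholder-passphrase}
    ca_name="John Doe (Global Certificate Authority)"
    mkdir -p "$work/ca"
    cd "$work"

    # Cut-down stand-in for the page's ca.cnf/server.cnf (heredoc body is
    # unindented on purpose). "\$dir" stays literal so OpenSSL expands it.
    cat > ca.cnf <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = .
database        = \$dir/index.txt
new_certs_dir   = \$dir/ca
serial          = \$dir/serial
default_md      = sha256
default_days    = 60
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName     = supplied
commonName      = supplied
[ req ]
distinguished_name = req_dn
prompt          = no
[ req_dn ]
C               = RO
CN              = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage        = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage        = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
# CHANGED: browsers now match the host name against subjectAltName, not CN
subjectAltName  = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # clean.bat equivalent: "openssl ca" needs an empty index and a serial.
    : > index.txt
    echo 01 > serial

    # CA key (passphrase protected) and its self-signed certificate, 90 days
    # as on the page. CHANGED: 2048-bit key, sha256, passphrase via -passout.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out ca/ca.key 2048 2>/dev/null
    openssl req -config ca.cnf -new -x509 -days 90 -extensions ca_ext \
        -key ca/ca.key -passin "pass:$ca_pass" -subj "/C=RO/CN=$ca_name" \
        -out ca/ca.crt

    # Server key and request; the CN is the host name clients will type.
    # CHANGED: no -des3, so ZServer starts without a passphrase prompt;
    # the umask above is what protects the key file instead.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -config ca.cnf -new -key server.key -subj "/C=RO/CN=$host" \
        -out server.csr

    # Sign with the CA, 60 days as on the page. CHANGED: -batch, no prompt.
    openssl ca -config ca.cnf -batch -notext -days 60 -cert ca/ca.crt \
        -keyfile ca/ca.key -passin "pass:$ca_pass" -in server.csr \
        -out server.crt 2>/dev/null

    # The two files Zope loads. The CSR is left out: it is unused at run time.
    cat server.crt server.key > server.pem
    cp ca/ca.crt ca.pem

    # What a browser with ca.crt installed checks: server.crt chains to ca.pem.
    # (grep on the output rather than the exit code: some old openssl
    # versions exit 0 even when verification fails.)
    openssl verify -CAfile ca.pem server.crt | grep -q 'server.crt: OK'
)

# show_cert FILE: subject, issuer and validity, for a quick eyeball check.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}
```

Source the file and run `make_zope_certs ebrsweb01 /path/to/Zope` (the folder containing z2s.py), then `show_cert /path/to/Zope/server.pem` to confirm the Common Name and expiry. Once ZServerSSL is up, `openssl s_client -connect ebrsweb01:443 -CAfile ca.pem` from a client that has ca.pem should end with `Verify return code: 0 (ok)`; anything else means browsers will warn too.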


Certify your server with a certified company

Generate server.key and the server signing request server.csr as above, then submit only server.csr to the company, usually by pasting it into their web form; the private key stays on your server and is never uploaded. The signed certificate they return is your server.crt, and ca.pem holds the company's CA certificate, which they publish alongside it. (I have not tested this yet.)


Finally you'll need ca.cnf, server.cnf and clean.bat:

clean.bat

rem Use it to clean and initialize
rem Warning: this deletes every key and certificate in the current folder
del *.old
del *.pem
del *.csr
del *.key
del *.crt
del .rnd
rem openssl ca keeps its record of issued certificates in index.txt; it must exist and start out empty
rem (the original wrote a comment line here, "#Nimic", Romanian for "nothing"; openssl ca skips lines starting with #)
type nul > index.txt
rem echo 01 > serial
The file serial must contain the serial number (hexadecimal, with an even number of digits) that openssl ca will give to the next certificate; openssl ca increments it after each signing.
So uncomment rem echo 01 > serial the first time you run clean.bat, and leave it commented afterwards, or you will hand out serial numbers that were already used.

ca.cnf

# This is a typical configuration.
# What really matters are the paths in [ CA_default ], the defaults in
# [ req_distinguished_name ] and the extensions in [ usr_cert ]
# (they were highlighted in the original page);
# the rest is common declarations.
#
# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#

RANDFILE		= .rnd

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= .		# Where everything is kept
certs		= $dir		# Where the issued certs are kept
crl_dir		= $dir		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir		# default place for new certs.

certificate	= $dir/cacert.pem 	   # The CA certificate
serial		= $dir/serial 		   # The current serial number
crl		= $dir/crl.pem 		   # The current CRL
private_key	= $dir/cakey.pem   # The private key
RANDFILE	= $dir/private.rnd # private random number file

#x509_extensions	= x509v3_extensions	# The extentions to add to the cert
x509_extensions	= usr_cert
default_days	= 30			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# which md to use; the original said md5, whose signatures are forgeable and which modern browsers reject (a 0.9.6 build without sha256 must fall back to sha1)
preserve	= no			# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= supplied
stateOrProvinceName	= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= supplied
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
default_bits		= 2048			# the original said 1024; RSA-1024 is no longer considered safe
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= RO
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Bucuresti

localityName			= Locality Name (eg, city)
localityName_default		= Bucuresti

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Blue Com

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= IT Internet Department

commonName			= Common Name (eg, the name of your certificate authority)
commonName_default		= Coman Ioan (Global Certificate Authority)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_default		= [email protected]
emailAddress_max		= 64

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 8
challengePassword_max		= 20

[ x509v3_extensions ]

# under ASN.1, the 0 bit would be encoded as 80
nsCertType			= 0x40

#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType




[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName


server.cnf

the same text, except for the [ req_distinguished_name ] section:

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= RO
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Bucuresti

localityName			= Locality Name (eg, city)
localityName_default		= Bucuresti

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Blue Com

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= Blue Com Romania

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= IT Internet Department

# The Common Name must be exactly the host name clients type in the URL
# (e.g., https://ebrsweb01/); browsers compare the two and warn on any mismatch.
commonName			= Common Name (eg, your server's host name)
commonName_default		= ebrsweb01
commonName_max			= 64

emailAddress			= Email Address
emailAddress_default		= [email protected]
emailAddress_max		= 40