Neocodex Technology Blog



SSL Implementation on Neocodex

Posted by ShadowLink64, in Neocodex, Store, Programming 17 December 2012 · 999 views

As mentioned in this news post, Neocodex now uses Secure Sockets Layer (SSL) to protect our users from eavesdropping attacks that may occur when using unfamiliar or insecure networks.

But how did we get it all set up?

Modern-day SSL essentially offers two benefits to the end user:
  • Security: Encrypts the traffic between client and server so that a third party cannot eavesdrop on the data.
  • Trust: Lets the end user know that the identity of the organization using SSL has been verified.
It is possible to implement the former without the latter using self-signed certificates, but we wanted both of these benefits. Because of this, we needed to be issued a certificate from a reputable Certificate Authority (CA) who could verify our identity.

First we needed to generate a private key on our server (*.key file), and then create a Certificate Signing Request (CSR) using that key. This request is then provided to the CA, and once our identity has been verified, a certificate is provided to us in the form of a *.crt file. Our identity was verified using our domain and IP information, as well as having a valid e-mail address associated with our domain. Many CAs go a step further in their background check, but we simply wanted basic assurance for our users instead of nothing at all.

So now, here's where things get a bit technical. We now needed to give our web server enough knowledge so that if anyone wants to connect to us using SSL (by having https:// in their URL bar), it can take care of all of that for us. The things we needed to provide to our web server are:
  • Neocodex's private key (*.key), and neocodex's certificate from the CA (*.crt) combined into one file with extension *.pem
  • The Certificate Authority's own certificate (ca.crt) -- you can find this publicly available on their website.
In lighttpd, this can be done with the following code (inside lighttpd.conf):

    $SERVER["socket"] == ":443" {
        ssl.engine  = "enable"
        ssl.ca-file = "/path/to/ca.crt"
        ssl.pemfile = "/path/to/neocodex.pem"
    }
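As an added example (not code from the original post), here is a shell script that walks the steps above end to end with openssl: generate the site's private key and CSR, have a CA sign it, concatenate key and certificate into the *.pem that ssl.pemfile expects, and check the result before pointing lighttpd at it. A real CA is not available offline, so a throwaway self-signed "Example Demo CA" stands in for it; the work directory, file names and the neocodex.example hostname are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: builds a throwaway CA, a site key and CSR,
# signs the CSR, and assembles the key+cert *.pem that lighttpd's ssl.pemfile expects.
# All file names, the work directory and the "Example Demo CA" are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the public CA: a self-signed root whose certificate plays the role of ca.crt.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 1 of the post: the site's private key (*.key) and a CSR made with that key.
make_key_and_csr() {
  site="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$site" \
    -keyout "$WORK/$site.key" -out "$WORK/$site.csr" 2>/dev/null
  chmod 600 "$WORK/$site.key"   # only the server process should be able to read the key
}

# Stand-in for the CA issuing the *.crt once it has verified the requester's identity.
sign_csr() {
  site="$1"
  openssl x509 -req -in "$WORK/$site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/$site.crt" 2>/dev/null
}

# Step 2: key and certificate concatenated into the single *.pem lighttpd reads.
make_pem() {
  site="$1"
  cat "$WORK/$site.key" "$WORK/$site.crt" > "$WORK/$site.pem"
  chmod 600 "$WORK/$site.pem"
}

# Pre-restart checks: the pem carries both a key and a certificate, the two belong
# together (same public key), and the certificate actually chains to ca.crt.
verify_pem() {
  site="$1"
  grep -q "PRIVATE KEY" "$WORK/$site.pem" || return 1
  grep -q "BEGIN CERTIFICATE" "$WORK/$site.pem" || return 1
  key_pub=$(openssl pkey -in "$WORK/$site.pem" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$WORK/$site.pem" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$crt_pub" ] || return 1
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$site.crt" >/dev/null 2>&1
}
```

Run verify_pem against every per-domain *.pem before it goes into a $HTTP["host"] block; a key pasted next to the wrong certificate fails the public-key comparison rather than failing at the next restart.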

Now, some complications arise when you want to enable SSL on multiple domains. We run a separate site from which we sell Neocash, and so we generated a *.pem file for that domain as well. But we need to tell lighttpd to use the correct pem file for each domain. This technique is called Server Name Indication (SNI), and is implemented in lighttpd the following way:
    $SERVER["socket"] == ":443" {
        ssl.engine  = "enable"
        ssl.ca-file = "/path/to/ca.crt"
        ssl.pemfile = "/path/to/neocodex.pem"

        $HTTP["host"] =~ "neocodex.us" {
            ssl.pemfile = "/path/to/neocodex.pem"
            ssl.ca-file = "/path/to/ca.crt"
        }

        $HTTP["host"] =~ "otherdomain.com" {
            ssl.pemfile = "/path/to/otherdomain.pem"
            ssl.ca-file = "/path/to/ca.crt"
        }
    }
Notice that we reference neocodex.pem twice -- we have to give lighttpd a default pem file to use if neither of these domains is requested, so we use neocodex's certificate if all else fails.

And that's it! After restarting lighttpd, any requests made to https://www.neocodex.us/* are encrypted using a 256-bit algorithm. :p
