[Chilli] SSL on Chili

David Bird david at coova.com
Fri Nov 20 05:30:53 UTC 2009


Indeed, the issue with hijacking SSL is that you will always get the
security violation. There is absolutely no way around this - even with
commercial certificates, you, of course, will get an SSL violation
because of the domain name mismatch. 

However, if you still want to hijack SSL (and some access controllers do
this, even with the security violation), then you can do it with chilli.
Here is how:

- Build with --with-openssl

- Run with:
      --sslkeyfile=STRING       SSL private key file in PEM format
      --sslcertfile=STRING      SSL certificate file in PEM format

David
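The hostname mismatch David describes can be reproduced without a running chilli, using only OpenSSL. The script below is an added example, not code from the Chilli list or the CoovaChilli project: it generates the PEM key and certificate pair that would be passed to chilli as --sslkeyfile/--sslcertfile, then verifies that certificate the way a client does, once for the portal's own name and once for a name the client actually requested. The hostnames hotspot.example and www.example.org are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the Chilli list or the CoovaChilli project).
# Shows why a hijacked HTTPS request always fails hostname verification,
# even when the portal certificate itself is valid.
# Assumed names: hotspot.example is the portal's own hostname,
# www.example.org is the site the client actually asked for.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create the self-signed key/cert pair chilli would be started with:
#   chilli ... --sslkeyfile="$WORKDIR/portal.key" --sslcertfile="$WORKDIR/portal.crt"
# (-addext needs OpenSSL 1.1.1 or newer.)
make_portal_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=hotspot.example" \
        -addext "subjectAltName=DNS:hotspot.example" \
        -keyout "$WORKDIR/portal.key" -out "$WORKDIR/portal.crt" \
        >/dev/null 2>&1
}

# Verify the portal certificate as a client would for the requested hostname.
# The cert is passed as its own CA so that only the name check can fail.
# Returns 0 when chain and hostname both pass, non-zero otherwise.
check_hostname() {
    openssl verify -CAfile "$WORKDIR/portal.crt" \
        -verify_hostname "$1" "$WORKDIR/portal.crt" >/dev/null 2>&1
}

# Run the two checks and print a one-line verdict for each.
demo() {
    make_portal_cert || { echo "certificate generation failed"; return 1; }
    for host in hotspot.example www.example.org; do
        if check_hostname "$host"; then
            echo "$host: accepted"
        else
            echo "$host: hostname mismatch (browser warning)"
        fi
    done
}

demo
```

The second check fails no matter who signed the certificate: a CA-issued certificate for hotspot.example removes the "untrusted issuer" warning but not the name mismatch, which is the point made above about commercial certificates.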


On Thu, 2009-11-19 at 23:56 +0100, Gergely Kiss wrote:
> Ah, sorry, I've misunderstood something... It's pointless in this case
> to buy a commercial certificate, therefore solutions 1 and 5 aren't
> solutions in this case.
> 
> 2009/11/19 Gergely Kiss <mail.gery at gmail.com>:
> > Yes, you are right. It seems to be a hard nut, but I still have some ideas:
> >
> > 1. Give the certificate to users and ask them to install it (not much
> > preferred for installations used by hundreds of subscribers).
> >
> > 2. Reject HTTPS requests and tell the users somehow that they must log
> > in to browse the web (can be printed on the login card). HTTP requests
> > can still be redirected to the login page.
> >
> > 3. Just tell the users, that it's normal if they see a warning before
> > logging in - it's not an elegant method, but for small networks, it
> > should be adequate.
> >
> > 4. Grant the browsing of HTTPS sites, but only with a limited
> > bandwidth and by displaying a message to the user that he/she should
> > log in to browse at full speed (it's a silly and overcomplicated
> > solution, isn't it?).
> >
> > 5. Buy a formally signed certificate and use it with Apache - and the
> > warning message will disappear.
> >
> > Could there be any other methods which can be taken into account? Maybe
> > a Joker solution?
> >
> > 2009/11/19 Wichert Akkerman <wichert at wiggy.net>:
> >> On 11/19/09 21:33 , Gergely Kiss wrote:
> >>>
> >>> Here is my idea: let's redirect all HTTPS requests to a HTTPS-enabled
> >>> Apache server which will then point the browser to the login screen
> >>> (HTTP) via the UrlRewrite module.
> >>
> >> The problem with this is SSL certs: every single https request will go to
> >> your server, which will not have a valid SSL cert for the requested page.
> >> Which means users will always get a nasty security warning.
> >>
> >> Wichert.
> >>
> >> _______________________________________________
> >> Chilli mailing list
> >> Chilli at coova.org
> >> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> >>
> >