Entry  22 Nov 2018, Konstantin Olchanski, Info, status of self-signed https certificates 
    Reply  30 Nov 2018, Stefan Ritt, Info, status of self-signed https certificates 
       Reply  03 Dec 2018, Konstantin Olchanski, Info, status of self-signed https certificates 
          Reply  10 Jun 2019, Konstantin Olchanski, Info, status of self-signed https certificates 
             Reply  13 Jan 2020, Konstantin Olchanski, Info, status of self-signed https certificates 
Message ID: 1410     Entry time: 22 Nov 2018     Reply to this: 1411
Author: Konstantin Olchanski 
Topic: Info 
Subject: status of self-signed https certificates 
I just happened to check the current situation with self-signed https certificates as implemented in mhttpd.

(To remember, the powers-that-be are pushing for universal use of https for all web access. The https
implementation in mhttpd at the moment can only generate self-signed certificates, so...)

plain unencrypted http:
- both Google Chrome and Firefox say "connection not secure", but connect without any fuss.
- Apple Safari does not say anything

https with self-signed certificate:
- Google Chrome goes through an "are you sure?" page, "red not secure" status in toolbar
- Firefox does the same thing, requires adding a security exception, but still shows "not secure" status in toolbar
- Apple Safari goes through a sequence of "are you sure?" pages, asks for the user password to add the self-signed certificate to the macOS key store, then marks the connection as "secure" (good)

So clearly the powers-that-be do not want us to use self-signed certificates for https (and frown on the use of unencrypted
http even for localhost connections). Properly signed certificates can be obtained from letsencrypt almost
automatically, but of course mhttpd needs to know how to use them and how to handle their automatic renewals.

I plan to update the mongoose web server library inside mhttpd and with luck I will straighten out some of this certificate business at the same time.

In the meantime, we continue to recommend that mhttpd should be used behind a password-protected https proxy (e.g. Apache httpd, etc.).

K.O.
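One way to set up the password-protected https proxy recommended above, as an added example that is not part of the original post or of the MIDAS/mhttpd code: an Apache httpd virtual host that terminates TLS with a Let's Encrypt certificate, requires a password on every path, and forwards to mhttpd on the loopback interface. The hostname daq.example.org, the mhttpd address 127.0.0.1:8080, the htpasswd file location and the ACME webroot path are assumptions for the example, not values taken from the post.

```apache
# Added example (not from the original post or from MIDAS): Apache httpd as a
# TLS-terminating, password-protected reverse proxy in front of mhttpd.
# Assumed: mhttpd listens on 127.0.0.1:8080 only; hostname daq.example.org is a
# placeholder. Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_alias,
# mod_auth_basic, mod_authn_file and mod_authz_core.

# Port 80 serves nothing except the ACME http-01 challenge path (so certbot can
# renew the certificate unattended); everything else is redirected to https.
<VirtualHost *:80>
    ServerName daq.example.org
    # Assumed certbot webroot; e.g. certbot certonly --webroot -w /var/www/letsencrypt -d daq.example.org
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Require all granted
    </Directory>
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)$" "https://daq.example.org/$1"
</VirtualHost>

<VirtualHost *:443>
    ServerName daq.example.org

    SSLEngine on
    # certbot keeps the current chain and key under these paths and replaces
    # them on renewal. The chain ends at a CA the browsers already trust, so
    # there is no "are you sure?" page and no per-user security exception.
    SSLCertificateFile    /etc/letsencrypt/live/daq.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/daq.example.org/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Ask browsers to stop trying plain http for this host.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Every request is authenticated before it is forwarded to mhttpd.
    # Basic auth is only acceptable because TLS wraps it end to end.
    <Location "/">
        AuthType Basic
        AuthName "MIDAS"
        # Assumed location; create with: htpasswd -c /etc/httpd/mhttpd.htpasswd <user>
        AuthUserFile /etc/httpd/mhttpd.htpasswd
        Require valid-user
    </Location>

    # Forward to mhttpd over loopback only. mhttpd's own (unencrypted or
    # self-signed) listener must not be reachable from outside the host.
    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Two points a practitioner will want to check after enabling this: that mhttpd is really bound to 127.0.0.1 (otherwise the proxy's password prompt can simply be bypassed by connecting to port 8080 directly), and that renewal reloads httpd so the new chain is actually served, for example with `certbot renew --deploy-hook "systemctl reload httpd"`.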