Fix 1148 add native node https support #1202
Conversation
The patch is "compatible". I mean, when not changing anything, the EPL runs in non-SSL mode as before, as requested by John.
Looks good to me, needs further testing, good job :)
Yep. Everything works with https:// ->>> except the Timeslider. Can you test that, please? It now returns a BLANK page. Perhaps we are close to finding the reason now.... Timeslider mega problem, see #1077
Just thinking about how we handle passphrases?
"key" : "c:\temp\wiki\etherpad-lite\ep.key", as a path doesn't work
Generating the keys with puttygen doesn't work, can we document the correct steps in puttygen to generate good-to-use SSL keys?
You need useful debug messages if a user puts in a bad path/key
is not good enough |
OK, will do so!
I can't test timeslider until we have good docs on how to deploy, so this one is back at ya @Wikinaut, let me know once you are good for me to continue
PuTTYgen and OpenSSL are not 100% compatible for generating server keys. This is a well known problem and has nothing to do with the present patch. Give me time... to document
@johnyma22 you wrote "I can't test timeslider until we have good docs..." As mentioned 1000 times, p l e a s e visit your own pad http://beta.primarypad.com/p/test/timeslider where you will certainly notice that it does not work as expected.
@johnyma22 OpenSSH under Linux cannot read ppk files generated by PuTTY under Windows.... Use these instructions to generate and sign server keys, one of the best descriptions on the web: "Creating Certificate Authorities and self-signed SSL certificates" http://web.archive.org/web/20110704035103/http://www.tc.umn.edu/~brams006/selfsign.html I just contacted the author for his express permission to re-use his description.
@johnyma22 > You need useful debug messages if a user puts in a bad path/key
Not my task, SSL works now for me, and I presented the fine basic code in my pull request; the fine tuning of error messages can be done by others, respectfully stated (*). Running an Apache2 with wrong keys, you will also find strange, misleading error messages, which nobody at the Apache Foundation has fixed in the last 20 years. (*) I am not yet in a position to be able to supply perfect code for error conditions like the one you have encountered (lack of knowledge, sorry). If you can add some error robustness to the crypto.js calls, I will very much appreciate this.
@Wikinaut As mentioned 1000 times, you still haven't provided steps to replicate the bug. You just keep providing a URL that we know is broken. Plus this has nothing to do with this pull request, so let's keep things on topic.
@Wikinaut okay, bump me when docs are ready :) thanks.
Also, RE useful debug: this won't be merged until it's clear to users how to set this up, even if the debug help is provided in a wiki "how to set up native SSL support" or whatever you create, that would be okay enough to see it merged. It's really important that people can get past any barriers that SSL may introduce :) Cheers
@johnyma22 Regarding this
.... isn't that an issue to be reported to the people responsible for "fs.readFileSync( filename )", which apparently ignores the operating-system-specific path separators? I thought that filenames and paths are handled transparently for the user, system-independently. Will investigate why it isn't.
@johnyma22
John, SSL is a web standard. Every admin knows. Why should we duplicate information which is available on the net, especially as it is NOT the EPL default, as requested by you. Honestly, to explain here in the EPL context how SSL works and how keys are to be generated goes beyond the scope of my work and litters the EPL pages with unneeded information. But to please you, I will set up a new "ether" wiki page
How to configure nginx or varnish is available on the net too, but it is useful to collect all related configuration in the wiki. I think it is the same case. Often, features are not used because the newbie user does not find good documentation. And this is a pity. 👍 new wiki page!
Is openssl.exe available by default in Windows?
The wiki page needs a big warning saying "DO NOT COPY/PASTE THESE STEPS AS IT WON'T WORK"
@Wikinaut Works great and timeslider is fine -- Good job :) Once my final concerns have been addressed this will be good to merge. Today or tomorrow I expect
I just want to add this here:
I inspected the connection and the generated page code. The problem stems from the fact that ep_tables fetches these resources via http
In my view this should not currently prevent you from pulling my current patch. (updated)
As a consequence of the previous comment, a secure EPL setup demands that all required resources and frameworks also come via https.
Also saw that with ep_sketchspace; (was using EPL behind a stunnel/nginx combo to have "working" SSL)
I could fix the problem! Solution is: use protocol-independent URLs "//" everywhere. MediaWiki has gone to this in the last year, and all URLs have been replaced by "//". The procedure is explained for example here: http://stackoverflow.com/a/550164 "Is it valid to replace http:// with // in a script src=“http://…”?" [updated]
A good trick to solve this problem is to let the browser choose the proper protocol. For example, to load jquery from the Google CDN you can use: <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script> In an SSL connection the browser goes to https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js, and in a standard connection to http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js
mid-air collision!
we are synchronized @Wikinaut :)
@joker-x thanks. I also found this, and documented it, and added as a proof of concept my recent fork of ep_tables where I successfully applied the protocol-independent URL method. ty
[updated]
Using these protocol-independent URLs we can remove a few JavaScript protocol-check lines :D
I was right - but wrong with my proof of concept, because the yahoo server does not deliver content when requested via https://. Important: Of course keep in mind that the protocol-independent URL only works if the resource servers actually deliver their contents over http:// and also over https://.
I can now officially confirm that "it" works. "it" means: when copying and unzipping http://yuilibrary.com/downloads/yui2/yui_2.9.0.zip to a server which delivers the stuff via https: (I used a non-Node server, running Apache), the protocol-independent URLs in my ep_tables fork https://github.com/Wikinaut/ep_tables/commit/c65c05924cbac89aa06e7ccbd2f92e76e2708a43 do work, and the ep_tables plugin in my SSL-EPL does work.
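The protocol-independent URL approach from the comments above (the `//host/...` form that lets the browser pick the page's own scheme), together with the caveat that it only helps when the resource host actually answers on both http:// and https://, as an added JavaScript example that is not part of this pull request, of ep_tables or of MediaWiki. It provides a helper that lists the http:// resources an https page would load as mixed content, and a rewriter that turns `src`/`href` URLs into `//host/...` form only for hosts on a caller-supplied list known to serve https, reporting the rest instead of silently breaking them the way the yahoo server did. The sample HTML and the `cdn.example.com` host are constructed for the example.

```javascript
// Added example, not code from this pull request, ep_tables or MediaWiki.
// Makes plugin resource URLs protocol-independent so an https:// page does not
// pull scripts over http://, while respecting the caveat from the thread that
// "//host/..." only works if that host serves both http and https.

// src="..." / href='...' attributes; the backreference matches the same quote.
const ATTR_RE = /\b(src|href)=(["'])(.*?)\2/gi;

// "http://host/x.js" -> "//host/x.js"; https:// is treated the same way,
// relative URLs are returned unchanged.
function toProtocolRelative(url) {
  return url.replace(/^https?:\/\//i, '//');
}

// What the browser actually fetches for a URL found in a page loaded over pageProtocol.
function resolveResource(url, pageProtocol) {
  return /^\/\//.test(url) ? `${pageProtocol}${url}` : url;
}

// http:// resources an https:// page would load as mixed content (the "blank
// page" / broken plugin symptom). On an http:// page nothing is mixed content.
function findMixedContent(html, pageProtocol) {
  const hits = [];
  if (pageProtocol !== 'https:') return hits;
  for (const m of html.matchAll(ATTR_RE)) {
    if (/^http:\/\//i.test(m[3])) hits.push(m[3]);
  }
  return hits;
}

// Rewrite http:// URLs in src/href to "//" form, but only for hosts in
// httpsCapableHosts (a Set supplied by the caller); hosts that are not known to
// answer on https:// are left alone and reported in `skipped`, because a "//"
// URL to such a host would fail on an https:// page.
function rewriteResourceUrls(html, httpsCapableHosts) {
  const skipped = [];
  const out = html.replace(ATTR_RE, (whole, attr, quote, url) => {
    const m = /^http:\/\/([^/]+)/i.exec(url);
    if (!m) return whole;
    const host = m[1].toLowerCase();
    if (!httpsCapableHosts.has(host)) {
      skipped.push(url);
      return whole;
    }
    return `${attr}=${quote}${toProtocolRelative(url)}${quote}`;
  });
  return { html: out, skipped };
}

module.exports = { toProtocolRelative, resolveResource, findMixedContent, rewriteResourceUrls };
```

The allow-list is the practical form of the caveat in the thread: before switching a plugin's URLs to `//`, confirm each host over https:// (for example by fetching one resource), then put it on the list; anything still reported as skipped either needs a local copy served by the EPL host itself, which is what the final test above did with yui, or a different CDN.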
/me is confused why we need yui, am I missing something?
@johnyma22 we do NOT need it. ep_tables needs it and loads it. I discovered the "break out SSL" when having ep_tables activated. Now everything is clear and safe. Let me know if you need more details (I wanted to be short). I installed yui locally ONLY for the final test.
I installed yui locally only for my test. Everything is clear. You can "pull"
…-support Fix 1148 add native node https support
May be a small step for epl but a giant leap for mankind. Very kind. ty
Fix for issue #1148.