Opened 22 months ago

Last modified 12 months ago

#2160 accepted enhancement

HTTPS Console enabled by default

Reported by: zzz Owned by: zzz
Priority: minor Milestone: 0.9.39
Component: apps/console Version: 0.9.33
Keywords: Cc:
Parent Tickets: Sensitive: no

Description

Browsers are going to start complaining soon.

Subtickets

Change History (12)

comment:1 Changed 22 months ago by zzz

Milestone: undecided0.9.34
Owner: changed from str4d to zzz
Status: newaccepted

comment:2 Changed 22 months ago by zzz

Changed the SSL cert cname from "[random string].console.i2p.net" to "localhost" in d604e9f76ad4655c1fca64dd72bd5571da4d155e
Added IP addresses to SSL cert SAN in 90f517d3562eef69ca63e8e4007cd7562d11e3e9
Both to be 0.9.33-8

comment:3 Changed 22 months ago by zzz

Cc: str4d added

This is going to be really ugly. As bad as the browser complaints are about HTTP, they are even worse about a selfsigned HTTPS cert.

IE shows the whole address bar in red, with "certificate error", and says "install this certificate in the Trusted Root Certification Authorities store". It claims CertMgr? is a CLI tool to do that https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/certmgr but it only pops up a GUI. This SO article https://stackoverflow.com/questions/13165665/how-do-you-use-certmgr-to-add-a-certificate-to-trusted-publishers-in-excel says use certutil which seems like it would work. Of course you need admin privs for either.

Some startup wizard may be required to let users choose HTTP or HTTPS and explain the browser warnings that will result from either choice. Would also be a good place to let them choose their browser. See #1473

We can start the SSL console by default but actually using it as the default - including redirecting HTTP to HTTPS, may be problematic without a wizard. Especially on Windows.

I will continue working on the underlying support for .34 but not clear we can roll this out completely.

Need comments and participation by @str4d please.

comment:4 Changed 22 months ago by zzz

Added redirect to HTTPS if available. Changed preferred console link to HTTPS if available. In 85c4c530691c26759d82792f3c87c190d9b8a4f7 0.9.33-8.

This is all I'm doing for .34. This will only have effect if an HTTPS console is already running, which is not the default.

To actually start an HTTPS console by default, we only need to change clients.config (for new installs) or do some default-changing in RCR for existing installs. That will have to await the wizard, str4d participation, or both.

comment:5 Changed 22 months ago by Reportage

To make it easier to transition to an https console, adding a UI configuration option to toggle the setting would be helpful, perhaps via an entry on /configclients.

comment:6 Changed 22 months ago by zzz

For the record, for now, if you have routerconsole.advanced=true already, you can edit items on /configclients, you would change

net.i2p.router.web.RouterConsoleRunner? 7657 ::1,127.0.0.1 ./webapps/

to

net.i2p.router.web.RouterConsoleRunner? 7657 ::1,127.0.0.1 -s 7667 ::1,127.0.0.1 ./webapps/

and restart.

If you don't have routerconsole.advanced set, you would edit ~/.i2p/clients.config to make the same change, and restart.

I may also post this info on zzz.i2p to get wider testing.

As for adding a config option to make it easier? Maybe, but probably not.

comment:7 Changed 22 months ago by zzz

Milestone: 0.9.340.9.35

re: Windows (comment 3)

Playing with Windows certmgr. Added the selfsigned cert to the "Trusted Root Certificate Authorities" for "Current User" via the certmgr gui. Not sure if that required some admin privs or not but it's only for "current user". After that, and restarting IE, the address bar isn't red any more.

I also added a policy extension to our certs, but still can't get the "Issuer Statement" box to be enabled. Perhaps because it's a CA and CA's shouldn't have policy extensions, or maybe I encoded something wrong, but certtool -i is happy with it.

The problem with putting our cert in the trust store is we retain the password for it and store it in the config file. So if that leaks then anybody can spoof a website. It would be mcuh more secure if we did the selfsigned CA, then signed the (non-CA) console cert, then threw out the CA password and stored only the console cert password for Jetty. Jetty would have to serve up both certs in the chain. This would be significant added complexity. For now, it doesn't seem like a good idea to add our cert to certmgr.

comment:8 Changed 20 months ago by zzz

Cc: str4d removed

Having trouble with forms in the SSL console, getting nonce errors, which means the session cookies are getting lost. Not sure why and may not be fixed in time for 35.

comment:9 Changed 18 months ago by zzz

Milestone: 0.9.350.9.36

Pushing out, still having nonce/session errors.

comment:11 Changed 16 months ago by zzz

Milestone: 0.9.360.9.37

comment:12 Changed 12 months ago by zzz

Milestone: 0.9.370.9.39

Cookie issues may be related to this: https://github.com/eclipse/jetty.project/issues/3173
Have to check for any remaining http links that are getting redirected and invalidating nonces along the way.

Note: See TracTickets for help on using tickets.