From 5d8e6734c305844098157454667c36244737dddf Mon Sep 17 00:00:00 2001
From: Arthur Britto
Date: Sun, 20 Jan 2013 14:42:08 -0800
Subject: [PATCH] Split websocket ssl settings for public and private.

---
 rippled-example.cfg | 15 +++++++++++++++
 src/cpp/ripple/Config.cpp | 5 +++++
 src/cpp/ripple/Config.h | 1 +
 src/cpp/ripple/WSDoor.cpp | 2 +-
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/rippled-example.cfg b/rippled-example.cfg
index 9c3f12a86..9b60178d7 100644
--- a/rippled-example.cfg
+++ b/rippled-example.cfg
@@ -157,6 +157,16 @@
 # this option will go away and the peer_ip will accept websocket client
 # connections.
 #
+# [websocket_public_secure]
+# 0 or 1.
+# 0: Provide ws service for websocket_public_ip/websocket_public_port.
+# 1: Provide wss service for websocket_public_ip/websocket_public_port. [default]
+#
+# Browser pages like the Ripple client will not be able to connect to a secure
+# websocket connection if a self-signed certificate is used. As the Ripple
+# reference client currently shares secrets with its server, this should be
+# enabled.
+#
 # [websocket_ip]:
 # IP address or domain to bind to allow trusted ADMIN connections from backend
 # applications.
@@ -167,6 +177,11 @@
 # [websocket_port]:
 # Port to bind to allow trusted ADMIN connections from backend applications.
 #
+# [websocket_secure]
+# 0 or 1.
+# 0: Provide ws service for websocket_ip/websocket_port. [default]
+# 1: Provide wss service for websocket_ip/websocket_port.
+#
 # [websocket_ssl_key]:
 # Specify the filename holding the SSL key in PEM format.
 #
diff --git a/src/cpp/ripple/Config.cpp b/src/cpp/ripple/Config.cpp
index 66625cd26..e0215c302 100644
--- a/src/cpp/ripple/Config.cpp
+++ b/src/cpp/ripple/Config.cpp
@@ -49,6 +49,7 @@
 #define SECTION_VALIDATION_SEED "validation_seed"
 #define SECTION_WEBSOCKET_PUBLIC_IP "websocket_public_ip"
 #define SECTION_WEBSOCKET_PUBLIC_PORT "websocket_public_port"
+#define SECTION_WEBSOCKET_PUBLIC_SECURE "websocket_public_secure"
 #define SECTION_WEBSOCKET_IP "websocket_ip"
 #define SECTION_WEBSOCKET_PORT "websocket_port"
 #define SECTION_WEBSOCKET_SECURE "websocket_secure"
@@ -177,6 +178,7 @@ Config::Config()
 RPC_PORT = 5001;
 WEBSOCKET_PORT = SYSTEM_WEBSOCKET_PORT;
 WEBSOCKET_PUBLIC_PORT = SYSTEM_WEBSOCKET_PUBLIC_PORT;
+ WEBSOCKET_PUBLIC_SECURE = true;
 WEBSOCKET_SECURE = false;
 NUMBER_CONNECTIONS = 30;
@@ -334,6 +336,9 @@ void Config::load()
 if (sectionSingleB(secConfig, SECTION_WEBSOCKET_SECURE, strTemp))
 WEBSOCKET_SECURE = boost::lexical_cast(strTemp);
+ if (sectionSingleB(secConfig, SECTION_WEBSOCKET_PUBLIC_SECURE, strTemp))
+ WEBSOCKET_PUBLIC_SECURE = boost::lexical_cast(strTemp);
+
 sectionSingleB(secConfig, SECTION_WEBSOCKET_SSL_CERT, WEBSOCKET_SSL_CERT);
 sectionSingleB(secConfig, SECTION_WEBSOCKET_SSL_CHAIN, WEBSOCKET_SSL_CHAIN);
 sectionSingleB(secConfig, SECTION_WEBSOCKET_SSL_KEY, WEBSOCKET_SSL_KEY);
diff --git a/src/cpp/ripple/Config.h b/src/cpp/ripple/Config.h
index e67200fb8..1bc8e54d1 100644
--- a/src/cpp/ripple/Config.h
+++ b/src/cpp/ripple/Config.h
@@ -101,6 +101,7 @@ public:
 // Websocket networking parameters
 std::string WEBSOCKET_PUBLIC_IP; // XXX Going away. Merge with the inbound peer connction.
 int WEBSOCKET_PUBLIC_PORT;
+ bool WEBSOCKET_PUBLIC_SECURE;
 std::string WEBSOCKET_IP;
 int WEBSOCKET_PORT;
diff --git a/src/cpp/ripple/WSDoor.cpp b/src/cpp/ripple/WSDoor.cpp
index 1075c5996..961ec3f3c 100644
--- a/src/cpp/ripple/WSDoor.cpp
+++ b/src/cpp/ripple/WSDoor.cpp
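Review bot: The new `boost::lexical_cast` of the `websocket_public_secure` value in the third Config.cpp hunk (the `WEBSOCKET_PUBLIC_SECURE = boost::lexical_cast(strTemp);` line, whose template argument appears to have been lost in rendering) presumably throws `boost::bad_lexical_cast` out of `Config::load()` for anything other than the documented `0`/`1`, such as `true`, exactly like the existing `websocket_secure` parse it copies; a typo in the operator's config then surfaces as an uncaught conversion error instead of a message naming the section. Wrapping both parses so the failure reports `SECTION_WEBSOCKET_PUBLIC_SECURE` / `SECTION_WEBSOCKET_SECURE` would make the misconfiguration obvious. Because the constructor hunk now defaults `WEBSOCKET_PUBLIC_SECURE` to true, it would also be worth checking in load() that `WEBSOCKET_SSL_KEY` and `WEBSOCKET_SSL_CERT` are set whenever either secure flag is on, so an operator who never configured certificates hears about it here rather than when the public door starts; I cannot tell from this hunk whether such a check exists elsewhere in load(). Config::load() continues outside the hunk.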
@@ -59,7 +59,7 @@ void WSDoor::startListening()
 SSL_CTX_set_tmp_dh_callback(mCtx->native_handle(), handleTmpDh);
- if (theConfig.WEBSOCKET_SECURE)
+ if (mPublic ? theConfig.WEBSOCKET_PUBLIC_SECURE : theConfig.WEBSOCKET_SECURE)
 {
 // Construct a single handler for all requests.
 websocketpp::server_tls::handler::ptr handler(new WSServerHandler(mCtx, mPublic));
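Review bot: The ternary embedded in the replaced `if` line hides which of the two settings governs this door; hoisting it into a named local reads better and gives the rest of startListening() a single flag to branch on or log, e.g. `const bool bSecure = mPublic ? theConfig.WEBSOCKET_PUBLIC_SECURE : theConfig.WEBSOCKET_SECURE;` followed by `if (bSecure)`. The `SSL_CTX_set_tmp_dh_callback(mCtx->native_handle(), handleTmpDh);` context line above runs regardless of that choice, so as far as this hunk shows the TLS context is prepared even when the door ends up serving plain ws; a short comment stating that this is intentional would save the next reader from wondering whether the non-secure path skips it. WSDoor::startListening() continues outside the hunk, so the non-secure branch is not visible here.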