#1 2023-02-09 17:01:48

suoke
Member
Registered: 2023-02-09
Posts: 8
Website

How to convert the SSL configuration file in NGINX mode to ...

How to convert the SSL configuration file in NGINX mode to the mORMot2-master\ex\ThirdPartyDemos\tbo\05-WebMustache?


NGINX SSL LIKE
www.domainname.com.crt
www.domainname.com.key

    server {
        listen       50808;
        server_name  www.domainname.com;

        ssl on;
        ssl_certificate ./www.domainname.com.crt;
        ssl_certificate_key ./www.domainname.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
       
        index index.html index.htm index.php; 
        error_page  405     =200 $uri;
        location / {
            add_header Access-Control-Allow-Origin *;
        }

    }

Offline

#2 2023-02-09 17:48:37

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,235
Website

Re: How to convert the SSL configuration file in NGINX mode to ...

You need to use OpenSSL to have full access to the mORMot server TLS layer.
Our SChannel/Windows API layer is very limited... because SChannel is more limited and more complex than OpenSSL for our purpose.

Then you can specify the needed parameters in the TNetTlsContext you supply to the mORMot HTTP server.
For instance, if you really need TLS1.0 and TLS1.1 - but they are unsafe and should be avoided - you can set AllowDeprecatedTls := true.
With a recent OpenSSL, you will have TLS 1.2 and TLS 1.3 available for mORMot.
Or you can change the certificate depending on the server/host name set during TLS negotiation via OnAcceptServerName.
See TOpenSslNetTls.SetupCtx() for how the OpenSSL TLS context is initialized from TNetTlsContext fields.

You can even do a lot more than NGINX, like calling some code callback to validate each certificate if needed...

Offline
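
A minimal server applying the advice above to the nginx file from the first post, carrying over the certificate, key, cipher string and CORS header. This is an added example, not part of the thread and not mORMot's own demo code: `CertificateFile`, `PrivateKeyFile`, `CipherList`, `hsoEnableTls` and `WaitStarted` are assumed from the mORMot 2 units `mormot.net.sock` and `mormot.net.server` and should be checked against your checkout, the `USE_OPENSSL` build setting is likewise an assumption, and `TDemo` is a hypothetical handler class.

```pascal
program TlsFromNginx;

{$I mormot.defines.inc}
{$ifdef OSWINDOWS} {$apptype console} {$endif}

uses
  {$I mormot.uses.inc}
  mormot.core.base,
  mormot.net.sock,      // TNetTlsContext
  mormot.net.http,      // THttpServerRequestAbstract
  mormot.net.server,    // THttpServer
  mormot.lib.openssl11; // OpenSSL TLS layer (assumes a USE_OPENSSL build)

type
  TDemo = class // hypothetical request handler for this example
    function OnRequest(Ctxt: THttpServerRequestAbstract): cardinal;
  end;

function TDemo.OnRequest(Ctxt: THttpServerRequestAbstract): cardinal;
begin
  Ctxt.OutContent := 'served over TLS';
  Ctxt.OutContentType := 'text/plain';
  Ctxt.OutCustomHeaders := 'Access-Control-Allow-Origin: *'; // nginx add_header
  result := 200;
end;

var
  tls: TNetTlsContext; // global record, so every field starts empty/false
  demo: TDemo;
  server: THttpServer;
begin
  tls.CertificateFile := 'www.domainname.com.crt'; // ssl_certificate
  tls.PrivateKeyFile := 'www.domainname.com.key';  // ssl_certificate_key
  // ssl_ciphers: same OpenSSL cipher string as in the nginx file
  tls.CipherList := 'ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE';
  // ssl_protocols listed TLSv1 and TLSv1.1: keep them off, TLS 1.2/1.3 remain
  tls.AllowDeprecatedTls := false;
  demo := TDemo.Create;
  server := THttpServer.Create('50808', nil, nil, 'tlsdemo', 4, 30000,
    [hsoEnableTls]);
  try
    server.OnRequest := demo.OnRequest;
    server.WaitStarted(10, @tls); // start listening with this TLS context
    writeln('https://www.domainname.com:50808/ - press [Enter] to quit');
    readln;
  finally
    server.Free;
    demo.Free;
  end;
end.
```

`ssl_session_timeout` and `ssl_prefer_server_ciphers` are not mapped here; `TOpenSslNetTls.SetupCtx()` is the place to check which of those the OpenSSL context sets on its own.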

#3 2023-02-09 18:00:43

suoke
Member
Registered: 2023-02-09
Posts: 8
Website

Re: How to convert the SSL configuration file in NGINX mode to ...

Thank you very much!
It is recommended that you create a DEMO in your spare time that can implement SSL like NGINX. Users only need to reference *.crt and *.key~

Offline
