chilipeppr / serial-port-json-server

Serial Port JSON Server is a websocket server for your serial devices. It compiles to a binary for Windows, Mac, Linux, Raspberry Pi, or BeagleBone Black that lets you communicate with your serial port from a web application. This enables web apps to be written that can communicate with your local serial device such as an Arduino, CNC controller, or any device that communicates over the serial port.
http://chilipeppr.com
GNU General Public License v2.0

add implicit https support and sample files #9

Closed stewartoallen closed 8 years ago

stewartoallen commented 8 years ago

add implicit https support when a valid tls certificate and key are supplied

add sample cert and key files that can simply be renamed for local testing

stewartoallen commented 8 years ago

TLS/HTTPS support is required when either chilipeppr.com is framed in a secure site or an SPJS server needs to be reached from a secure site. My workaround has been to run stunnel in front of SPJS (fine on mac/linux), but this is a huge challenge for Windows users. Integrating native https support alleviates this problem and allows for SPJS to be the only app required.

chilipeppr commented 8 years ago

This is a spectacular pull request. Wow! I can't wait to test it out. We all thank you graciously.

ghost commented 8 years ago

Yay, now I'll feel less queasy about the shell access too (;

stewartoallen commented 8 years ago

I was going to get fancy and have it generate its own self-signed certs. lmk if you think that's a good cmd-line option for the future.

ghost commented 8 years ago

Integrate some letsencrypt.org (;

stewartoallen commented 8 years ago

sure! at least that's a great link to add in the docs. cert/key gen has always been problematic for end users.

raykholo commented 8 years ago

I must be dreaming. Phenomenal.

mikejac commented 8 years ago

Security is a bitch! :-)

1) If possible, the HTTPS-server should be forced to accept only TLS v. 1.2 and up. Previous versions are not considered safe anymore.

2) The certificate on SPJS. The sample-cert provided will only work if CP connects to 'localhost'. If you connect by ip-address it will not work.

Haven't tried, but my guess is that Chrome will tell you that the sample-cert is "dangerous" (self-signed)?

IMHO, only "real" certs are good enough - we don't want to get used to simply accepting "dangerous" certificates.

So I'll second Peter's idea of integrating letsencrypt.org certs into SPJS. Certificates from letsencrypt.org only have a lifespan of 3 months. On to studying how their scripts work and recreating that functionality in SPJS...

/michael
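
Added example (not code from this pull request or from SPJS) covering two points raised in this thread: generating a self-signed certificate, and mikejac's notes on requiring TLS 1.2 and on a certificate that only matches 'localhost'. The helper name `localTLSConfig` and the address 192.168.1.50 are assumptions made up for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// localTLSConfig (hypothetical helper): self-signed cert with a SAN per host, server config requiring TLS 1.2+.
func localTLSConfig(hosts ...string) (*tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, h := range hosts { // IP addresses and DNS names live in separate SAN lists
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der) // parsed copy, kept for hostname checks
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, err
}

func main() {
	cfg, err := localTLSConfig("localhost") // constructed: a localhost-only cert
	if err != nil {
		panic(err)
	}
	fmt.Println(cfg.Certificates[0].Leaf.VerifyHostname("192.168.1.50")) // non-nil error
}
```

Passing the LAN address as a second argument, `localTLSConfig("localhost", "192.168.1.50")`, puts it in the certificate's IP SAN list and the same check returns nil.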

mikejac commented 8 years ago

This seems to be a place to start (letsencrypt + ACME Protocol + go):

https://github.com/riobard/go-acme

/michael

ghost commented 8 years ago

The fact that they are auto scriptable makes it a big win... Let spjs do the lifting for the user

stewartoallen commented 8 years ago

I suspect that a lot of these installations are on local networks. Real certificates may not apply. I know that that applies to my use case and that of my local maker space. As long as the security details are documented, I firmly believe these choices should be in the hands of the users. For me, the driver is being able to reach SPJS from within a secure frame inside Onshape in order to drive a network attached mill. My workaround has been to put stunnel in front of SPJS. This is one less shim in the connectivity layer. I guess my appeal is to not let the perfect get in the way of the good: add the scriptable bits and other integration later. It works now if you have a cert/key, and that's good enough to be helpful to a lot of folks.

chilipeppr commented 8 years ago

My goal too is simply to have HTTPS so I can load a secure websocket so we can do WebRTC and other items that require SSL. Not having a wss:// websocket connection has been a problem. Since 99% of folks run SPJS on a local network I don't think we need real certificates, however it is annoying to have to tell the browser to trust the certificate each time. So, real certs would be nice.
