Saturday, January 1, 2011

Mongrel2 and SSL

Mongrel2 supports SSL. Well, actually TLS, to be exact. To run it you need a version with the small fix that disables the default built-in key during axTLS' SSL context initialization.

There are two steps to get your server to support TLS-encrypted connections:

1) edit the config file

main = Server(
. . . [snip]

servers = [main]

settings = {
"f400bf85-4538-4f7a-8908-67e313d515c2.use_ssl": 1,
"certdir": "./certs/"
}

Needless to say, plaintext connections will no longer work on this server entry.

2) generate the private key and obtain a certificate

This is something that is widely covered on the Net. If you want to install a self-signed cert for testing, there is a good doc that describes how to do it.

The key mongrel2-specific part here is that the private key file is named <Server-UUID>.key, and the certificate is in the file <Server-UUID>.crt

(note: a "private" key is called private for a reason. You do not want anyone except the mongrel2 to be able to read it. So, mind your permissions).
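
The naming and permission rules above can be checked mechanically before the server is started. The following is an added example, not code from this post or from the Mongrel2 project: it assumes the openssl command-line tool is installed, and the function names make_test_cert and check_cert_pair are made up for illustration. It does not check whether the TLS library in your Mongrel2 build accepts the PEM encoding that your openssl version writes.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI.
# File names follow the post: <certdir>/<Server-UUID>.key and
# <certdir>/<Server-UUID>.crt. Function names are hypothetical.

# make_test_cert CERTDIR UUID: create a self-signed key/cert pair for testing.
make_test_cert() {
    certdir=$1 uuid=$2
    mkdir -p "$certdir" || return 1
    (
        umask 077   # the key is owner-only from the moment it is created
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=localhost" \
            -keyout "$certdir/$uuid.key" \
            -out "$certdir/$uuid.crt" >/dev/null 2>&1
    ) || return 1
    chmod 600 "$certdir/$uuid.key" && chmod 644 "$certdir/$uuid.crt"
}

# check_cert_pair CERTDIR UUID: return 0 only if both files exist, the key has
# no group/other permission bits, and the certificate belongs to that key.
check_cert_pair() {
    key="$1/$2.key" crt="$1/$2.crt"
    if [ ! -f "$key" ] || [ ! -f "$crt" ]; then
        echo "missing $key or $crt" >&2
        return 1
    fi
    # Columns 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$key is accessible to group/other" >&2
        return 1
    fi
    # The public key derived from the private key must equal the one in the cert.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "$crt was not issued for $key" >&2
        return 1
    fi
    return 0
}

# Usage with the UUID and certdir from the config above:
#   make_test_cert ./certs f400bf85-4538-4f7a-8908-67e313d515c2
#   check_cert_pair ./certs f400bf85-4538-4f7a-8908-67e313d515c2
```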

For the lazy

I've added a sample static SSL site as well to the Mongrel2 Hacking In a Box repository.
It has a canned config, also a pre-generated dummy key and cert, as well as a script to regenerate them.

Happy hacking!


If you are trying with chrom(e|ium), chances are that it would not work correctly - at least it did not work for me. Seems like it is a bug in the built-in SSL library which does not want to do TLS1.0, only SSL3.0. To cure this, you need to launch the chrom(e|ium) so that it uses the system SSL library:

$ chromium-browser --use-system-ssl

Notably, I did not always experience this failure - the problem is not reproducible enough to debug it for now. If you find anything - let me know.