Add SSL support to rawsocket subsystem #36

Open
VinnyOG opened this issue Mar 9, 2016 · 10 comments
@VinnyOG

VinnyOG commented Mar 9, 2016

Hello!

I am building a small network for little devices to talk to each other. I love your project so far but it needs SSL support to be used in a production environment. When will you implement this?

Thanks!
Pawel

@davidchappelle
Collaborator

@VinnyOG We currently do not have a use case for SSL which is why it is currently not supported. However, in taking a look at the existing code in `src/bonefish/rawsocket/`, I think it should be fairly simple to add `ssl_listener.{hpp,cpp}` based on `boost::asio::ssl`. This listener could be used in conjunction with the existing rawsocket server. The following examples should make this a fairly straightforward task:

http://www.boost.org/doc/libs/1_40_0/doc/html/boost_asio/example/ssl/server.cpp
https://github.com/AdamMagaluk/asio-ssl-mutual-auth

@VinnyOG
Author

VinnyOG commented Mar 9, 2016

@davidchappelle Thanks for the reply!
My thoughts exactly,
If I were to make a sound implementation would you guys be open to a pull request?

@davidchappelle
Collaborator

We would definitely be open to a pull request. It doesn't look like you will but, if you run into any fundamental changes to the existing API, we should discuss. Also, please try and stick with the coding style that is currently in use. Hopefully that is fairly clear from the existing code :)

@davidchappelle
Collaborator

@VinnyOG Just out of curiosity, which WAMP client are you using?

@davidchappelle changed the title from "SSL Support" to "Add SSL support to rawsocket subsystem" on Mar 9, 2016

@VinnyOG
Author

VinnyOG commented Mar 9, 2016

No worries, I'll stick to the convention the best I can.
I'm using autobahn|cpp for Linux clients and MDWamp for iOS.
I'll keep you posted on progress :)

@DZabavchik

@VinnyOG, have you tried putting server behind SSL reverse proxy? Like AWS ELB, NGinx, HA

@VinnyOG
Author

VinnyOG commented Mar 10, 2016

@DZabavchik I like having applications more self contained so I didn't even consider that. Is it a common setup in the production environments you've worked in? I also think it would be much nicer to implement SSL as its own thing here than jump through extra hoops to get it working via an external program.

@DZabavchik

Correct. It is always more secure and faster not to have the application server deal with encryption, especially when you can delegate it to a machine with hardware-assisted cryptography (HSM module). You save a lot of CPU cycles on the application server when it doesn't have to deal with asymmetric cryptography. Try it out; if you use AWS it takes 3 minutes to set up an Elastic Load Balancer. (For websockets do not set up HTTPS -> HTTP; instead configure as SSL/TLS 443 -> TCP 8080 (or whatever port your application is listening on).) Another advantage is that you don't have to run as root, because you don't have to use ports < 1024.

@davidchappelle
Collaborator

Another option is to just deploy your own nginx instance:

https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-termination/

@VinnyOG
Author

VinnyOG commented Mar 10, 2016

The project I'm working on is a small-scale proof of concept that will be used between my family, friends and me, which is why I'm avoiding paying for more services than I need (AWS is awesome, but on a student budget it adds up over the course of the year). The standard open-source nginx does not support the stream directive which I would need for the SSL proxy, otherwise I would be using it :)
I'm currently looking into HAProxy and I'm liking it and it seems to do what I need it to do so I may end up using it. For a small application the thought of having embedded SSL support is still very attractive.
Thanks for the suggestions!
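
The TLS-terminating TCP proxy discussed in this thread (SSL/TLS 443 -> TCP 8080), sketched as an HAProxy configuration. This is an added example, not part of the original thread or the bonefish project; the certificate path, the loopback backend address, the `haproxy` user/group and the timeouts are assumptions.

```haproxy
global
    # HAProxy starts as root to bind 443, then drops to this account (assumed to exist).
    user  haproxy
    group haproxy
    # Refuse SSLv3 / TLS 1.0 / TLS 1.1 on every TLS-enabled bind line.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    # Pure TCP pass-through: the WAMP rawsocket stream is not HTTP, so nothing is parsed.
    mode tcp
    timeout connect 5s
    # Sessions are long-lived; idle timeouts are generous (assumed values).
    timeout client  1h
    timeout server  1h

frontend wamp_tls
    # TLS is terminated here. The PEM holds certificate chain + private key
    # (placeholder path); keep it readable by root only.
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    default_backend bonefish_rawsocket

backend bonefish_rawsocket
    # Plaintext hop to the rawsocket listener. It is assumed to listen on
    # loopback only, so unencrypted traffic never leaves the host and the
    # application can run unprivileged on a port above 1024.
    server bonefish 127.0.0.1:8080
```

Check the file with `haproxy -c -f <file>` before reloading, and confirm the backend port is not reachable from other hosts, since anything that connects to it directly bypasses TLS.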
