I've scoured the various Howto's and have found some things related to using Zope and SSL in various ways, but I still can't quite figure out the answer to a really basic question (please be patient--I'm a real Zope newbie).
Can Zope itself be configured (without TOO much pain) to use SSL directly, i.e., provide a secure (https:) connection not using Apache as an intermediary?
I've already got Apache working with SSL, so I've got all the certificates, keys, etc., and it's "just" a matter of getting Zope to talk security itself, directly.
I'm also curious why this isn't built-in to Zope, i.e., why it isn't (or doesn't seem to be) important to the core DC folks?
Thanks.
--
Cheers!
Chris Ryland
Em Software, Inc.
www.emsoftware.com
I've scoured the various Howto's and have found some things related to using Zope and SSL in various ways, but I still can't quite figure out the answer to a really basic question (please be patient--I'm a real Zope newbie).
Can Zope itself be configured (without TOO much pain) to use SSL directly, i.e., provide a secure (https:) connection not using Apache as an intermediary?
There is an SSLified version of ZServer: http://www.post1.com/home/ngps/zope/zssl/
Only problem: This gives you SSL-only. If you want both https: and plain http: from the same server, you will either have to use Apache or two ZServers and ZEO.
I've already got Apache working with SSL, so I've got all the certificates, keys, etc., and it's "just" a matter of getting Zope to talk security itself, directly.
I'm also curious why this isn't built-in to Zope, i.e., why it isn't (or doesn't seem to be) important to the core DC folks?
When I asked that question a while ago, the answer was something like "it is so hard to do this right, and Apache does it very well anyway" ...
P.S.: As far as I know, Python 2.1 socket code now has in-built https support. Shouldn't it be easy to use this from ZServer?
Joachim
On Sat, May 26, 2001 at 07:14:46PM +0200, Joachim Werner wrote:
There is an SSLified version of ZServer: http://www.post1.com/home/ngps/zope/zssl/
Only problem: This gives you SSL-only. If you want both https: and plain http: from the same server, you will either have to use Apache or two ZServers and ZEO.
Nope, single instance of Zope gives you both and then some:
z2s.py -D -X -w 8080 -y 8443 -W 8081 -Y 8444
The above (using the latest snapshot) gives you a http server on 8080, a https server on 8443, a WebDAV-source-port server (for broken WebDAV clients) on 8081, and a WebDAV-source-port-over-https server on 8444.
You also get xmlrpc-over-https with the https server on 8443.
There is also a product called SSLAbsoluteURL (or something like that) which gives you yet more flexibility in configuring your Zope pages for http or https. I haven't tested it myself.
(Once upon a time, M2Crypto also had an encrypting monitor for Zope. Haven't updated that coz I have no use for it.)
P.S.: As far as I know, Python 2.1 socket code now has in-built https support. Shouldn't it be easy to use this from ZServer?
The SSL support in Python 2.1 doesn't do servers.
Cheers.
--
Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps
Quidquid latine dictum sit, altum viditur.
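An added example, not part of the thread and not ZServerSSL code: a Python check that each of the four listeners from the `z2s.py` command line above speaks the protocol intended for its port (cleartext on 8080/8081, TLS on 8443/8444). The function names, the host and the timeout are assumptions of this example.

```python
import socket
import ssl

# Ports and protocols from the z2s.py command line quoted in the thread.
EXPECTED = {8080: "plain", 8443: "tls", 8081: "plain", 8444: "tls"}

def client_hello() -> bytes:
    """Have the ssl module build a real ClientHello in memory (no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # probe only: nothing received is trusted
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    try:
        ctx.wrap_bio(incoming, outgoing).do_handshake()
    except ssl.SSLWantReadError:
        pass                          # expected: handshake waits for the server
    return outgoing.read()

def is_tls_record(data: bytes) -> bool:
    """True if data starts a TLS handshake (0x16) or alert (0x15) record."""
    return len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03

def exchange(host: str, port: int, payload: bytes, timeout: float) -> bytes:
    """Send payload and return the first bytes of the reply (b'' on any error)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            return s.recv(16)
    except OSError:
        return b""

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a listener as 'tls', 'plain' (cleartext HTTP) or 'none'."""
    if is_tls_record(exchange(host, port, client_hello(), timeout)):
        return "tls"
    reply = exchange(host, port, b"HEAD / HTTP/1.0\r\n\r\n", timeout)
    return "plain" if reply.startswith(b"HTTP/") else "none"

def audit(host: str, expected: dict = EXPECTED) -> dict:
    """Return {port: (expected, observed)} for listeners that differ."""
    findings = {}
    for port, want in expected.items():
        got = probe(host, port)
        if got != want:
            findings[port] = (want, got)
    return findings

if __name__ == "__main__":
    print(audit("127.0.0.1"))  # host is an assumption for this example
```

An empty result from `audit` means every port matched; a port reported as `('tls', 'plain')` is serving cleartext where HTTPS was intended.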
Only problem: This gives you SSL-only. If you want both https: and plain http: from the same server, you will either have to use Apache or two ZServers and ZEO.
Nope, single instance of Zope gives you both [...]
Sorry, I didn't know that yet.
The above (using the latest snapshot) gives you a http server on 8080, a https server on 8443, a WebDAV-source-port server (for broken WebDAV clients) on 8081, and a WebDAV-source-port-over-https server on 8444.
Cool. But this was not the case in the earlier versions, right?
You also get xmlrpc-over-https with the https server on 8443.
The SSL support in Python 2.1 doesn't do servers.
Ok. That is a major restriction ;-)
Joachim
Ng Pheng Siong <ngps@post1.com> writes:
On Sat, May 26, 2001 at 07:14:46PM +0200, Joachim Werner wrote:
There is an SSLified version of ZServer: http://www.post1.com/home/ngps/zope/zssl/
Only problem: This gives you SSL-only. If you want both https: and plain http: from the same server, you will either have to use Apache or two ZServers and ZEO.
Nope, single instance of Zope gives you both and then some:
z2s.py -D -X -w 8080 -y 8443 -W 8081 -Y 8444
The above (using the latest snapshot) gives you a http server on 8080, a https server on 8443, a WebDAV-source-port server (for broken WebDAV clients) on 8081, and a WebDAV-source-port-over-https server on 8444.
In the README to the ZSSL version of 2001-02-01, I found the following:
Beware browsers with broken HTTP/1.1 - they drive ZServerSSL to 100% CPU utilisation: An example is Netscape Communicator 4.72 on my FreeBSD boxen.
Is this still an issue?
--- Alastair
Alastair Burt wrote:
In the README to the ZSSL version of 2001-02-01, I found the following:
Beware browsers with broken HTTP/1.1 - they drive ZServerSSL to 100% CPU utilisation: An example is Netscape Communicator 4.72 on my FreeBSD boxen.
Is this still an issue?
I also read that and wondered the same. The curious part is 'How is it broken'? On SourceForge my Netscape 4.72 works fine in SSL and they claim that IE is broken but Netscape will work fine.
http://sourceforge.net/account/login.php for reference.
--
Tim Cook, President - FreePM,Inc.
http://www.FreePM.com Office: (731) 884-4126
ONLINE DEMO: http://www.freepm.org:8080/FreePM
On Mon, May 28, 2001 at 05:49:48AM -0500, Tim Cook wrote:
I also read that and wondered the same. The curious part is 'How is it broken'? On SourceForge my Netscape 4.72 works fine in SSL and they claim that IE is broken but Netscape will work fine.
Possibly I misspoke in the README - the bug that caused the CPU to spin was equally likely to have been in ZServer's HTTP/1.1 support, instead of the browser's. Anyways, the problem appears to have been fixed.
BTW I just had a silly typo affecting WebDAV-source-port-over-https in the latest z2s.py pointed out to me. Argh!
--
Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps
Quidquid latine dictum sit, altum viditur.
On Mon, May 28, 2001 at 10:58:35AM +0200, Alastair Burt wrote:
In the README to the ZSSL version of 2001-02-01, I found the following:
Beware browsers with broken HTTP/1.1 - they drive ZServerSSL to 100% CPU utilisation: An example is Netscape Communicator 4.72 on my FreeBSD boxen.
Is this still an issue?
AFAIK, no longer. I posted a fix soon after the above version was released. The fix was on my website but disappeared after my recent website reorg. Sorry.
--
Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps
Quidquid latine dictum sit, altum viditur.
Ng Pheng Siong <ngps@post1.com> writes:
On Mon, May 28, 2001 at 10:58:35AM +0200, Alastair Burt wrote:
In the README to the ZSSL version of 2001-02-01, I found the following:
Beware browsers with broken HTTP/1.1 - they drive ZServerSSL to 100% CPU utilisation: An example is Netscape Communicator 4.72 on my FreeBSD boxen.
Is this still an issue?
AFAIK, no longer. I posted a fix soon after the above version was released.
Good to hear.
The fix was on my website but disappeared after my recent website reorg.
But the later versions have the fix incorporated?
--- Alastair
On Mon, May 28, 2001 at 06:23:03PM +0200, Alastair Burt wrote:
The fix was on my website but disappeared after my recent website reorg.
But the later versions have the fix incorporated?
Sorry to be so unclear in my communication, but, yes, the fix is incorporated in current versions. (Modulo packaging error on my part, which has happened once or twice already. ;-)
--
Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps
Quidquid latine dictum sit, altum viditur.
participants (5): Alastair Burt, Chris Ryland, Joachim Werner, Ng Pheng Siong, Tim Cook