如何使用SSL加密

d_yang

常在公网上跑，必须要加SSL.
没有证书，去找StartSSL.com.

Openerp的6.1似乎没有考虑这个，patch上。
打开wsgi/core.py
serve方法：

<br /><br />&nbsp; &nbsp; try:<br />&nbsp; &nbsp; &nbsp; &nbsp; import werkzeug.serving<br />&nbsp; &nbsp; &nbsp; &nbsp; if config&#91;&#039;proxy_mode&#039;]:<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; from werkzeug.contrib.fixers import ProxyFix<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; app = ProxyFix(application)<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; suffix = &#039; (in proxy mode)&#039;<br />&nbsp; &nbsp; &nbsp; &nbsp; else:<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; app = application<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; suffix = &#039;&#039;<br />&nbsp; &nbsp; &nbsp; &nbsp; if config.has_ssl and config&#91;&#039;secure_pkey_file&#039;] and config&#91;&#039;secure_cert_file&#039;]:<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ctx = {}<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; from OpenSSL import SSL<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ctx = SSL.Context(SSL.SSLv23_METHOD)<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ctx.use_privatekey_file(config&#91;&#039;secure_pkey_file&#039;])<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ctx.use_certificate_file(config&#91;&#039;secure_cert_file&#039;])<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; httpd = werkzeug.serving.make_server(interface, port, app, threaded=True, ssl_context=ctx)<br />&nbsp; &nbsp; &nbsp; &nbsp; else:<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; httpd = werkzeug.serving.make_server(interface, port, app, threaded=True)<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br />&nbsp; &nbsp; &nbsp; &nbsp; _logger.info(&#039;HTTP service (werkzeug) running on %s:%s%s&#039;, interface, port, suffix)<br />&nbsp; &nbsp; except ImportError:<br />&nbsp; &nbsp; &nbsp; &nbsp; import wsgiref.simple_server<br />&nbsp; &nbsp; &nbsp; &nbsp; _logger.warning(&#039;Werkzeug module unavailable, falling back to wsgiref.&#039;)<br />&nbsp; &nbsp; &nbsp; &nbsp; if config&#91;&#039;proxy_mode&#039;]:<br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; _logger.warning(&#039;Werkzeug module unavailable, not using proxy mode.&#039;)<br />&nbsp; &nbsp; &nbsp; &nbsp; httpd = wsgiref.simple_server.make_server(interface, port, application)<br />&nbsp; &nbsp; &nbsp; &nbsp; _logger.info(&#039;HTTP service (wsgiref) running on %s:%s&#039;, interface, port)<br /><br />

（需要Openssl的支持）

启动服务时，别忘记加上 --cert-file， --pkey-file两个参数。

over.

ccdos

强人

wangbuke

谢谢楼主贡献～

补充下：StartSSL.com 提供单域名为期一年的SSL证书服务。下面提供一个自己制作SSL证书方法：

$ openssl genrsa 1024 > server.key    生成密钥
$ openssl req -new -key server.key > server.csr  生成csr证书
$ openssl req -x509 -days 3650 -key server.key -in server.csr > server.crt  生成crt证书，期限10年

自己生成的证书是未经各大机构签名，部署上去浏览器会提示证书无效，可以不管直接忽略。当然安全性可没有打折，还是SSL 1024  位加密。

d_yang

StartSSL 可以续签的。不过，revoke需要钱。。。


[quote author=wangbuke link=topic=4335.msg11875#msg11875 date=1346395837]
谢谢楼主贡献～

补充下：StartSSL.com 提供单域名为期一年的SSL证书服务。下面提供一个自己制作SSL证书方法：

$ openssl genrsa 1024 > server.key    生成密钥
$ openssl req -new -key server.key > server.csr  生成csr证书
$ openssl req -x509 -days 3650 -key server.key -in server.csr > server.crt  生成crt证书，期限10年

自己生成的证书是未经各大机构签名，部署上去浏览器会提示证书无效，可以不管直接忽略。当然安全性可没有打折，还是SSL 1024  位加密。
[/quote]