These are really good libraries that got my dates and times flowing client-server full circle, with all the UI and math tools I needed.

KISS!


  // Date sanitation for a user-supplied reporting window (boost::gregorian):
  // limit ancient and future days and ensure start isn't beyond end.
  // cn_max_days_to_look_back is the site-wide look-back limit, defined elsewhere.
  #include <boost/date_time/gregorian/gregorian.hpp>
  #include <boost/date_time/posix_time/posix_time.hpp>
  using boost::gregorian::date;
  using boost::gregorian::date_duration;
  using boost::posix_time::second_clock;

  date today = second_clock::local_time().date();
  date s = startdate;
  date e = enddate;
  if (e > today)                                          // no end dates in the future
    e = today;
  if (e - s > date_duration(cn_max_days_to_look_back))    // bound the size of the window
    s = e - date_duration(cn_max_days_to_look_back);
  if (s > e)                                              // start after end: collapse to one day
    s = e;
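The same three rules as an added example that is not code from the post or from boost: it does the calendar arithmetic by hand so it compiles without boost, takes `today` as a parameter so each rule can be unit tested, and adds a strict parser for the `YYYY-MM-DD` query strings such a window usually arrives in. The parser, the `max_look_back` parameter (standing in for `cn_max_days_to_look_back`) and the sample dates are my assumptions.

```cpp
#include <cstdio>
#include <string>

// Added example, not code from the original post or from boost.  The parser, the
// max_look_back parameter (standing in for cn_max_days_to_look_back) and the dates
// used below are assumptions.

// Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's days_from_civil),
// so the window arithmetic is plain integer subtraction, as date - date is in boost.
long days_from_civil(int y, unsigned m, unsigned d) {
    y -= (m <= 2) ? 1 : 0;
    const long era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = static_cast<unsigned>(y - era * 400);             // [0, 399]
    const unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;  // [0, 365]
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;            // [0, 146096]
    return era * 146097 + static_cast<long>(doe) - 719468;
}

// Strict YYYY-MM-DD parser for the query-string form the window usually arrives in.
// Trailing junk and out-of-range fields are rejected; a full version would also round-trip
// the result back to a civil date to catch impossible days such as Feb 30.
bool parse_iso_date(const std::string& s, long& days_out) {
    int y = 0; unsigned m = 0, d = 0; char extra = 0;
    if (std::sscanf(s.c_str(), "%4d-%2u-%2u%c", &y, &m, &d, &extra) != 3) return false;
    if (y < 1970 || y > 9999 || m < 1 || m > 12 || d < 1 || d > 31) return false;
    days_out = days_from_civil(y, m, d);
    return true;
}

long parse_or(const std::string& s, long fallback) {
    long v = fallback;
    return parse_iso_date(s, v) ? v : fallback;
}

struct DateRange { long start; long end; };   // both as days since the epoch

// The three rules from the post, in the same order.  The order matters: the start > end
// check runs last, so a nonsense request (start after end) collapses to a single day
// instead of leaving a negative window that the look-back rule never sees.
DateRange sanitize_range(long today, long start, long end, long max_look_back) {
    if (end > today) end = today;                                  // no future end dates
    if (end - start > max_look_back) start = end - max_look_back;  // bound the window
    if (start > end) start = end;                                  // start never after end
    return {start, end};
}

// Handler glue: unparseable input falls back to "today" instead of erroring out, so
// whatever the client sends, the query that reaches the database is bounded.
DateRange sanitize_query(long today, const std::string& start_q, const std::string& end_q,
                         long max_look_back) {
    return sanitize_range(today, parse_or(start_q, today), parse_or(end_q, today), max_look_back);
}

int main() {
    const long today = days_from_civil(2016, 10, 1);   // constructed "today": 2016-10-01
    DateRange r = sanitize_query(today, "2010-01-01", "2017-01-01", 90);
    std::printf("window clamped to %ld..%ld (days since epoch)\n", r.start, r.end);
    return 0;
}
```

Clamping instead of rejecting is the point: a client can send any two strings it likes and the query that reaches the database still covers at most `max_look_back` days ending no later than today.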

One deep dive with haproxy and I have handed it complete control of all my certificates.

* One bind statement with every single cert file I own, and haproxy is instantly handling every host's TLS handshake, picking the certificate by the SNI name the client sends
* It redirects plain http requests to https
* It has removed the need for https on any webserver on the secured LAN (TLS is terminated at haproxy, so the proxy-to-backend hop is cleartext; that is only acceptable because the LAN itself is trusted and the backends are reachable no other way)
* It allows incredibly flexible load balancing via host, port, url, etc.
* It is easy to set up to use TLS best practices, so every one of your websites instantly gets an A+ rating on SSL Labs

Unbelievable, I'm stunned.

Here's all I needed to get the SSL Labs A+ rating:


global

    # MDM NO SSLv3!  Good ciphers!
    # (force-tlsv12 already leaves only TLS 1.2, which implies no-sslv3; no-tls-tickets is
    # there because session tickets encrypted under a long-lived server key undermine
    # forward secrecy)
    ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

frontend ....

  # MDM We need to provide an HSTS header to get A+ at ssllabs!
  # (ssllabs wants a max-age of at least six months, 15552000 s; the browser preload list
  # now requires a full year, 31536000 s, so raise this before submitting the domain for preload)
  http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;

  # Tell the backends this request arrived over https.  reqadd was removed in haproxy 2.1;
  # the current equivalent is:  http-request set-header X-Forwarded-Proto https
  reqadd X-Forwarded-Proto:\ https

Also needed this in wordpress wp-config.php, so WordPress builds https URLs even though the request reached PHP over plain http. This is only safe while PHP is reachable solely through haproxy: any client that can talk to the webserver directly can send its own X-Forwarded-Proto header.

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
       $_SERVER['HTTPS'] = 'on';
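The pieces described above but not shown (the http-to-https redirect, the single SNI bind, and the X-Forwarded-Proto hand-off the wp-config check relies on), as an added example configuration of mine rather than the post's own. It assumes HAProxy 2.x syntax, a certificate directory /etc/haproxy/certs/, a hostname blog.example.com and a backend address 10.0.0.10, all hypothetical; the global ssl-default-bind-* settings shown above still apply to the bind.

```haproxy
frontend http_in
    bind :80
    # 301 every plain-http request to the same host and path over https
    http-request redirect scheme https code 301

frontend https_in
    # one bind, one directory: haproxy loads every .pem in it (cert + chain + key
    # concatenated) and picks the certificate by the SNI name the client sends
    bind :443 ssl crt /etc/haproxy/certs/
    # set-header, not reqadd: it overwrites any X-Forwarded-Proto a client smuggled in
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    use_backend wp if { hdr(host) -i blog.example.com }
    default_backend wp

backend wp
    # plain http on the trusted LAN; this address must not be reachable from anywhere
    # else, otherwise X-Forwarded-Proto can be forged by talking to the backend directly
    server wp1 10.0.0.10:80 check
```

The trust boundary is the backend's network exposure: the wp-config snippet believes whatever X-Forwarded-Proto says, so the only thing making that belief true is that every request to port 80 on 10.0.0.10 came through haproxy.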

When an unauthenticated user accesses a protected resource of my API server, I want to immediately redirect them to the login page. Research has indicated that the server should send the client an HTTP 302 response with the login URL in a Location header. Experimentation has shown that you can successfully set cookies on that response. The cookie can be used to hold the URL to re-redirect the user back to the original request after authenticating. Nice. One caveat: the stored URL comes back from the client, so it has to be validated as a same-origin path before it goes into a Location header, or the login page becomes an open redirect.

Here’s the header to send from the server:


    // Status line plus Location header; the redirect target is streamed in right after it.
    // (RFC 7231 calls 302 "Found"; clients still accept the older "Moved Temporarily" phrase.)
    const std::string cstr_HTML_302_HEADER1 = "HTTP/1.1 302 Moved Temporarily\r\nLocation: ";
    const std::string cstr_HTML_HEADER2 = "\r\n\r\n";
    // ....
        // Cookie carrying the URL to return to after login (value elided as in the original);
        // validate that value before using it as a redirect target, or it is an open redirect.
        std::string cookie_header = "\r\n";
        cookie_header += "Set-Cookie: .... ";
        // Content-Length: 0 lets a keep-alive client know there is no body to wait for.
        *response << cstr_HTML_302_HEADER1 << "/v1/login.html" << cookie_header
                  << "\r\nContent-Length: 0" << cstr_HTML_HEADER2;
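The redirect built so that the remembered URL can be neither an open redirect nor a header-injection vector, as an added example of mine (not code from quick-http or Simple-Web-Server): the original path is accepted only if it is an absolute path on this origin with no control characters, percent-encoded into a cookie carrying HttpOnly/Secure/SameSite, and validated again when it is read back after login. The cookie name return_to, the /v1/login.html path and the ten-minute lifetime are assumptions.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Added example, not code from the original post.  Cookie name, login path and cookie
// lifetime are assumptions.

// A return-to target is accepted only if it is an absolute path on this origin:
//  - must start with "/" but not "//" or "/\" (browsers treat those as protocol-relative
//    URLs, i.e. a redirect to another host), and
//  - must contain no control characters or spaces (a CR/LF in the value would otherwise let
//    the caller inject extra headers into the Set-Cookie or the later Location line).
bool is_safe_return_path(const std::string& p) {
    if (p.empty() || p[0] != '/' || p.size() > 2048) return false;
    if (p.size() > 1 && (p[1] == '/' || p[1] == '\\')) return false;
    for (unsigned char c : p)
        if (c <= 0x20 || c == 0x7f) return false;
    return true;
}

// Percent-encode so the value is a valid cookie-octet string (RFC 6265 forbids CTLs, space,
// double quote, comma, semicolon and backslash in cookie values).
std::string cookie_encode(const std::string& s) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~' || c == '/') {
            out += static_cast<char>(c);
        } else {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0f];
        }
    }
    return out;
}

std::string cookie_decode(const std::string& s) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += s[i];
        }
    }
    return out;
}

// Response for an unauthenticated request to requested_path: 302 to the login page, with the
// (validated) original path remembered in a short-lived cookie.  Content-Length: 0 is needed
// on a keep-alive connection, otherwise the client waits for a body that never comes.
std::string build_login_redirect(const std::string& requested_path) {
    const std::string ret = is_safe_return_path(requested_path) ? requested_path : "/";
    std::string r = "HTTP/1.1 302 Found\r\n";
    r += "Location: /v1/login.html\r\n";
    r += "Set-Cookie: return_to=" + cookie_encode(ret) +
         "; Path=/; Max-Age=600; HttpOnly; Secure; SameSite=Lax\r\n";
    r += "Cache-Control: no-store\r\n";
    r += "Content-Length: 0\r\n\r\n";
    return r;
}

// After a successful login: decode the cookie and validate it AGAIN before using it as a
// Location, because the cookie jar is under the client's control.  The cookie is cleared.
std::string redirect_after_login(const std::string& return_to_cookie) {
    const std::string target = cookie_decode(return_to_cookie);
    const std::string dest = is_safe_return_path(target) ? target : "/";
    return "HTTP/1.1 302 Found\r\nLocation: " + dest +
           "\r\nSet-Cookie: return_to=; Path=/; Max-Age=0; HttpOnly; Secure\r\n"
           "Cache-Control: no-store\r\nContent-Length: 0\r\n\r\n";
}

int main() {
    // constructed input: a protected report URL, then what an attacker might plant
    std::fputs(build_login_redirect("/v1/reports?day=2016-10-01").c_str(), stdout);
    std::fputs(redirect_after_login("%2F%2Fevil.example%2F").c_str(), stdout);
    return 0;
}
```

The second validation is the one that matters: the cookie a browser sends back after login is client-controlled, so a value like `//evil.example/` that was never set by the server still has to be refused at the moment it would become a Location.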

The publicly available version of quick-http on github needs a refresh, hopefully I'll have some time soon to move a large set of new code there that uses Simple Web Server, HTTP 302 redirects, user authentication, etc.

BAH THEY DONE FUCKED UP

  • StartCom sold out and let WoSign buy them up
  • WoSign backdated certs to get them grandfathered for some dumb reason
  • Mozilla and Google and Apple caught them and dropped support for them
  • alternativeto.net/software/startssl pointed me to Let’s Encrypt – LOOKS GOOD
  • there is also https://www.sslforfree.com/ which is a layer around Let’s Encrypt (no need? we’ll see…)

The king is dead, long live the king!

  • Whoa… it uses a BOT… from EFF.  Yay!
  • Whoa… certs are only good for 90 days!  Time to automate renewal!

Let’s take this to the wiki


Update: add these awesome ones!

https://pocoproject.org/
https://macchina.io/docs/
http://vinniefalco.github.io/beast/beast/intro/example.html

Goal: find the fastest possible C++ https library that can score an A on the SSLLabs test. Ties broken by ease of use, then by support for websockets.

Initial results (see wiki for latest...; the ab columns are still empty):

LIBRARY            ab MB/sec   ab pages/sec   SSL LABS SCORE   EASE   WS?   COMMENTS
apache                                        A                3      N     need to write a module; apache remains in charge of the message loop (unacceptable)
libwebsockets                                                  7      Y
proxygen                                                       7            only easy to build on ubuntu, so it hasn't been stood up on my gentoo server yet; huge kitchen sink of helpers
Simple-Web-Server                             B                10     Y     websockets in a separate compatible project; may be able to leverage asio to improve the score (capped by RC4); no forward secrecy
websocketpp                                                                 uses asio; specifies a "modern" mode that only allows TLS 1.2
mongoose                                                       3            messy ton of hand-crafted portability C code scared me off
onion                                                                       looks like a strong C lib
libmicrohttpd                                                               GNU C lib; not sure it supports modern algos, check score...