Native TLS Support for mORMot 2 REST or WebSockets Servers

From HTTP to HTTPS

Here is how you publish a TRestServer instance over HTTP, on port 8888, and with 16 threads for the thread pool:

    Server := TRestHttpServer.Create([RestServer], '8888', 16);

Note the new constructor, easier to use than before, if you just want the default asynchronous server.

And to publish over HTTPS, on the very same port, with a self-signed certificate:

    Server := TRestHttpServer.Create([RestServer], '8888', 16, secTLSSelfSigned);

For a mORMot client, you should also specify that you expect TLS support, and ignore the fact that this self-signed certificate is unknown by the system:

  Client := TRestHttpClientSocket.Create('127.0.0.1', '8888', Model, {https=}true);
  Client.IgnoreTlsCertificateErrors := true;

Then, at least with OpenSSL, you could serve TLS 1.3 content from now on, with a safe cipher negotiation by default (which could be tuned if needed).
Nice and easy!

Give Me the Keys

And if you generated your own public/private keys pair, you could specify it:

    Server := TRestHttpServer.Create([RestServer], '8888', 16, secTLS,
      HTTPSERVER_DEFAULT_OPTIONS, 'mycert.pem', 'mypriv.pem', 'privpassw');

And don't forget to keep your private key... private.

Keys Rule

Where do those certificates come from? Do I need to read endless and complex OpenSSL command line samples, and mess with files and passwords?
Our framework make it easy. You can now use the new mORMot 2 high-level cryptography interfaces to generate the keys you want in simple pascal code.

Here is how the framework generates the self-signed server certificate on OpenSSL, or use a pre-computed one for SChannel:

procedure InitNetTlsContextSelfSignedServer(var TLS: TNetTlsContext;
  Algo: TCryptAsymAlgo);
var
  cert: ICryptCert;
  certfile, keyfile: TFileName;
  keypass: RawUtf8;
begin
  certfile := TemporaryFileName;
  if CryptCertAlgoOpenSsl[Algo] = nil then
  begin
    FileFromString(PrivKeyCertPfx, certfile); // use pre-computed key
    keypass := 'pass';
  end
  else
  begin
    keyfile := TemporaryFileName;
    keypass := CardinalToHexLower(Random32);
    cert := CryptCertAlgoOpenSsl[Algo].
              Generate(CU_TLS_SERVER, '127.0.0.1', {authority=}nil, 3650);
    cert.SaveToFile(certfile, cccCertOnly, '', ccfPem);
    cert.SaveToFile(keyfile, cccPrivateKeyOnly, keypass, ccfPem);
    //writeln(BinToSource('PRIVKEY_PFX', '',
    //  cert.Save(cccCertWithPrivateKey, 'pass', ccfBinary)));
  end;
  InitNetTlsContext(TLS, {server=}true, certfile, keyfile, keypass);
end;

As you can see, the ICryptCert interface is very simple to use, and hide all the complexity of X509 and OpenSSL. We provided nil as authority, but you could specify a ICryptCert instance to sign your certificate, if needed.
Under comments in the above source, you can see how to export the keys pair as PKCS#12 certificate, ready to be used for SChannel.

TLS Everywhere

Offering TLS as part of your software solution could be a game-changer for serious business, even over a corporate network, with self-signed certificates. It would help your IT and management people trust your mORMot / pascal solution in an heterogeneous and complex mesh of services. Modern object pascal is still on track for the next decades!

Feedback is welcome on our forum, as usual.

Synopse Open Source