Implementing TLS in the Rocket Web Framework on macOS
<img src="/resources/img/blog/coding/2020-01-02/rocketTLS.png" alt="Rocket Logo intersecting prettycons' certificate from Favicon" style="max-width:500px; display: table; margin:auto;"> <p>Recently I have been building a new web application in Rust. The application is being developed from a security-first perspective, using Rocket as the web framework.</p> <p>In the process of development, I realised that it was becoming crucial for me to implement HTTPS in local development, as browsers such as Firefox and Chrome are adding restrictions to non-TLS connections.</p> <p>With this in mind, the following article details how to add a local, self-signed certificate to your Rocket web application on macOS.</p><br> <h3>Preparing Rocket</h3> <p>First you need to ensure that your project is ready to handle a TLS connection. To do this, open your 'Cargo.toml' file and add the following under '[dependencies]' (Rocket's TLS support sits behind a feature flag and is not compiled in by default):</p> <pre>rocket = { version = "0.4.2", features = ["tls"] }</pre><br> <p>Then you are ready to start creating and importing the certificate and private key into the application.</p><br> <h3>Creating a Self-Signed Certificate</h3> <p>Before proceeding further, ensure that you have the Xcode command line tools installed in your environment. If you are unsure, you can run the following command to check:</p> <pre>if xcode-select -p >/dev/null 2>&1; then echo "Installed"; else echo "Not Installed"; fi</pre><br> <p>Then, once you have the necessary tools installed, run the following to generate a new 2048-bit RSA private key:</p> <pre>openssl genrsa -out server.key 2048</pre><br> <p>This key is the secret that protects every TLS session to your application, so keep it readable only by your own user (for example with 'chmod 600 server.key') and never share it. Next we need to create the certificate, which we can do with the following:</p> <pre>openssl req -new -x509 -key server.key -out server.cert -days 365</pre><br> <p>Once you enter this command you will be prompted for a few identifying details to include in the certificate. Since we are only generating this for local use, all we need to fill in is the Common Name (eg, fully qualified host name).
Ensure that you enter "localhost" for this value.<br> The '-x509' flag tells OpenSSL to output a self-signed certificate directly rather than a certificate signing request: it takes the private key created in the previous command and produces the public certificate for use in the application. The '-days 365' flag sets the expiry date of the certificate to a year from creation. One caveat: modern browsers match the host name against the certificate's subjectAltName extension rather than the Common Name, so a certificate that carries only 'CN=localhost' will still be rejected by Chrome in particular, which is why the browser exceptions described at the end are needed.</p><br> <h3>Converting to PEM</h3> <p>Rocket expects the certificate and key as PEM files. The 'server.cert' and 'server.key' files OpenSSL just produced are already PEM-encoded (open them and you will see '-----BEGIN CERTIFICATE-----' and '-----BEGIN ... PRIVATE KEY-----' headers), so you can point Rocket at them directly. If you prefer to manage the certificate through macOS's built-in Keychain, you can import it:</p> <pre>security import ~/Desktop/server.cert -t cert -f openssl</pre><br> <p>and then export it again in PEM format ('find-certificate' returns the first match for the name, so check the output if you have other 'localhost' certificates in your keychain):</p> <pre>security find-certificate -c localhost -p > cert.pem</pre><br> <p>Re-exporting the key is simpler; '-out' writes it back out as PEM (avoid adding '-text', which prepends a human-readable dump of the key parameters to the file):</p> <pre>openssl rsa -in server.key -out key.pem</pre><br> <h3>Adding to Rocket</h3> <p>Then we need to add the newly generated PEM files to our 'Rocket.toml', located at the root of the project.
Do not commit these files to your repository; or, if you are like me and absolutely must have everything in a single place for development purposes, make sure you add them to your '.gitignore'.</p> <p>Your 'Rocket.toml' file should look something like this:</p> <pre>[global.tls]
certs = "/path/to/cert.pem"
key = "/path/to/key.pem"</pre><br> <p>Once that's complete you can launch your Rocket application and navigate to your localhost address (https://localhost:8000 with Rocket's default development configuration) in your preferred browser. Because the certificate is self-signed, you will likely need to add an exception for it, as seen in the screenshot below from Firefox.</p> <img src="/resources/img/blog/coding/2020-01-02/add_exception.png" alt="Screenshot from Firefox showing how to add an exception to a certificate" style="max-width:500px; display: table; margin:auto;"><br> <p>Note: If you are using Chrome, you may need to enable the 'allow-insecure-localhost' flag, which can be found at: <a href="chrome://flags/#allow-insecure-localhost">chrome://flags/#allow-insecure-localhost</a>. This flag only relaxes certificate checking for localhost, so it does not weaken Chrome's handling of other sites, but remember to turn it off when you no longer need it.</p> <p>Once that is done you should have successfully enabled HTTPS in your local Rocket application. Thanks for reading! If you have any issues, feel free to send me a tweet <a href="https://twitter.com/jakemsctt">@jakemsctt</a> (note the missing 'o' in scott) and I will try to help you out.</p>
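<p>Pulling the steps above together as one script. This is an added example and not code from the original post or from the Rocket project; it assumes only a POSIX shell and the 'openssl' binary (the LibreSSL build shipped with macOS works). The function names, the 'localhost.cnf' file and the './tls-dev' output directory are my own choices. It goes one step beyond the post by adding a subjectAltName through an OpenSSL config file (rather than '-addext', which older LibreSSL builds lack), so that the certificate is accepted on the host name by browsers that ignore the Common Name, and it checks that the key and certificate actually belong together before Rocket is pointed at them.</p>

```sh
#!/bin/sh
# Added example (not from the original post): generate a localhost key and
# self-signed certificate with a subjectAltName, write a Rocket.toml for
# them, and sanity-check the pair. A config file is used instead of -addext
# so the same commands work with macOS's LibreSSL and with OpenSSL.
set -eu

# Write key.pem, cert.pem and Rocket.toml into the directory given as $1.
gen_local_tls() {
    dir="$1"
    mkdir -p "$dir"
    abs=$(cd "$dir" && pwd)
    # Constructed minimal req config. Browsers match the SAN, not the CN,
    # so "CN = localhost" on its own is not enough for Chrome.
    cat > "$abs/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_localhost
prompt             = no

[dn]
CN = localhost

[v3_localhost]
subjectAltName   = DNS:localhost, IP:127.0.0.1
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # genrsa already emits PEM; no conversion step is needed afterwards.
    openssl genrsa -out "$abs/key.pem" 2048 2>/dev/null
    chmod 600 "$abs/key.pem"
    openssl req -new -x509 -sha256 -days 365 \
        -key "$abs/key.pem" -config "$abs/localhost.cnf" -out "$abs/cert.pem"
    # Absolute paths, so Rocket finds the files regardless of its working dir.
    cat > "$abs/Rocket.toml" <<EOF
[global.tls]
certs = "$abs/cert.pem"
key = "$abs/key.pem"
EOF
}

# Return 0 only if the files are what Rocket expects: PEM-labelled, the key
# matches the certificate, the SAN covers localhost, and it is not expired.
check_local_tls() {
    dir="$1"
    grep -q 'BEGIN CERTIFICATE' "$dir/cert.pem" || return 1
    grep -q 'PRIVATE KEY' "$dir/key.pem" || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/cert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/key.pem")
    [ -n "$cert_mod" ] || return 1
    [ "$cert_mod" = "$key_mod" ] || return 1
    openssl x509 -noout -text -in "$dir/cert.pem" | grep -q 'DNS:localhost' || return 1
    openssl x509 -noout -checkend 0 -in "$dir/cert.pem" >/dev/null || return 1
}

# Stand-alone use: sh gen_local_tls.sh [output-dir]
dir="${1:-./tls-dev}"
gen_local_tls "$dir"
if check_local_tls "$dir"; then
    echo "ok: $dir/cert.pem and $dir/key.pem are ready; see $dir/Rocket.toml"
else
    echo "check failed for $dir" >&2
    exit 1
fi
```

<p>Run it as 'sh gen_local_tls.sh /absolute/path' and copy the generated 'Rocket.toml' into the project root (or merge its '[global.tls]' table into your existing one). The browser will still warn the first time, because the certificate is self-signed rather than issued by a CA it trusts; the SAN only removes the host-name mismatch.</p>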