How to use HTTPS with HTTP.SYS


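Based on the official mORMot documentation: http://blog.synopse.info/post/2013/09/04/HTTPS-communication-in-mORMot

HTTP.SYS supports both HTTP and HTTPS.

HTTP needs no SSL certificate and is very simple to use, so only HTTPS is covered here.

All you need to do is bind an SSL certificate to the port you will use for HTTPS connections.

You do not need any additional SSL library installed or deployed on the client or the server. All SSL communication is handled by the operating system itself.

How do you bind an SSL certificate to the port used for HTTPS connections?

First, make sure your certificate is installed/imported into the Windows certificate store. Note also that it must be installed into the Local Machine store, not the Current User store.

You can use the netsh command-line tool that ships with Windows.

How is the NETSH tool used?

Managing SSL with NETSH.EXE

Program location: c:\windows\syswow64\netsh.exe

View the current port configuration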

netsh http show sslcert

Bind an SSL certificate to a port number

URL reservation

Run the Windows command-line tool (cmd.exe) with administrator rights and execute the following command:


netsh http add urlacl url=http://+:2001/tms/business/ user=%USERDOMAIN%\%USERNAME%

 

where %USERDOMAIN% and %USERNAME% are the domain and name of the user under which your server will run. For testing purposes, you can just give access to any user:

 

netsh http add urlacl url=http://+:2001/tms/business/ user=Everyone

 

Note that if the language of your Windows is not English, you need to replace "Everyone" with the name of the group that represents all users in Windows. Alternatively, provide the SDDL of the "Everyone" group (or of any other group you want to give permission to; for example, replace "WD" with "NS" to give access to Network Service).

 

netsh http add urlacl url=http://*:2001/tms/business/ sddl=D:(A;;GA;;;WD)

Server Certificate Configuration (binding to a port)

 

Run the Windows command-line tool (cmd.exe) with administrative rights and use a command like this:

netsh http add sslcert ipport=0.0.0.0:2002 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF} 

 

The above command will bind the proper certificate to port 2002. There are three parameters in the command above that you need to change for your own usage:

ipport: You must use the port number you use for HTTPS connections. In the example, it was 2002. The IP can still be 0.0.0.0 which means any IP. 

certhash: You must provide the thumbprint of the certificate you want to use for your server. You can check the thumbprint by using Microsoft Management Console.  

appid: This can be any arbitrary GUID. You just need to generate one and enter it here. You can even use the GUID generator in the Delphi code editor (while editing code, just press Shift+Ctrl+G and Delphi will generate a GUID for you). The GUID must be enclosed in curly braces, as in the command above.
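
The reservation and binding steps above as a single PowerShell script. This is an added example, not code from the original documentation. The certificate subject and the HTTPS URL on port 2002 are assumed sample values, and the script reserves the URL for the current account rather than for Everyone.

```powershell
#Requires -RunAsAdministrator
# Added example: bind a certificate from the Local Machine store to an HTTPS port.
# $Subject and $Url are assumed sample values; change them for your own server.
$Subject = 'CN=myserver.example.test'      # hypothetical certificate subject
$IpPort  = '0.0.0.0:2002'                  # HTTPS port used in the article
$Url     = 'https://+:2002/tms/business/'  # assumed HTTPS form of the article's URL

# The certificate must be in LocalMachine\My (not CurrentUser), must carry its
# private key, and must not have expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key for '$Subject' in LocalMachine\My" }

# Reading the thumbprint from the store avoids the spaces and hidden characters
# that copying it out of the MMC certificate dialog can introduce.
$thumb = $cert.Thumbprint
$appId = [guid]::NewGuid().ToString('B')   # 'B' format adds the surrounding braces

# Reserve the URL for the account that runs the server instead of Everyone.
$account = "$env:USERDOMAIN\$env:USERNAME"
& netsh http add urlacl "url=$Url" "user=$account"
if ($LASTEXITCODE -ne 0) { throw "urlacl reservation failed" }

# Bind the certificate to the port. The arguments are quoted so that PowerShell
# does not parse the braces of the GUID as a script block.
& netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw "sslcert binding failed" }

# Confirm that the binding now shows the expected certificate hash
# (-notmatch is case-insensitive, netsh prints the hash in lower case).
$shown = & netsh http show sslcert "ipport=$IpPort" | Out-String
if ($shown -notmatch $thumb) { throw "Binding for $IpPort does not show $thumb" }
Write-Host "Bound $thumb to $IpPort"
```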

 

Remove the SSL certificate from a port number

Netsh http delete sslcert ipport=0.0.0.0:8005

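Once you have registered the certificate with the commands above, your server is configured to use secure connections.

If you do not have a certificate, you can also generate a self-signed certificate for testing purposes. For that you need the makecert.exe or OPENSSL.EXE tool, available when you install Microsoft Visual Studio or the Windows SDK. Generating a self-signed certificate is beyond the scope of this document, but the following links may help with such a task.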

 

