# HTTPS configuration

These Liberator configuration items define how Liberator handles HTTPS connections with clients.

The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of message transmission on the Internet, and offers a greater level of protection than standard HTTP transmission. Web pages and other standard HTTP traffic can be sent over HTTPS.

Liberator can run as an HTTPS web server like most commonly available web servers. When it’s configured to use HTTPS, all RTTP data is sent over an HTTPS connection too, which means your streaming data and trade transactions are secure. Liberator supports standard SSL server-side certificates to authenticate the server to the client. The certificates must be generated and signed by a certificate authority.

Liberator’s supplied with a built-in HTTPS Config blade (see Built-in blades) that you activate to enable HTTPS connections. For details on how to do this and how to change the blade’s configuration, see How can I…​ Configure how Liberator handles HTTPS connections.

You may also need to set ssl-random-seed, which configures the seeding of the OpenSSL random number generator that the Liberator uses for HTTPS and direct secure connections.

`add-virtual-host` specifies a virtual host that Liberator will serve.

Virtual hosts allow a single Liberator to serve separate (independent) websites.

`add-virtual-host` provides a simple method for defining virtual hosts within Liberator, but it does require the Liberator to have a separate IP address for each host.

Liberator versions 6.1 and above support virtual hosting using Server Name Indication (SNI), which allows a single IP address to serve a group of domain names, providing a separate SSL certificate for each name. If you want Liberator to serve multiple websites securely, we recommend that you do this using SNI rather than `add-virtual-host`. For more about SNI, see the Wikipedia page at https://en.wikipedia.org/wiki/Server_Name_Indication.

You can use `add-virtual-host` to configure the following aspects of a virtual host:

When a client connects to Liberator through an IP address or hostname that’s identified by the addr option of an `add-virtual-host` configuration item, Liberator applies the option settings of the `add-virtual-host` to that particular connection.

Each virtual host is defined by the IP address the client connects to, and not by HTTP 1.1’s name-based virtual host facility.

Syntax:

(Click on an option to see its description in the table below.)

```
add-virtual-host
   addr                [string]
   name                [string]
   https-certificate   [string]
   https-passwordfile  [string]
   https-privatekey    [string]
   wwwroot             [string]
end-virtual-host
```

The options for `add-virtual-host` are:

| Name | Type | Default | Description |
|---|---|---|---|
| `addr` | string | [none] | The local IP address or hostname of this virtual host. |
| `https-certificate` | string | Value of https-certificate | The filename and directory path of the SSL (secure sockets layer) certificate used for HTTPS connections to this virtual host. The file must be in PEM format. The directory path is optional and can be in relative or absolute format. This option overrides for this virtual host the certificate filename and path defined in the global configuration item https-certificate. |
| `https-passwordfile` | string | Value of https-passwordfile | The filename and directory path of the file containing the SSL certificate passphrase used for HTTPS connections to this virtual host. The file must be in PEM format. The directory path is optional and can be in relative or absolute format. This option overrides for this virtual host the password filename and path defined in the global configuration item https-passwordfile. |
| `https-privatekey` | string | Value of https-privatekey | The filename and directory path of the SSL (secure sockets layer) private key used for HTTPS connections to this virtual host. The file must be in PEM format. The directory path is optional and can be in relative or absolute format. This option overrides for this virtual host the private key filename and path defined in the global configuration item https-privatekey. |
| `name` | string | | A name for this virtual host. |
| `wwwroot` | string | Value of http-wwwroot | The root directory of the Liberator’s HTML files for this virtual host. The directory path can contain the parameter `%r`, which is replaced at run time by the root directory (application-root) under which the Liberator runs. This option overrides for this virtual host the root directory defined in the global configuration item http-wwwroot. |

## https-certificate

`https-certificate` specifies the filename and directory path of the SSL (secure sockets layer) certificate used for HTTPS connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

This item is overridden for specific virtual host connections by the https-certificate option of the add-virtual-host that defines the virtual host.

In the Caplin Platform Deployment Framework, a configuration macro `SSLCERT_PATH` is used to specify the directory path in the Liberator’s `https-certificate` setting. See Configuration macros and items. The certificate filename and path set up by default in the Liberator supplied with the Framework is /global_config/ssl/rttpd_https.pem. This certificate file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pem file that’s automatically copied to /global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: `https-certificate <PEM-filename-and-path>`

Type: string

Default value: `cert.pem`

The default filename for the certificate is the same as the private key’s default filename (default for https-privatekey) because both the certificate and the private key can be contained in the same file.

## https-cipher-list

`https-cipher-list` specifies a colon-separated list of cipher strings. These cipher strings select, in preferred order, the various SSL ciphers (cryptographic algorithms) that Liberator can use for its HTTPS connections. The ciphers are selected from the set available in the version of OpenSSL built into Liberator. The format of the cipher list is as defined for the `cipherlist` argument of the OpenSSL `ciphers` tool; for details see the OpenSSL ciphers(1) manual page, which includes a list of the available cipher suite names. At run time, Liberator passes the cipher list as a control string to the OpenSSL function `SSL_CTX_set_cipher_list()`; this function uses the control string to set up the list of available SSL ciphers.

Syntax: `https-cipher-list <cipher>:<cipher>:<cipher>…​`

Type: string

Default value: `DEFAULT` (The default list of OpenSSL ciphers. This may vary according to the version of OpenSSL built into Liberator.)

Example:

`https-cipher-list HIGH:MEDIUM`

## https-disable-renegotiation

`https-disable-renegotiation`, when set to `TRUE`, prevents clients from renegotiating their HTTPS connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.

Syntax: `https-disable-renegotiation <boolean>`

Type: boolean

Default value: `FALSE` (client renegotiation is allowed)

## https-enable

`https-enable` switches on support for HTTPS connections when set to `TRUE`.

Syntax: `https-enable <boolean>`

Type: boolean

Default value: `FALSE` (HTTPS connections not supported)

## https-interface

`https-interface` specifies the network interfaces to listen on for HTTPS connection requests.

In the Caplin Platform Deployment Framework, a configuration macro `LIBERATOR${THIS_LEG}_HTTPINTERFACE` is used to specify Liberator’s `https-interface`. See Configuration macros and items and How can I …​ Configure how Liberator handles HTTPS connections.

Syntax: `https-interface <space-separated-list-of-interface-ip-addresses>`

Type: array of strings

Default value: [all available network interfaces]

## https-passwordfile

`https-passwordfile` specifies the filename and directory path of the file containing the SSL certificate passphrase used for HTTPS connections. The directory path is optional and can be in relative or absolute format.

This item is overridden for specific virtual host connections by the https-passwordfile option of the add-virtual-host that defines the virtual host.

In the Caplin Platform Deployment Framework, a configuration macro `SSLCERT_PATH` is used to specify the directory path in the Liberator’s `https-passwordfile` setting. See Configuration macros and items. The password filename and path set up by default in the Liberator supplied with the Framework is /global_config/ssl/rttpd_https.pwd. This password file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pwd file that’s automatically copied to /global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: `https-passwordfile <password-filename-and-path>`

Type: string

Default value: `rttpd.https.pass`

## https-port

`https-port` specifies the network port that Liberator listens on for HTTPS connection requests.

In the Caplin Platform Deployment Framework, a configuration macro `LIBERATOR${THIS_LEG}_HTTPSPORT` is used to specify Liberator’s `https-port`. See Configuration macros and items and How can I …​ Configure how Liberator handles HTTPS connections.

Syntax: `https-port <network-port>`

Type: integer

Default value: `4443`

## https-privatekey

`https-privatekey` specifies the filename and directory path of the SSL (secure sockets layer) private key used for HTTPS connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

This item is overridden for specific virtual host connections by the https-privatekey option of the add-virtual-host that defines the virtual host.

In the Caplin Platform Deployment Framework, a configuration macro `SSLCERT_PATH` is used to specify the directory path in the Liberator’s `https-privatekey` setting. See Configuration macros and items. The key filename and path set up by default in the Liberator supplied with the Framework is /global_config/ssl/rttpd_https.key. This private key file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.key file that’s automatically copied to /global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.

Syntax: `https-privatekey <private-key-filename-and-path>`

Type: string

Default value: `cert.pem`

The default filename for the private key is the same as the certificate’s default filename (default for https-certificate) because both the certificate and the private key can be contained in the same file.

## https-ssl-options

`https-ssl-options` changes the protocols supported by the OpenSSL library packaged with Liberator. Use `https-ssl-options` to disable support for older versions of SSL, and to enable workarounds for known bugs in client implementations of SSL.

Syntax: `https-ssl-options <options>`

Type: string

Default value: `SSL_OP_NO_SSLv2`

Values accepted:

| Value | Meaning |
|---|---|
| `SSL_OP_ALL` | Enable all of OpenSSL’s workarounds for known bugs in client implementations of SSL. For the full list of workarounds enabled by this option, see SSL_CTX_set_options on the OpenSSL website. |
| `SSL_OP_NO_SSLv2` | Disable support for SSL 2 |
| `SSL_OP_NO_SSLv3` | Disable support for SSL 3 |
| `SSL_OP_NO_TLSv1` | Disable support for TLS 1 |
| `SSL_OP_NO_TLSv1_1` | Disable support for TLS 1.1 |
| `SSL_OP_NO_TLSv1_2` | Disable support for TLS 1.2 |

You can combine multiple values using the bitwise `|` operator. The example below disables support for SSLv2 and SSLv3, ensuring all connections are protected by at least TLSv1:

`https-ssl-options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3`
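The two items above, `https-cipher-list` and `https-ssl-options`, are both handed straight to OpenSSL as a cipher control string and an option bitmask. The following is an added example, not Liberator code and not part of this documentation: it uses Python's `ssl` module, which wraps the same OpenSSL calls (`SSL_CTX_set_cipher_list()` and `SSL_CTX_set_options()`), to show what a given control string expands to and which protocol versions a given `|`-combined option value switches off. The function names and the `SSL_OPTIONS` map are this example's own; the results reflect the OpenSSL build on the machine it runs on, not the one bundled with Liberator, so it is a way to preview a setting, not a reproduction of Liberator's behaviour.

```python
"""Added example (not Liberator code): preview an https-cipher-list control
string and an https-ssl-options value as the local OpenSSL would interpret them.
Python's ssl module wraps SSL_CTX_set_cipher_list() and SSL_CTX_set_options(),
the same calls Liberator uses for these two configuration items."""
import ssl
import warnings

# Option names accepted by https-ssl-options, mapped to the OpenSSL bits that
# Python exposes under the same names without the "SSL_" prefix.
SSL_OPTIONS = {
    "SSL_OP_ALL": ssl.OP_ALL,
    "SSL_OP_NO_SSLv2": ssl.OP_NO_SSLv2,
    "SSL_OP_NO_SSLv3": ssl.OP_NO_SSLv3,
    "SSL_OP_NO_TLSv1": ssl.OP_NO_TLSv1,
    "SSL_OP_NO_TLSv1_1": ssl.OP_NO_TLSv1_1,
    "SSL_OP_NO_TLSv1_2": ssl.OP_NO_TLSv1_2,
}

# Which SSL_OP_NO_* bit switches off which protocol version.
PROTOCOL_BITS = [
    ("SSLv2", ssl.OP_NO_SSLv2),
    ("SSLv3", ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2),
]


def parse_ssl_options(spec):
    """Combine an 'A|B|C' https-ssl-options value into one bitmask, which is
    exactly what the bitwise | in the configuration syntax means."""
    mask = 0
    for token in spec.split("|"):
        token = token.strip()
        if not token:
            continue
        if token not in SSL_OPTIONS:
            raise ValueError(f"unknown https-ssl-options value: {token}")
        mask |= SSL_OPTIONS[token]
    return mask


def disabled_protocols(spec):
    """Protocol versions that an https-ssl-options value leaves switched off."""
    mask = parse_ssl_options(spec)
    disabled = []
    for name, bit in PROTOCOL_BITS:
        # A zero bit means this OpenSSL build has dropped the protocol entirely
        # (SSL_OP_NO_SSLv2 is 0 from OpenSSL 1.1.0 on), so it is never offered.
        if bit == 0 or mask & bit:
            disabled.append(name)
    return disabled


def server_context(cipher_list="DEFAULT", ssl_options="SSL_OP_NO_SSLv2"):
    """Build a server-side context from the two configuration values; the
    argument defaults mirror the documented defaults of the two items."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if no suite matches
    with warnings.catch_warnings():
        # Python 3.10+ marks the OP_NO_* bits deprecated; they still apply.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= parse_ssl_options(ssl_options)
    return ctx


def resolve_cipher_list(cipher_list):
    """Expand a control string into the suite names OpenSSL would offer, in
    preference order. TLS 1.3 suites appear as well: OpenSSL configures them
    separately, so a cipher-list string neither adds nor removes them."""
    return [c["name"] for c in server_context(cipher_list).get_ciphers()]


if __name__ == "__main__":
    print(resolve_cipher_list("HIGH:MEDIUM"))  # the page's own example value
    print(disabled_protocols("SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3"))
    # Anonymous (unauthenticated) key exchange counts as HIGH on encryption
    # strength alone; "!aNULL" is how a control string excludes it.
    print(resolve_cipher_list("HIGH:!aNULL"))
```

Running it shows why a cipher list is worth previewing before deployment: `HIGH:MEDIUM` selects on encryption strength only, so an explicit exclusion such as `!aNULL` is what removes anonymous suites, and the set returned for the same string differs between OpenSSL versions, which is also why the page notes that `DEFAULT` varies with the OpenSSL build inside Liberator.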