Dave,

Sorry it's taken me so long to get back to you on this.  I've taken a
quick look at this and need a little more information.

First of all, you're using one file as your key and your cert file.
But the file you've supplied only contains a cert.  Naturally it can't
be used as a key unless it contains a key.

http://docs.python.org/dev/library/ssl.html#combined-key-and-certificate

At this point, I'm only addressing the potential issues with Rocket.
So I'm not going to address the admin-disablement thing.

Currently neither Rocket nor web2py verifies that the key and cert
file you supply actually match each other; Rocket just trusts that you
know what you're doing.  Hence why zeroing out a line does not prevent
it from serving what you give it.

I don't see an easy way in Python to match the two right now.  I've
only done a cursory look, but if you know a better way...I'm all ears.

Cheers,
tim

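An added example (not Tim's, Dave's, or the web2py/Rocket code) showing how the two checks raised in this thread can be done from Python: whether the file passed as the key holds a private key at all, and whether key and certificate match. It uses only the standard library, plus the openssl command line tool for the last function; file names and the constructed sample text are assumptions.

```python
import re
import ssl
import subprocess
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_labels(pem_text):
    """Labels of every PEM block in the text, e.g. ['CERTIFICATE']."""
    return PEM_BLOCK.findall(pem_text)


def has_private_key(pem_text):
    """True if at least one PEM block in the text is a private key."""
    return any(label in KEY_LABELS for label in pem_labels(pem_text))


def check_cert_and_key(certfile, keyfile):
    """Return (ok, reason).  ok is True only when keyfile holds a private
    key whose public part matches the certificate in certfile."""
    key_text = Path(keyfile).read_text()
    if not has_private_key(key_text):
        # The case from the thread: -k pointed at a file holding only a cert.
        found = ", ".join(pem_labels(key_text)) or "no PEM blocks"
        return False, "%s contains %s but no private key" % (keyfile, found)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # OpenSSL compares the key against the already loaded certificate
        # and raises e.g. "[X509: KEY_VALUES_MISMATCH] key values mismatch".
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError as exc:
        return False, "OpenSSL rejected the pair: %s" % exc
    return True, "key and certificate match"


def key_is_consistent(keyfile):
    """Return (ok, message) from OpenSSL's own RSA consistency check
    (p*q == n, d against e, the CRT values), which load_cert_chain()
    does not perform.  Assumes the openssl command line tool is on PATH."""
    result = subprocess.run(["openssl", "rsa", "-in", keyfile, "-check", "-noout"],
                            capture_output=True, text=True)
    message = (result.stdout + result.stderr).strip()
    return result.returncode == 0, message
```

load_cert_chain() only has OpenSSL compare the public components, so a key whose private CRT values are damaged but still parse as ASN.1 can pass that check; key_is_consistent() is the one that catches that case.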

On Nov 9, 11:45 pm, Dave Johnson <davejjohn...@gmail.com> wrote:
> If you start up web2py with key/cert for SSL, web2py runs in SSL mode.
>
> In the startup message it says you can connect via http, but if you attempt
> to connect via plain http, you will get a
>
> "Bad Request"
>
> in your browser.
>
> [d...@thinkbox web2py]$ python web2py.py -c mycert.pem -k mycert.pem -i
> 192.168.1.119 -a hi
> web2py Enterprise Web Framework
> Created by Massimo Di Pierro, Copyright 2007-2010
> Version 1.88.2 (2010-10-29 23:04:43)
> Database drivers available: SQLite3
> Starting hardcron...
> please visit:
>        http://192.168.1.119:8000
> use "kill -SIGTERM 30522" to shutdown the web2py server
> =============
>
> Here are some thoughts:
>
> * If not running SSL and you specified a non-loopback interface for web2py
> to run on, the command line "should" warn about possible disablement of
> admin site?
>
> * Check that if you specify a cert on command line, you need to specify a
> key (and vice-versa?)
>   -- The command line silently "fails" (although there is checking in
> main.py:)
>         if not ssl_certificate or not ssl_private_key:
>               logger.info('SSL is off')
>
> * Do a check that private key and cert match.
>
> And now for the more interesting item, for some reason SSL connection still
> works with the following cert private key (note: I zeroed out a line in my
> private key!)
> Am I missing something here...?
>
> [d...@thinkbox web2py]$ cat mycert.pem
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
>
> [d...@thinkbox web2py]$ cat mybad.pem
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
