# Gavin Andresen # 2010-09-15 15:16:41 # https://bitcointalk.org/index.php?topic=978.msg12880#msg12880

Implementation was easy, once I figured out how boost::asio::ssl::stream worked...

Anyway, I've created a git branch for anybody who's willing to help test:
(link)

Documentation for what I done did:

Communicating with the Bitcoin JSON-RPC interface over SSL (https)

By default, bitcoin allows JSON-RPC commands to be sent to (link), and accepts connections only from the local host.

It can be configured to allow https connections from other hosts; three things must be set up for this to work properly:

1. You must set up a server certificate and private key. A self-signed certificate will work, you don't need a certificate signed by Verisign or another certificate authority.

By default, bitcoin looks for the server's private key file in a "server.pem" in the bitcoin data directory (e.g. ~/.bitcoin/server.pem on unix), and the server certificate file in "server.cert". To generate them using the openssl command-line program, run:

cd ~/.bitcoin
openssl genrsa -out server.pem 2048
openssl req -new -x509 -nodes -sha1 -days 3650 -key server.pem > server.cert

You should NOT enter a passphrase.

2. Specify the IP addresses of clients that are allowed to connect using "rpcallowip" configuration file options.

Edit the bitcoin.conf file (in the bitcoin data directory), and add a line for each IP address allowed to connect:
rpcallowip=10.11.13.15
rpcallowip=10.11.13.16
You may also allow connections from any IP address in a subnet using *:
rpcallowip=192.168.1.*
rpcallowip=10.1.*.*
You can also specify 'rpcallowip=*' to allow all IP addresses.

Connections from the local host (127.0.0.1) are always allowed.

3. You must tell bitcoin to use ssl using the "rpcssl" configuration file option.

Edit the bitcoin.conf file, and add:
rpcssl=true

Restart bitcoin or bitcoind to make these changes take effect. You can test bitcoin's ssl functionality using the openssl s_client command:

openssl s_client -connect localhost:8332

The connection should be successful and you should see the server's certificate details. If you press return twice, you should get a 'HTTP/1.0 401 Authorization Required' response.


Client setup

Once the server is accepting https connections, to be secure you should make sure the client is actually connecting to the bitcoin server and not an attacker trying to hijack the connection.

If you can, you should copy the server.cert certificate chain file to the client machine and use it to validate the OpenSSL connection. For example, in php you would call stream_context_create() with the 'verify_peer' and 'ca_file' options and then call stream_context_set_default().

If you can't validate using the server certificate, you should connect to the server using its IP address instead of its host name.


All HTTPS-JSON-RPC-related bitcoin.conf options:

rpcport : default: 8332. Listen for connections on this port
rpcuser : user for HTTP BASIC authentication
rpcpassword : password for HTTP BASIC authentication
rpcssl : Not set by default; if set, bitcoin will only accept SSL connections
rpcallowip : Allow a client at this IP address to connect (may be specified multiple times)
rpcsslciphers : default "TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!AH:!3DES:@STRENGTH" (see the OpenSSL documentation for syntax)
rpcsslcertificatechainfile : default "server.cert"
rpcsslprivatekeyfile : default "server.pem"
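The rpcallowip matching rules (step 2) and the certificate-pinning client from the "Client setup" section, as an added Python example that is not part of Gavin's post or of Bitcoin's own code. It assumes that a `*` in an rpcallowip value stands for exactly one whole octet, that bitcoin.conf lines beginning with `#` are comments, and that a client pins the copied server.cert by loading it as its only trusted CA; the config fragment, addresses and credentials it uses are constructed for the example.

```python
# Added illustration, not Bitcoin's own code: rpcallowip matching as the post
# describes it, plus an HTTPS JSON-RPC client that trusts only the copied server.cert.
import base64
import http.client
import json
import ssl

LOCALHOST = "127.0.0.1"  # per the post, the local host is always allowed


def _octet(part):
    """Return an IPv4 octet as a canonical string, or raise on anything else."""
    if not part.isdigit() or not 0 <= int(part) <= 255:
        raise ValueError(f"bad IPv4 octet: {part!r}")
    return str(int(part))


def parse_allow_pattern(pattern):
    """Parse one rpcallowip value into four parts, each an octet string or '*'.

    Covers the three shapes in the post: an exact address (10.11.13.15), a subnet
    with '*' for trailing octets (192.168.1.*, 10.1.*.*) and a bare '*' for every
    address.  Assumption: '*' is a whole octet; partial wildcards like '19*' are rejected.
    """
    pattern = pattern.strip()
    if pattern == "*":
        return ["*", "*", "*", "*"]
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad rpcallowip pattern: {pattern!r}")
    return [p if p == "*" else _octet(p) for p in parts]


def is_ip_allowed(client_ip, allow_patterns):
    """True if client_ip is 127.0.0.1 or matches any configured rpcallowip pattern."""
    if client_ip == LOCALHOST:
        return True
    octets = [_octet(p) for p in client_ip.split(".")]
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {client_ip!r}")
    for pattern in allow_patterns:
        parts = parse_allow_pattern(pattern)
        if all(p == "*" or p == o for p, o in zip(parts, octets)):
            return True
    return False


def load_allowlist(conf_text):
    """Collect the rpcallowip= values from bitcoin.conf text ('#' lines assumed to be comments)."""
    patterns = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "rpcallowip":
            patterns.append(value.strip())
    return patterns


def build_rpc_request(method, params, user, password):
    """JSON-RPC body plus the HTTP BASIC Authorization header (rpcuser/rpcpassword)."""
    body = json.dumps({"jsonrpc": "1.0", "id": "example", "method": method, "params": params})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return body, {"Authorization": "Basic " + token, "Content-Type": "application/json"}


def make_pinned_context(ca_file):
    """TLS context trusting only the server.cert copied from the bitcoin server.

    The post's 'verify_peer' + 'ca_file' idea in Python terms: a certificate that
    does not chain to that file is rejected, so a hijacked connection fails instead
    of silently handing rpcuser/rpcpassword to whoever answered.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # check_hostname stays on: the name or IP you connect with must match the
    # certificate's subject, so generate server.cert with the right CN/SAN.
    return ctx


def rpc_call(host, method, params, user, password, ca_file, port=8332):
    """POST one JSON-RPC command over HTTPS to bitcoind and return the decoded reply."""
    body, headers = build_rpc_request(method, params, user, password)
    conn = http.client.HTTPSConnection(host, port, context=make_pinned_context(ca_file))
    conn.request("POST", "/", body, headers)
    reply = conn.getresponse()
    if reply.status == 401:  # the same 401 the s_client test in the post shows
        raise PermissionError("HTTP 401: check rpcuser/rpcpassword")
    return json.loads(reply.read())


if __name__ == "__main__":
    # Constructed bitcoin.conf fragment mirroring the post's examples.
    conf = "# constructed config\nrpcssl=true\nrpcallowip=10.11.13.15\nrpcallowip=192.168.1.*\nrpcallowip=10.1.*.*\n"
    allow = load_allowlist(conf)
    for ip in ("127.0.0.1", "10.11.13.15", "192.168.1.77", "10.1.9.9", "10.2.0.1"):
        print(ip, "allowed" if is_ip_allowed(ip, allow) else "rejected")
```

Running the script prints the first four addresses as allowed and 10.2.0.1 as rejected; `rpc_call` is only exercised against a real bitcoind with server.cert copied to the client, and its TLS context fails closed when the server presents any other certificate.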