Cleanup SSL certificate support

Fix #208

README.rst

@@ -107,7 +107,7 @@ You need to copy init/gns3.service.systemd to /lib/systemd/system/gns3.service
 .. code:: bash
 
     sudo chown root /lib/systemd/system/gns3.service
-    sudo 
+    sudo systemctl start gns3
 
 Windows
 -------
@@ -164,3 +164,29 @@ and homebrew: http://brew.sh/.
    gns3server
 
 
+SSL
+---
+
+If you want enable SSL support on GNS3 you can generate a self signed certificate:
+
+.. code:: bash
+
+    bassh gns3server/cert_utils/create_cert.sh
+
+This command will put the files in ~/.config/gns3/ssl on Linux and  ~/.config/gns3.net/ssl on MacOSX.
+
+After you can start the server in SSL mode with:
+
+.. code:: bash
+
+    python gns3server/main.py --certfile ~/.config/gns3.net/ssl/server.cert --certkey ~/.config/gns3.net/ssl/server.key --ssl
+
+
+Or in your gns3_server.conf by adding in the Server section:
+
+.. code:: ini
+    
+    [Server]
+    certfile=/Users/noplay/.config/gns3.net/ssl/server.cert
+    certkey=/Users/noplay/.config/gns3.net/ssl/server.key
+    ssl=True

gns3server/cert_utils/create_cert.sh

@@ -17,27 +17,15 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# Bash shell script for generating self-signed certs. Run this in a folder, as it
+# Bash shell script for generating self-signed certs.
-# generates a few files. Large portions of this script were taken from the
+# The certicate is automaticaly put in your GNS3 config
-# following artcile:
-#
-# http://usrportage.de/archives/919-Batch-generating-SSL-certificates.html
-#
-# Additional alterations by: Brad Landers
-# Date: 2012-01-27
-# https://gist.github.com/bradland/1690807
 
-# Script accepts a single argument, the fqdn for the cert
+if [[ "$OSTYPE" == "darwin"* ]]; then
-
+    DST_DIR="$HOME/.config/gns3.net/ssl"
-DST_DIR="$HOME/.config/GNS3Certs/"
+else
-OLD_DIR=`pwd`
+    DST_DIR="$HOME/.config/gns3/ssl"
-
-#GNS3 Server expects to find certs with the default FQDN below. If you create
-#different certs you will need to update server.py
-DOMAIN="$1"
-if [ -z "$DOMAIN" ]; then
-  DOMAIN="gns3server.localdomain.com"
 fi
+OLD_DIR=`pwd`
 
 fail_if_error() {
   [ $1 != 0 ] && {
@@ -52,48 +40,6 @@ mkdir -p $DST_DIR
 fail_if_error $?
 cd $DST_DIR
 
+SUBJ="/C=CA/ST=Alberta/O=GNS3SELF/localityName=Calgary/commonName=localhost/organizationalUnitName=GNS3Server/emailAddress=gns3cert@gns3.com"
 
-# Generate a passphrase
+openssl req -nodes -new -x509 -keyout server.key -out server.cert -subj "$SUBJ"
-export PASSPHRASE=$(head -c 500 /dev/urandom | tr -dc a-z0-9A-Z | head -c 128; echo)
-
-# Certificate details; replace items in angle brackets with your own info
-subj="
-C=CA
-ST=Alberta
-O=GNS3
-localityName=Calgary
-commonName=$DOMAIN
-organizationalUnitName=GNS3Server
-emailAddress=gns3cert@gns3.com
-"
-
-# Generate the server private key
-openssl genrsa -aes256 -out $DOMAIN.key -passout env:PASSPHRASE 2048
-fail_if_error $?
-
-#openssl rsa -outform der -in $DOMAIN.pem -out $DOMAIN.key -passin env:PASSPHRASE
-
-# Generate the CSR
-openssl req \
-    -new \
-    -batch \
-    -subj "$(echo -n "$subj" | tr "\n" "/")" \
-    -key $DOMAIN.key \
-    -out $DOMAIN.csr \
-    -passin env:PASSPHRASE
-fail_if_error $?
-cp $DOMAIN.key $DOMAIN.key.org
-fail_if_error $?
-
-# Strip the password so we don't have to type it every time we restart Apache
-openssl rsa -in $DOMAIN.key.org -out $DOMAIN.key -passin env:PASSPHRASE
-fail_if_error $?
-
-# Generate the cert (good for 10 years)
-openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt
-fail_if_error $?
-
-echo "${DST_DIR}${DOMAIN}.key"
-echo "${DST_DIR}${DOMAIN}.crt"
-
-cd $OLD_DIR

gns3server/server.py

@@ -163,6 +163,7 @@ class Server:
         except ssl.SSLError as e:
             log.critical("SSL error: {}".format(e))
             raise SystemExit
+        log.info("SSL is enabled")
         return ssl_context
 
     @asyncio.coroutine