Manual:Hotspot HTTPS example: Difference between revisions
Revision as of 08:09, 29 August 2016
Summary
Using the Hotspot server without HTTPS login enabled may result in a failure to redirect a client to the Hotspot authentication page if the requested page uses the HTTPS protocol. To avoid this scenario, "HTTPS login" should be enabled.
Hotspot HTTPs login provides:
- Extra security using SSL key encryption.
- Ability to redirect clients from HTTPS URLs.
This page describes how to use an SSL certificate to enable HTTPS login on a Hotspot server. Either a certificate signed by a trusted certification authority (CA) or a no-cost, self-signed certificate can be used.
Self-signed certificates
Self-signed certificates can be made at no cost and without involving a public CA. There are multiple free tools available for creating such certificates. The following examples show how to use OpenSSL on a Linux machine, and the RouterOS CLI, to generate and sign your own certificates.
RouterOS example:
First we need to create our own CA, which will sign the certificates
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate sign ca-template name=myCa
Now create a certificate for the Hotspot
/certificate add name=server-template common-name=server
/certificate sign server-template ca=myCa name=server
Mark the server certificate as trusted
/certificate set [find name=server] trusted=yes
OpenSSL example:
Here is an OpenSSL example for generating a free self-signed certificate. First create a private key
openssl genrsa -des3 -out Hotspot.key 1024
Generate certificate signing request
openssl req -new -key Hotspot.key -out Hotspot.csr
Sign the created certificate signing request
openssl x509 -req -days 365 -in Hotspot.csr -signkey Hotspot.key -out Hotspot.crt
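The OpenSSL steps above as one script that also checks the result before it is uploaded to the router. This is an added example, not from the wiki page or from MikroTik; it goes beyond the page by using a 2048-bit key, an unencrypted key file (so the import asks for no passphrase) and a subjectAltName, and it assumes OpenSSL 1.1.1 or later and the placeholder hostname hotspot.example.lan.

```shell
#!/bin/sh
# Added example (not from the MikroTik wiki page): generate a self-signed
# Hotspot certificate with OpenSSL and sanity-check it before importing it
# into RouterOS. Assumes openssl 1.1.1+ (-addext, -ext). HS_HOST and the
# file names are constructed placeholders.
set -e

HS_HOST="${HS_HOST:-hotspot.example.lan}"   # assumed hotspot DNS name
WORK="${WORK:-$(mktemp -d)}"                 # scratch directory for key/cert

# Generate a 2048-bit key and a self-signed certificate in one step. The key
# is written unencrypted (-nodes) so the RouterOS import needs no passphrase,
# and a SAN is added because browsers ignore the CN when matching hostnames.
make_hotspot_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/Hotspot.key" -out "$WORK/Hotspot.crt" \
        -subj "/CN=$HS_HOST" \
        -addext "subjectAltName=DNS:$HS_HOST" >/dev/null 2>&1
}

# Succeeds only if the private key belongs to the certificate (compares the
# SHA-256 of the DER public key taken from each file).
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/Hotspot.key" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORK/Hotspot.crt" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Succeeds if the certificate carries a DNS SAN for the hotspot hostname.
san_covers_host() {
    openssl x509 -in "$WORK/Hotspot.crt" -noout -ext subjectAltName \
        | grep -q "DNS:$HS_HOST"
}

# Succeeds if the certificate stays valid for at least 30 more days.
cert_valid_30d() {
    openssl x509 -in "$WORK/Hotspot.crt" -noout -checkend 2592000 >/dev/null
}

# Prints the RSA key size in bits as shown in the certificate text.
key_bits() {
    openssl x509 -in "$WORK/Hotspot.crt" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
```

Run make_hotspot_cert and the three checks before uploading Hotspot.crt and Hotspot.key to the router.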
Import certificates:
Now you need to upload and import the created key and certificate (CRT file) to the router
/certificate> import file-name=Hotspot.crt
passphrase: ****
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
and the key
/certificate> import file-name=Hotspot.key
passphrase: ****
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
Certificates are ready for use in Hotspot login.
Note: With a self-signed certificate, SSL warnings will still be shown on redirect. This is inherent to the SSL protocol: the Hotspot captive portal intercepts the client's HTTPS connection, so to SSL it looks exactly like a man-in-the-middle.
Trusted Certificate authority
To use HTTPS login without displaying an SSL warning in the client browser, a certificate signed by a trusted CA is required. The certificate import procedure is the same as described in the previous example.
Note: HTTPS sites such as Google, Facebook, etc. that use HSTS will still show an SSL error and will completely refuse to continue. In such a case the end user should try to access a different site.
The following NAT rule, placed at the top of the hs-unauth chain, returns HTTPS traffic from unauthorised clients before the Hotspot redirect rules are reached, so those connections are left alone rather than intercepted and failing with a certificate error:
/ip firewall nat add chain=hs-unauth action=return protocol=tcp dst-port=443 place-before=0
Hotspot HTTPs login
When the certificate and private key have been successfully imported on the router, first enable the SSL service and set the certificate name in /ip service:
/ip service set www-ssl certificate=client.crt_0 disabled=no
The next step is to enable HTTPS login on your Hotspot.
/ip hotspot profile set hsprof1 login-by=https ssl-certificate=client.crt_0
Now all HTTPS requests from unauthorised clients will be redirected to your Hotspot login page.
Note: HTTPS sites such as Google, Facebook, etc. that use HSTS will still show an SSL error and will completely refuse to continue. In such a case the end user should try to access a different site.