Using HTTPS with Thriftly

Thriftly now includes modern HTTPS support. Rather than implementing an encryption stack that contains all the mistakes of yesterday, we decided to give Thriftly a forward-looking HTTPS stack that uses the most secure and modern standards available. To that end, Thriftly 3.0 includes support for the latest TLS protocol versions. We’ll allow connections from some older protocols, but only back to TLS v1.1. There is no SSL or TLS v1.0 support included. Throughout this document we’ll refer to HTTPS using the acronym TLS (Transport Layer Security), the standard that HTTPS uses.

To use TLS in Thriftly you’ll need a signed certificate and a private key. If your private key is protected by a passphrase, you’ll need that as well. To get a certificate though, you first need a certificate signing request or CSR. Thriftly currently doesn’t generate CSRs, so you’ll need to do this externally. There are two common ways this is done:

* Using OpenSSL - For instructions using this method, which can be completed from the command line, click here.
* Using the Certificates Snap-In for MMC - Although Microsoft has instructions for generating a CSR, we’ve found the instructions from SSL Trust are more concise. Note that as you’re following these instructions, when you get down to the private key instructions, be sure to check the box “Make private key exportable”. Once you have your certificate, you can go back into the Certificates Snap-In and export the private key.
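The OpenSSL route described above, as an added example that is not part of the original Thriftly documentation: it creates a private key and a CSR, then checks that the CSR is validly self-signed and belongs to that key before you send it to a Certificate Authority. The function names and the host name passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Thriftly's own tooling). The host name you pass in is
# whatever name clients will use to reach your Thriftly server.

# make_csr HOST OUTDIR: write HOST.key (private key) and HOST.csr into OUTDIR.
make_csr() {
    host=$1
    outdir=$2
    key="$outdir/$host.key"
    csr="$outdir/$host.csr"
    cnf="$outdir/$host.cnf"

    # Request config: no interactive prompts, subject CN plus a matching
    # subjectAltName, which is the field clients check the host name against.
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF

    # umask 077 so the key file is created readable by its owner only.
    # The key is written without a passphrase here; adding -aes256 to genrsa
    # sets one, and you will then be asked for it whenever the key is used.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$key" -config "$cnf" -out "$csr" || return 1
}

# check_csr CSR KEY: succeed only if the CSR's self-signature verifies and
# the public key inside the CSR is the one belonging to KEY.
check_csr() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}
```

Only the `.csr` file goes to the Certificate Authority; the `.key` file stays on the machine that will serve TLS.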

Once you have a CSR, it needs to be submitted to a recognized Certificate Authority. There are many out there, and the price to purchase a certificate varies widely [1]. Because of this, we don’t offer advice on where to get your certificate. Most signing authorities will allow you to download your certificate in multiple formats. You can complete the certificate request in the Certificates Snap-In

Footnotes