diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index c31fb72bd2c7d2a7e5dcf5b7a8154601af1bab2c..1cbb13a3c7870a0b66c3b5bb1c51b2c317411952 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -129,7 +129,7 @@ class ApplicationController < ActionController::Base when 502 raise BadGateway, msg else - raise ServerError, "Request to #{http.uri.to_s} failed with unexpected status #{status}: #{http.response} ; could be a problem with our version of eventmachine not supporting IPv6" + raise ServerError, "Request to #{http.uri.to_s} failed with unexpected status #{status}: #{http.response} ; could be a problem with our version of eventmachine not supporting IPv6, or TLS problems" end end diff --git a/app/controllers/jobs_controller.rb b/app/controllers/jobs_controller.rb index 1d2e4c77db27520803be723564095b337cfd3ab9..663fc79a152e098f994ffd82a31c4f24f51ca632 100644 --- a/app/controllers/jobs_controller.rb +++ b/app/controllers/jobs_controller.rb @@ -78,12 +78,14 @@ class JobsController < ApplicationController )+"/internal/oarapi/jobs/#{params[:id]}.json", :out ) + options=tls_options_for(url, :out) http = EM::HttpRequest.new(url).delete( :timeout => 5, :head => { 'X-Remote-Ident' => @credentials[:cn], 'Accept' => media_type(:json) - } + }, + :tls => options ) continue_if!(http, :is => [200,202,204,404]) @@ -122,6 +124,7 @@ class JobsController < ApplicationController url = uri_to( site_path(params[:site_id])+"/internal/oarapi/jobs.json", :out ) + options=tls_options_for(url, :out) http = EM::HttpRequest.new(url).post( :timeout => 20, :body => job_to_send.to_json, @@ -129,7 +132,8 @@ class JobsController < ApplicationController 'X-Remote-Ident' => @credentials[:cn], 'Content-Type' => media_type(:json), 'Accept' => media_type(:json) - } + }, + :tls => options ) continue_if!(http, :is => [201,202]) 
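Review bot: The reworded `+` line still interpolates the whole upstream body (`#{http.response}`) together with a guessed cause, so whatever rescues `ServerError` receives the raw internal OAR reply; whether that text reaches API clients depends on the rescue handler, which is outside this hunk. Consider logging the body and keeping the raised message to what the caller needs, e.g. `Rails.logger.error("Upstream #{http.uri} returned #{status}: #{http.response}")` followed by `raise ServerError, "Request to #{http.uri} failed with unexpected status #{status}"`. `#{http.uri.to_s}` can drop the `.to_s`, which interpolation already performs. The enclosing `case` and method start before this hunk.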
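Review bot: `options=tls_options_for(url, :out)` in the `-78` hunk of jobs_controller.rb, and again in the `-122` hunk, introduces a local that is used exactly once and is spaced differently from the surrounding `url = uri_to(` style; `:tls => tls_options_for(url, :out)` directly in the argument hash would remove the local in both places. Per the router.rb hunk on this page `tls_options_for` does not use `url`, so the same options are attached whether `base_uri_out` is `http://` or `https://`; nothing here shows that to be a problem for plain HTTP, but a short comment such as `# client cert / verify_peer for the outgoing OAR API connection; see Grid5000::Router.tls_options_for` would tell the next reader why a delete/post carries TLS settings. The `delete(` and `post(` calls both start before and continue past their hunks.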
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 88e4bf87d7eefa60a70867f893bdfcbb0bb01cd6..564ae15b4033064ccb715061c9717cdc0d00e910 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -26,6 +26,10 @@ module ApplicationHelper
     Grid5000::Router.uri_to(request, path, in_or_out, relative_or_absolute)
   end
 
+  def tls_options_for(url, in_or_out = :in)
+    Grid5000::Router.tls_options_for(url, in_or_out)
+  end
+
   def repository
     @repository ||= Grid5000::Repository.new(
       File.expand_path(
diff --git a/config/defaults.yml b/config/defaults.yml
index 940109b3eacb772be46c32d4913e4b91e4eeb311..d405c9094ea1318d71ff450d2246ab13626bde5c 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -28,7 +28,10 @@ defaults: &defaults
 development:
   <<: *defaults
   base_uri_in: http://localhost:8000
-  base_uri_out: http://localhost:8000
+  base_uri_out: https://127.0.0.1:8443
+  uri_out_private_key_file: /etc/ssl/certs/clientkey_nopass.pem
+  uri_out_cert_chain_file: /etc/ssl/certs/clientcert.pem
+  uri_out_verify_peer: false
   notifications_uri: https://localhost:3443/sid/notifications
   reference_repository_path: ~/reference-repository
   smtp_host: localhost
diff --git a/debian/changelog b/debian/changelog
index 76f9a56e62778d8586ebd3cb0f65fb6af35b8f85..38df184bc00b633deea79cb8b1070a9860339bb2 100644
--- a/debian/changelog
+++ b/debian/changelog
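Review bot: The new `tls_options_for` helper in application_helper.rb has no comment although its result goes straight into `EM::HttpRequest`; a one-liner above the `def` would do: `# Hash for EM::HttpRequest's :tls option, built from the uri_<in_or_out>_* config keys (see Grid5000::Router.tls_options_for).` The `url` argument is forwarded but, in the router.rb hunk on this page, not used, so the comment could state that the options currently depend only on `in_or_out`.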
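Review bot: `uri_out_verify_peer: false` in the defaults.yml hunk is a no-op with the router.rb implementation on this page, which copies a config value only when it is truthy (`if Rails.my_config(config_key)`), so an explicit `false` is indistinguishable from the key being absent and the library default applies. Either drop the key or, if it is meant to document the development setting, keep it with a comment such as `# dev CA is self-signed; peer verification is left at the em-http default (see Router.tls_options_for)`, bearing in mind that the puppet hunk on this page does generate `/etc/ssl/certs/ca.pem`, so development could verify the server once a trust anchor can be configured. Keeping the unencrypted client key under `/etc/ssl/certs/` rather than `/etc/ssl/private/` is unusual; whatever the path, it should be readable by the app user only.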
@@ -1,3 +1,21 @@
+g5k-api (4.0.2-1) jessie; urgency=low
+
+  * 3863f5b Merge pull request #39 from grid5000/bug8030-rebased-add-job-noop
+  * e407526 Add noop jobs in test database and update existing tests
+  * e664b28 Merge pull request #43 from grid5000/deprecate_should
+  * a1944ec Make sure .should syntax does not come back
+  * f6c842d Migrate specs from deprecated .should syntax
+  * 2fd3084 Merge pull request #42 from grid5000/bugs/#8542
+  * 3f24950 Use X_FORWARDED_HOST only for base_uri(:in)
+  * 7d94b4e Merge pull request #41 from grid5000/bugs/#8542
+  * 8a994fb Overide protocol for servers:port when routing
+  * 5b21807 Update webui dev environment
+  * aa68065 Make reference to exhibit relative
+  * 9391686 Merge pull request #40 from grid5000/bugs/#8536
+  * 17515ed Compute absolute urls using X-Forwarded-Host
+
+ -- David Margery Tue, 26 Sep 2017 07:41:30 +0000
+
 g5k-api (4.0.1-1) jessie; urgency=low
 
   * 339f949 Merge pull request #37 from grid5000/bug#8489_API_ROOT_PATH
diff --git a/lib/grid5000/router.rb b/lib/grid5000/router.rb
index 18590badcb56e88b0c3138876151da472ffc1ba3..9290ec530df51d132c6cce32f6ef9634cf46afe4 100644
--- a/lib/grid5000/router.rb
+++ b/lib/grid5000/router.rb
@@ -94,6 +94,18 @@ module Grid5000
         Rails.my_config("base_uri_#{in_or_out}".to_sym)
       end
     end
+
+    def tls_options_for(url, in_or_out = :in)
+      tls_options={}
+      [:cert_chain_file, :private_key_file, :verify_peer, :fail_if_no_peer_cert,
+       :cipher_list, :ecdh_curve, :dhparam, :ssl_version].each do |tls_param|
+        config_key=("uri_#{in_or_out.to_s}_"+tls_param.to_s).to_sym
+        if Rails.my_config(config_key)
+          tls_options[tls_param]=Rails.my_config(config_key)
+        end
+      end
+      tls_options
+    end
   end
 end
 end
diff --git a/lib/grid5000/version.rb b/lib/grid5000/version.rb
index 9429572333d45f914025abb62e0e6c74f499e344..9c20d07e1dad88e794a01e3f9a21afe1f03f5d24 100644
--- a/lib/grid5000/version.rb
+++ b/lib/grid5000/version.rb
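Review bot: `if Rails.my_config(config_key)` in the router.rb hunk filters on truthiness, so a configured `false` (for example the `uri_out_verify_peer: false` that config/defaults.yml on this page sets) is silently dropped when only `nil` should be; the option-name list is also rebuilt on every call, and the key is assembled by string concatenation with a redundant `.to_s`. The rewrite below keeps the signature (including the unused `url`, which callers on this page pass positionally) and the returned hash, and changes only which values are copied: anything non-nil. Place `TLS_PARAMS` on the class rather than inside a `class << self` block if that is where this method lives; the enclosing scope starts before the hunk. A doc comment stating that keys are read as `uri_<in_or_out>_<param>` and handed to `EM::HttpRequest`'s `:tls` option would also help the spec author, who currently exercises only truthy values.
```ruby
# TLS options accepted by EM::HttpRequest's :tls hash; each may be set per
# direction as uri_in_<name> / uri_out_<name> in the application config.
TLS_PARAMS = %i[cert_chain_file private_key_file verify_peer fail_if_no_peer_cert
                cipher_list ecdh_curve dhparam ssl_version].freeze

def tls_options_for(url, in_or_out = :in)
  TLS_PARAMS.each_with_object({}) do |tls_param, tls_options|
    value = Rails.my_config(:"uri_#{in_or_out}_#{tls_param}")
    # copy an explicit false as well; only an unset key leaves the library default in place
    tls_options[tls_param] = value unless value.nil?
  end
end
```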
@@ -13,5 +13,5 @@
 # limitations under the License.
 module Grid5000
-  VERSION = "4.0.1"
+  VERSION = "4.0.2"
 end
diff --git a/puppet/development/modules/apache/manifests/init.pp b/puppet/development/modules/apache/manifests/init.pp
index 34ce9deb7439c0b2f42eaeec2a0c226be3760c0b..cb0d24c353401ffe9a5f890499d5294a5f770e9c 100644
--- a/puppet/development/modules/apache/manifests/init.pp
+++ b/puppet/development/modules/apache/manifests/init.pp
@@ -36,12 +36,71 @@ class apache { file { '/vagrant/lib/tasks/tunneling.rake': mode => '0644', - owner => root, - group => root, + owner => vagrant, + group => vagrant, content => template('apache/tunneling.rake.erb'), } - exec { + file { "/etc/ssl/secret": + ensure => present, + content => "authority_pass\n", + mode => '0600', owner => root, group => root, + } + + file { "/etc/ssl/certs/ca.srl": + ensure => present, + content => "01\n", + mode => '0644', owner => root, group => root, + } + + exec { "Generate certificate authority": + command => "/usr/bin/openssl req -new -x509 -days 3650 -keyform PEM -keyout /etc/ssl/private/cakey.pem -outform PEM -out /etc/ssl/certs/ca.pem -passout file:/etc/ssl/secret -batch -subj \"/C=FR/ST=Bretagne/L=Rennes/O=dev/OU=Grid5000/CN=vagrant/emailAddress=support-staff@lists.grid5000.fr\"", + user => root, group => root, + require => File["/etc/ssl/secret"], + creates => "/etc/ssl/private/cakey.pem", + } + + exec { "Create client key and csr": + user => root, group => root, + command => "/usr/bin/openssl req -new -newkey rsa:2048 -keyout /etc/ssl/certs/clientkey.pem -out /etc/ssl/clientcsr.pem -batch -subj \"/C=FR/ST=Bretagne/L=Rennes/O=dev/OU=Grid5000/CN=client/emailAddress=support-staff@lists.grid5000.fr\" -passout file:/etc/ssl/secret", + creates => "/etc/ssl/clientcsr.pem", + } + + exec { "Sign client csr": + user => root, group => root, + require => [Exec["Create client key and csr","Generate certificate authority"], File["/etc/ssl/certs/ca.srl"]], + command => "/usr/bin/openssl x509 -days 3650 -CA /etc/ssl/certs/ca.pem -CAkey /etc/ssl/private/cakey.pem -req -in /etc/ssl/clientcsr.pem -outform PEM -out /etc/ssl/certs/clientcert.pem -extensions usr_cert -passin file:/etc/ssl/secret", + creates => "/etc/ssl/certs/clientcert.pem", + } + + exec { "Remove client key password": + user => root, group => root, + require => Exec["Sign client csr"], + command => "/usr/bin/openssl rsa -in /etc/ssl/certs/clientkey.pem -out 
/etc/ssl/certs/clientkey_nopass.pem -passin file:/etc/ssl/secret -passout pass:''", + creates => "/etc/ssl/certs/clientkey_nopass.pem" + } + + exec { "Create server key and csr": + user => root, group => root, + command => "/usr/bin/openssl req -new -newkey rsa:2048 -keyout /etc/ssl/private/serverkey.pem -out /etc/ssl/servercsr.pem -passout file:/etc/ssl/secret -batch -subj \"/C=FR/ST=Bretagne/L=Rennes/O=dev/OU=Grid5000/CN=server/emailAddress=support-staff@lists.grid5000.fr\"", + creates => ["/etc/ssl/servercsr.pem","/etc/ssl/private/serverkey.pem"] + } + + exec { "Sign server csr": + user => root, group => root, + require => [Exec["Create server key and csr","Generate certificate authority"], File["/etc/ssl/certs/ca.srl"]], + command => "/usr/bin/openssl x509 -days 3650 -CA /etc/ssl/certs/ca.pem -CAkey /etc/ssl/private/cakey.pem -req -in /etc/ssl/servercsr.pem -outform PEM -out /etc/ssl/certs/servercert.pem -passin file:/etc/ssl/secret", + creates => "/etc/ssl/certs/servercert.pem", + } + + exec { "Remove server key password": + user => root, group => root, + require => Exec["Sign server csr"], + command => "/usr/bin/openssl rsa -in /etc/ssl/private/serverkey.pem -out /etc/ssl/certs/serverkey_nopass.pem -passin file:/etc/ssl/secret -passout pass:''", + creates => "/etc/ssl/certs/serverkey_nopass.pem" + } + + exec { "enable site api-proxy-dev": command => "/usr/sbin/a2ensite api-proxy-dev", unless => "/usr/bin/test -f /etc/apache2/sites-enabled/api-proxy-dev.conf", @@ -95,6 +154,13 @@ class apache { require => Package["apache2"]; } + exec{ "enable apache ssl module": + command => "/usr/sbin/a2enmod ssl ", + notify => Service["apache2"], + creates => "/etc/apache2/mods-enabled/ssl.load", + require => Package["apache2-dev"]; + } + exec { "enable module deflate configuration": command => "/usr/sbin/a2enconf deflate", 
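Review bot: `Create client key and csr` and `Create server key and csr` read the passphrase via `-passout file:/etc/ssl/secret` but, unlike `Generate certificate authority`, carry no `require => File["/etc/ssl/secret"]`, so they rely on manifest ordering for the file to exist first; add `require => File["/etc/ssl/secret"],` to both execs. The generated private keys (`clientkey.pem`, `clientkey_nopass.pem`, `serverkey_nopass.pem`) are written into the normally world-readable `/etc/ssl/certs/` with whatever mode the installed OpenSSL's defaults give, and nothing in the hunk tightens it; a `file` resource per key such as `file { '/etc/ssl/certs/clientkey_nopass.pem': mode => '0600', owner => <app user>, require => Exec['Remove client key password'] }` (or `umask => '077'` on the execs where the Puppet version supports it) keeps the unencrypted keys readable by the app user only. This is the development VM, but config/defaults.yml on this page points the app at exactly these paths, so the mode matters on any shared dev box. The `file { '/vagrant/lib/tasks/tunneling.rake'` resource starts before this hunk.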
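Review bot: `enable apache ssl module` in the second init.pp hunk requires `Package["apache2-dev"]` while the context line just above it and the neighbouring `enable site api-proxy-dev` exec use `Package["apache2"]`, which is the package that ships `/usr/sbin/a2enmod`; unless `apache2-dev` is the only apache package this module declares, `require => Package["apache2"];` expresses the real dependency and stays consistent with the rest of the class. The trailing space in `"/usr/sbin/a2enmod ssl "` is harmless but looks accidental. The `class apache` body continues outside the hunk.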
diff --git a/puppet/development/modules/apache/templates/api-proxy-dev.erb b/puppet/development/modules/apache/templates/api-proxy-dev.erb index cafb0724b354b9506696236098925b183bc07a15..0f9777be46a6f151fc46a48b362dd0a47705cd04 100644 --- a/puppet/development/modules/apache/templates/api-proxy-dev.erb +++ b/puppet/development/modules/apache/templates/api-proxy-dev.erb @@ -5,6 +5,41 @@ <% oardbsite = scope.lookupvar('oardbsite') -%> <% developer = scope.lookupvar('developer') -%> + +Listen 8443 + + + TimeOut 300 + ServerName <%= @fqdn %> + ServerAlias server api.grid5000.fr + DocumentRoot /vagrant/public + + CustomLog /var/log/apache2/api-proxy-dev-ssl.log "%v %h %l %t %D \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" + ErrorLog syslog:local1 + + # Set up SSL proxy engine + SSLEngine On + SSLProtocol all + SSLCipherSuite HIGH:MEDIUM + SSLCertificateFile /etc/ssl/certs/servercert.pem + SSLCertificateKeyFile /etc/ssl/certs/serverkey_nopass.pem + + # Enable SSL client certificates verification + SSLCACertificateFile /etc/ssl/certs/ca.pem + SSLVerifyClient require + # the client certificate should be signed by the first CA (ca.grid5000.fr) + SSLVerifyDepth 1 + + + Require all granted + require ssl + + ProxyPass http://127.0.0.1:8080/ retry=1 + + + + + Listen 8080 diff --git a/spec/lib/grid5000/router_spec.rb b/spec/lib/grid5000/router_spec.rb index 096b69ab29743745e2b30d2149ca42e8b92d0dee..9c5ddaf9c187f2309cdc5c88100352ce7f3af5c6 100644 --- a/spec/lib/grid5000/router_spec.rb +++ b/spec/lib/grid5000/router_spec.rb 
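Review bot: `SSLProtocol all` and `SSLCipherSuite HIGH:MEDIUM` on the new 8443 vhost allow SSLv3 where the Apache/OpenSSL build still supports it and admit medium-strength suites, which is weaker than needed even for a dev proxy whose only client is the app's own em-http connection; `SSLProtocol all -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5` are the usual minimum. The comment `# the client certificate should be signed by the first CA (ca.grid5000.fr)` does not match this setup, where `SSLCACertificateFile /etc/ssl/certs/ca.pem` is the self-signed CA (CN=vagrant) generated by the init.pp hunk on this page; `# client certs must be issued directly (SSLVerifyDepth 1) by the dev CA in /etc/ssl/certs/ca.pem` would send a reader to the right place. The VirtualHost/Location tags appear to have been stripped from this page, so the nesting around `Require all granted` / `require ssl` cannot be checked here.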
@@ -220,5 +220,11 @@ describe Grid5000::Router do
     request = double(Rack::MockRequest, :env => {})
     expect(Grid5000::Router.uri_to(request, "/sites/rennes/internal/oarapi/jobs/374172.json", :out)).to eq "http://api-out.local/sid/sites/rennes/internal/oarapi/jobs/374172.json"
   end
-
+
+  it "should take into account tls options" do
+    Api::Application::CONFIG["uri_out_verify_peer"] = true
+    Api::Application::CONFIG["uri_out_private_key_file"] = "/etc/ssl/certs/private/api.out.local.pem"
+    expect(tls_options_for("https://api-out.local/", :out)).to include ({private_key_file: "/etc/ssl/certs/private/api.out.local.pem"} )
+    expect(tls_options_for("https://api-out.local/", :out)).to include ({verify_peer: true} )
+  end
 end
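Review bot: The new example writes `Api::Application::CONFIG["uri_out_verify_peer"]` and `["uri_out_private_key_file"]` and never restores them, so those values leak into every later example in the run; if `CONFIG` is a plain Hash, a describe-level `before { @saved_config = Api::Application::CONFIG.dup }` with `after { Api::Application::CONFIG.replace(@saved_config) }` (or a targeted delete of the two keys) keeps the example self-contained. `tls_options_for(...)` is also called bare here, while the example just above calls `Grid5000::Router.uri_to` with its receiver; unless something mixes the helper into this spec the bare call raises NoMethodError, and `Grid5000::Router.tls_options_for` is the form the file already uses. Since the router.rb hunk on this page copies only truthy values, an assertion on a configured `false` (kept or dropped) would pin whichever behaviour is intended.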