Atozed Forums
SSLOptions CipherList and TLS - Printable Version




SSLOptions CipherList and TLS - Craig Burke - 02-05-2020

Hi there,


To start off, I know nothing about SSL or TLS.  We have a couple of clients that have requested to add SSL to our Webserver app. The clients are providing access to documents for their customers and will have no control over browser usage.

I am using XE7, IW 14.2.12 and I am trying to run the StandAloneSSL demo.
Downloaded the OpenSSL dll's 1.02q and placed them in the folder with the freshly compiled StandAloneSSL.exe.

With all browsers I am getting the error; this test was with Firefox:

Error code: SSL_ERROR_UNSUPPORTED_VERSION
This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox. Enabling TLS 1.0 and TLS 1.1 might allow this connection to succeed.

TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.


The question is what should I assign to the CipherList and/or SSLVersions?

TIA,
Craig


RE: SSLOptions CipherList and TLS - rlebeau - 02-06-2020

(02-05-2020, 04:45 PM)Craig Burke Wrote: Downloaded the OpenSSL dll's 1.02q

Why not the latest - 1.0.2.u?

(02-05-2020, 04:45 PM)Craig Burke Wrote: The question is what should I assign to the CipherList and or SSLVersions?

Leave the CipherList blank to use the DLL's default ciphers.

Set the SSLVersions to [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2] (or whatever the IntraWeb equivalent is).  IntraWeb uses Indy, and by default Indy enables only sslvTLSv1 (TLS 1.0).


RE: SSLOptions CipherList and TLS - jeroen.rottink - 02-06-2020

Hi Craig,

The demo is quite old and configured for using SSLv3.
Open ServerController and change the property IWServerController.SSLOptions.SSLVersion to TLSv12. This is also the default for newly created projects.

The event handler IWServerControllerBaseAfterCreateIOHandler can also be removed. Not needed. I am not even sure if it gets called.

After that the browser will still give you an error on validating the self-signed certificate. Create your own with one of many instructions on the internet.
Indy and IntraWeb are not a problem to create a secure TLS 1.2 connection between your application and the browser.


RE: SSLOptions CipherList and TLS - Craig Burke - 02-06-2020

(02-06-2020, 10:35 AM)jeroen.rottink Wrote: Hi Craig,

The demo is quite old and configured for using SSLv3.
Open ServerController and change the property IWServerController.SSLOptions.SSLVersion to TLSv12. This is also the default for newly created projects.

The event handler IWServerControllerBaseAfterCreateIOHandler can also be removed. Not needed. I am not even sure if it gets called.

After that the browser will still give you an error on validating the self-signed certificate. Create your own with one of many instructions on the internet.
Indy and IntraWeb are not a problem to create a secure TLS 1.2 connection between your application and the browser.

Thanks Jeroen, I will check it out!

- Craig

(02-06-2020, 01:01 AM)rlebeau Wrote:
(02-05-2020, 04:45 PM)Craig Burke Wrote: Downloaded the OpenSSL dll's 1.02q

Why not the latest - 1.0.2.u?

(02-05-2020, 04:45 PM)Craig Burke Wrote: The question is what should I assign to the CipherList and or SSLVersions?

Leave the CipherList blank to use the DLL's default ciphers.

Set the SSLVersions to [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2] (or whatever the IntraWeb equivalent is).  IntraWeb uses Indy, and by default Indy enables only sslvTLSv1 (TLS 1.0).

Hi Remy,

Ok, downloaded and using 1.0.2.u.

Any issues with allowing the client to define the CipherList via an .ini file?

Thanks,
-Craig


RE: SSLOptions CipherList and TLS - rlebeau - 02-07-2020

(02-06-2020, 06:44 PM)Craig Burke Wrote: Any issues with allowing the client to define the CipherList via an .ini file?

No, not if the user knows how to define ciphers properly and securely.
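
An added illustration of the answer above, not code from this thread, Indy or IntraWeb: one way to vet a CipherList value read from an .ini file before it is used, falling back to a blank list (the DLL defaults) when it fails. The allowlist policy, the `SafeCipherList` name and the `[SSL]` / `CipherList` ini names are assumptions of this example.

```delphi
program CipherListFromIni;
{$APPTYPE CONSOLE}
uses
  System.SysUtils, System.StrUtils, System.Classes, System.IniFiles;

const
  // Assumed policy for this example: the only keywords and suite-name parts
  // an .ini value may enable. Anything else rejects the whole list.
  Allowed: array[0..12] of string = ('HIGH', 'ECDHE', 'DHE', 'RSA', 'ECDSA',
    'AES', 'AES128', 'AES256', 'AESGCM', 'GCM', 'SHA', 'SHA256', 'SHA384');

// Returns Value if it passes the policy, otherwise '' so the caller leaves
// SSLOptions.CipherList blank and the OpenSSL DLL defaults apply.
function SafeCipherList(const Value: string): string;
var
  Item, Part: string;
  HasNoANull: Boolean;
begin
  Result := '';
  HasNoANull := False;
  for Item in Value.Split([':', ',', ' ']) do
  begin
    if Item = '' then Continue;
    if SameText(Item, '!aNULL') then HasNoANull := True;
    // '!' and '-' entries only remove ciphers; '@STRENGTH' only sorts them.
    if Item.StartsWith('!') or Item.StartsWith('-') or SameText(Item, '@STRENGTH') then Continue;
    for Part in Item.Split(['-', '+']) do
      if (Part <> '') and (IndexText(Part, Allowed) < 0) then Exit;
  end;
  // HIGH in OpenSSL 1.0.2 still contains anonymous-DH suites, so an explicit
  // !aNULL is required before the list is accepted.
  if HasNoANull then Result := Value;
end;

var
  Ini: TMemIniFile;
  Lines: TStringList;
begin
  // Constructed sample .ini content; section and key names are hypothetical.
  Lines := TStringList.Create;
  Ini := TMemIniFile.Create('');
  try
    Lines.Text := '[SSL]' + sLineBreak + 'CipherList=HIGH:!aNULL:!MD5';
    Ini.SetStrings(Lines);
    Writeln('from ini: "', SafeCipherList(Ini.ReadString('SSL', 'CipherList', '')), '"');
    Writeln('with RC4: "', SafeCipherList('HIGH:RC4-SHA:!aNULL'), '"');
  finally
    Ini.Free;
    Lines.Free;
  end;
end.
```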


RE: SSLOptions CipherList and TLS - Craig Burke - 02-07-2020

(02-07-2020, 01:16 AM)rlebeau Wrote:
(02-06-2020, 06:44 PM)Craig Burke Wrote: Any issues with allowing the client to define the CipherList via an .ini file?

No, not if the user knows how to define ciphers properly and securely.

Thanks Remy!