TIdCustomHTTPServer and SSLBlackbox

#6675
Posted: 06/18/2008 20:55:43
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

I've currently got an application with a built-in web server implemented by TIdCustomHTTPServer in Indy 10 on RAD Studio 2007. I would like to secure that web server with SSL. A bit of surfing has not given me any clear answer on whether this is even possible using only Indy and it certainly looks very complicated. Can SSLBlackbox be used to solve this problem? Also, if I were able to solve the problem with SSLBlackbox, would there be any export restrictions?

Thanks,
Kevin Donn
#6677
Posted: 06/19/2008 00:48:47
by Ken Ivanov (EldoS Corp.)

SSL support can be plugged into Indy components via I/O handler classes. Please see the Samples\Delphi\SSLBlackbox\Server\Indy\IOHandler10 sample for details.
#17927
Posted: 10/18/2011 09:32:39
by Nicklas Bergfeldt (Standard support level)
Joined: 12/04/2007
Posts: 19

The sample is great, but how do I get it to allow TLS connections (and not only SSL3)?
- When I try to only enable TLS1 Chrome says "Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error."

If I enable "SSL3" and "TLS1" Chrome connects with "SSL v3.0" and says something about the server software being old because a reconnection was needed...
- Do you know anything about this?

I want to be able to create an HTTPS server that Chrome does not think is obsolete :-)
#17928
Posted: 10/18/2011 09:41:48
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Are you sure that TLS1 is enabled in your Chrome? Maybe some setting forces SSL v3.0 to be established. Have you tried another browser?

BTW, we have TElHTTPSServer component that can be used to build a custom HTTP(S) server.
#17931
Posted: 10/18/2011 14:09:26
by Nicklas Bergfeldt (Standard support level)
Joined: 12/04/2007
Posts: 19

I have tried to connect to our IIS-server using the same Chrome browser and that says "TLS 1.0" and the same Chrome browser does not say anything about "old software" when connecting to our IIS-server.

Hence I'd say it's the server implementation that's faulty (the same Chrome browser works against our IIS-server).

Does it work for you?
Could you send me your demo implementation so that I may try?


Also, I have tried the demo using TElHTTPSServer ("SecureBlackbox\Samples\Delphi\HTTPBlackbox\Server\HTTPSServer") but that does not work at all:
- Browser error: "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL-protocol error."
- Application logged error in log window row 1: "SSL error: 75789, fatal: true, remote: false"
- Application logged error in log window row 2: "Connection closed: 2"
#17932
Posted: 10/19/2011 01:04:14
by Eugene Mayevski (EldoS Corp.)

Quote
Nicklas Bergfeldt wrote:
If I enable "SSL3" and "TLS1" Chrome connects with "SSL v3.0" and says something about the server software being old because a reconnection was needed...


Could you post the exact message here? My guess is that Chrome wants to see a reconnection extension, added last November (a year ago) to prevent a certain SSL attack. SecureBlackbox supports this extension, yet it's part of TLS 1.1, not even 1.0.

Quote
Nicklas Bergfeldt wrote:
Hence I'd say it's the server implementation that's faulty (the same Chrome browser works against our IIS-server).


A lost coin should be searched for where you've dropped it and not where the light falls on the ground. Yet it's a common mistake among our users to come to us complaining just because we are easier to reach than the person or company that must be contacted.


Sincerely yours
Eugene Mayevski
#17933
Posted: 10/19/2011 01:06:13
by Eugene Mayevski (EldoS Corp.)

Also, please specify the exact version of Delphi and SecureBlackbox that you are using.


Sincerely yours
Eugene Mayevski
#17934
Posted: 10/19/2011 01:32:42
by Nicklas Bergfeldt (Standard support level)
Joined: 12/04/2007
Posts: 19

I'm using Delphi 2010 and SecureBlackbox 9.0.203 and the message I got yesterday was:
Quote
Your connection to localhost is encrypted with 256-bit encryption.

The connection uses SSL 3.0.

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and RSA as the key exchange mechanisms.

The connection is not compressed.

The connection had to be retried using SSL 3.0. This typically means that the server is using very old software and may have other security issues.

The server does not support the TLS renegotiation extension.


Now, today I get this:
Quote
Your connection to localhost is encrypted with 256-bit encryption.

The connection uses TLS 1.0.

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and RSA as the key exchange mechanisms.

The connection is not compressed.


So, I guess all is OK then... I'll contact you again if I get the previous message back.
- Thank you for always providing good support!