A customer of ours recently had a security audit performed on his IntraWeb application. The only relevant finding was that IntraWeb's HTTPS mode allows SSL 1.0/2.0 connections. Exploits exist for SSL 1.0/2.0, which may affect the security of systems that accept those versions.

By default, HTTPS-enabled IntraWeb servers accept any SSL client version from 1.0 upward. To allow only SSL 3.0 in your HTTPS-enabled IntraWeb application, add the following lines of code to your ServerController's OnCreate event:

Note: This only applies to IntraWeb StandAlone applications. If you are using IIS or any other Web server (ISAPI, DSO or .NET assembly mode), please refer to your Web server's manual for how to set the available SSL modes. HTTPS is not available with IntraWeb evaluation versions.

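uses
  IWInit, IWGlobal, IWHTTPServer;

procedure TIWServerController.IWServerControllerBaseCreate(Sender: TObject);
begin
  // Only applies when the StandAlone HTTPS listener exists
  if assigned(GHTTPServer) and assigned(GHTTPServer.HTTPS) then begin
    // Stop the listener before changing its SSL options
    GHTTPServer.HTTPS.Active := false;
    // Restrict the OpenSSL I/O handler to SSL 3.0
    TInServerIOHandlerSSLOpenSSL(GHTTPServer.HTTPS.IOHandler).
      SSLOptions.Method := sslvSSLv3;
    // Restart the listener with the new setting
    GHTTPServer.HTTPS.Active := true;
  end;
end;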
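To confirm the change took effect, you can check that your own server no longer answers an SSL 2.0 handshake. The following Python check is an added example, not part of the original post or of IntraWeb; the function names are made up for illustration, and the host and port are whatever your StandAlone server listens on.

```python
import os
import socket
import struct

# The seven SSL 2.0 cipher kinds (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = bytes.fromhex("010080020080030080040080050080" "060040" "0700c0")
MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4


def build_sslv2_client_hello(challenge=None):
    """Return an SSL 2.0 CLIENT-HELLO record that offers only SSL 2.0."""
    challenge = challenge or os.urandom(16)
    # msg type, client version 0x0002, cipher-spec len, session-id len, challenge len
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(SSLV2_CIPHERS), 0, len(challenge))
    body += SSLV2_CIPHERS + challenge
    # 2-byte record header: high bit set, remaining 15 bits carry the length
    return struct.pack(">H", 0x8000 | len(body)) + body


def is_sslv2_server_hello(reply):
    """True only if the reply is an SSL 2.0 record carrying SERVER-HELLO."""
    if len(reply) < 3 or not reply[0] & 0x80:
        return False  # empty reply, SSL 3.0/TLS alert, or other data
    return reply[2] == MSG_SERVER_HELLO


def accepts_sslv2(host, port, timeout=5.0):
    """Send one SSL 2.0 hello to host:port and report whether it was accepted.

    A failure to connect raises; a reset or timeout after the hello was
    sent counts as a rejection.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_sslv2_client_hello())
            reply = sock.recv(4096)
        except OSError:
            return False
    return is_sslv2_server_hello(reply)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print("SSL 2.0 accepted" if accepts_sslv2(host, port) else "SSL 2.0 rejected")
```

Run it against the server before and after adding the OnCreate code; with the SSL 3.0-only setting in place it should report that SSL 2.0 is rejected.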

 
