Hardening your IntraWeb server
Posted by: in Miscellaneous, tags: .net, IntraWeb, ServerController

A customer of ours recently had a security audit performed on his IntraWeb application. The only relevant finding was that IntraWeb's HTTPS mode allows SSL 1.0/2.0 connections. There are exploits for SSL 1.0/2.0 that may affect the security of systems using them.
By default, HTTPS-enabled IntraWeb servers accept any SSL client version from 1.0.

Note: This only applies to IntraWeb StandAlone applications. If you are using IIS or any other Web server (ISAPI, DSO or .NET assembly mode), please see your Web server's manual for how to set the available SSL modes. HTTPS is not available with IntraWeb evaluation versions.

To allow only SSL 3.0 with your HTTPS-enabled IntraWeb application, add the following lines of code to your ServerController's OnCreate event:
uses
  IWInit, IWGlobal, IWHTTPServer;

procedure TIWServerController.IWServerControllerBaseCreate(Sender: TObject);
begin
  if assigned(GHTTPServer) and assigned(GHTTPServer.HTTPS) then begin
    // Deactivate the HTTPS listener before changing its SSL options
    GHTTPServer.HTTPS.Active := false;
    // Restrict the OpenSSL I/O handler to SSL 3.0
    TInServerIOHandlerSSLOpenSSL(GHTTPServer.HTTPS.IOHandler).SSLOptions.Method :=
      sslvSSLv3;
    // Reactivate the listener so the new setting takes effect
    GHTTPServer.HTTPS.Active := true;
  end;
end;
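
To confirm the change took effect, the following added Python example (not part of the original post and not IntraWeb code) sends an SSL 2.0 CLIENT-HELLO to a server you operate and reports whether it answers with an SSL 2.0 SERVER-HELLO. It checks SSL 2.0 only; the function names and result labels are assumptions of this example.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) offered in the probe.
SSLV2_CIPHERS = bytes.fromhex("010080" "030080" "0700c0" "060040")

def build_sslv2_client_hello(challenge=None):
    """Return a CLIENT-HELLO record that offers only protocol version 0x0002."""
    challenge = challenge or os.urandom(16)
    # msg type, version, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", 0x01, 0x0002, len(SSLV2_CIPHERS), 0, len(challenge))
    body += SSLV2_CIPHERS + challenge
    # Two-byte record header: high bit set, then a 15-bit body length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_response(data):
    """Classify the first bytes a server sends back to the SSLv2 probe."""
    if len(data) >= 7 and data[0] & 0x80 and data[2] == 0x04 and data[5:7] == b"\x00\x02":
        return "sslv2-accepted"        # SERVER-HELLO carrying version 0x0002
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "refused-with-alert"    # SSL 3.0/TLS alert record
    if not data:
        return "refused-no-reply"      # closed without answering
    return "refused-other"             # anything else, e.g. an SSLv2 error message

def probe(host, port=443, timeout=5.0):
    """Send the probe to host:port and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv2_client_hello())
            return classify_response(sock.recv(64))
    except (ConnectionResetError, socket.timeout):
        return "refused-no-reply"

if __name__ == "__main__":
    # Constructed SERVER-HELLO prefix (not captured traffic), classified offline.
    print(classify_response(bytes.fromhex("800b0400010002000000000000")))
```

Run probe() against your own StandAlone server before and after the change to compare the results.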
