If you are using SSL with your IntraWeb Standalone applications, then you might consider allowing SSL version 3 only, as there are exploits for version 2 and below. This article describes how to limit your server to SSL version 3.

If you are transferring sensitive data between your IntraWeb server and your clients' web browsers, then you should think about using SSL / HTTPS to encrypt the transmitted data. Unfortunately there are SSL exploits for SSL Version 2 which, simply put, make SSL V2 useless (in terms of security). SSL Version 3 does not suffer from these exploits, and it is highly recommended to use SSLV3 only.

There are efforts by Web browser vendors to accept SSLV3 connections only, but as you cannot control what the user is using, you should restrict your server to SSLV3 only.

If you are using SSL/HTTPS with your IntraWeb application, then there are two cases to consider:

  1. IntraWeb application deployed as ISAPI dll (or DSO).
    In ISAPI/DSO mode IntraWeb does not handle the SSL/HTTPS communication itself; this is the responsibility of the hosting Web server. In other words, you have to read the manual of your Web server to find out how to make sure that only SSLV3 is used. Information for IIS is found here.
  2. IntraWeb application deployed as standalone executable.
    By default IntraWeb offers SSLV2 and SSLV3 to client web browsers. To restrict the server to SSL V3 you have to follow the steps at the bottom of this article.

The next version of IntraWeb will restrict to SSLV3 by default.

Restricting an IntraWeb Standalone to SSL V3

A while ago I already blogged about how to restrict to SSL V3. Due to a change in IntraWeb 9.0, you have to apply the code a bit differently than advised in my old post. Please add the lines marked in blue in the original post (the `if assigned(GHTTPServer) ...` block; the InSSLOpenSSL unit must also be in the uses clause) to your DPR file, as shown in the example below.

program StandAloneSSL;

uses
  Forms,
  IWMain,
  IWHTTPServer,
  InSSLOpenSSL,
  ServerController in 'ServerController.pas' {IWServerController: TIWServerController},
  Main in 'Main.pas' {IWForm1: TIWFormModuleBase},
  SecureForm in 'SecureForm.pas' {IWForm2: TIWAppForm},
  NonSecureForm in 'NonSecureForm.pas' {IWForm3: TIWAppForm};

{$R *.res}

begin
  Application.Initialize;
  Application.CreateForm(TformIWMain, formIWMain);
  // Restrict the standalone HTTPS server to SSL V3. The HTTPS server is
  // deactivated while the SSL method of its IO handler is changed, then
  // reactivated so the new setting takes effect.
  if assigned(GHTTPServer) and assigned(GHTTPServer.HTTPS) then
  begin
    GHTTPServer.HTTPS.Active := false;
    TInServerIOHandlerSSLOpenSSL(GHTTPServer.HTTPS.IOHandler).SSLOptions.Method := sslvSSLv3;
    GHTTPServer.HTTPS.Active := true;
  end;
  Application.Run;
end.
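After applying the change, it is worth verifying against your own standalone server that an SSL V2 handshake is now refused while SSL V3 is still accepted. The following Python script is an added example for this post, not IntraWeb or Indy code: it sends a raw SSLv2 CLIENT-HELLO and a minimal SSLv3 ClientHello to a host and port you supply (the default "localhost:443" is an assumption) and classifies the first bytes the server returns. The record and message layouts follow the SSL 2.0 and SSL 3.0 specifications; the cipher kinds offered are just enough to elicit a ServerHello from a server that still speaks the protocol.

```python
"""Check whether a server still answers SSLv2 (it should not) and SSLv3 (it should).

Added example for this post, not IntraWeb code. Run: python sslv2check.py host port
"""
import os
import socket
import struct

# SSLv2 message types (SSL 2.0 specification)
SSL2_MSG_ERROR = 0x00
SSL2_MSG_CLIENT_HELLO = 0x01
SSL2_MSG_SERVER_HELLO = 0x04

# Seven SSLv2 cipher kinds (3 bytes each), e.g. 01 00 80 = RC4-128-MD5
SSL2_CIPHER_KINDS = bytes.fromhex("010080020080030080040080050080060040" "0700c0")


def build_sslv2_client_hello(challenge: bytes = None) -> bytes:
    """SSLv2 CLIENT-HELLO wrapped in the 2-byte SSLv2 record header."""
    challenge = challenge or os.urandom(16)
    body = (bytes([SSL2_MSG_CLIENT_HELLO]) + b"\x00\x02"          # client version 2.0
            + struct.pack(">HHH", len(SSL2_CIPHER_KINDS), 0, len(challenge))
            + SSL2_CIPHER_KINDS + challenge)                      # no session id
    header = struct.pack(">H", 0x8000 | len(body))               # high bit: no padding
    return header + body


def build_sslv3_client_hello(random32: bytes = None) -> bytes:
    """Minimal SSLv3 ClientHello (record type 0x16, version 3.0)
    offering 3DES-EDE-CBC-SHA (0x000a) and RC4-SHA (0x0005)."""
    random32 = random32 or os.urandom(32)
    ciphers = b"\x00\x0a\x00\x05"
    hello = (b"\x03\x00" + random32 + b"\x00"                     # version, random, empty session id
             + struct.pack(">H", len(ciphers)) + ciphers
             + b"\x01\x00")                                       # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake type 1 = ClientHello
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake


def classify_sslv2_response(data: bytes) -> str:
    """'accepted' if the server answered with an SSLv2 SERVER-HELLO, else 'refused'/'unknown'."""
    if not data or data[0] == 0x15:            # closed connection, or an SSLv3/TLS alert record
        return "refused"
    if data[0] & 0x80 and len(data) >= 3:      # SSLv2 record header, message type at data[2]
        msg_type = data[2]
        # SERVER-HELLO: type, session-id-hit, cert-type, then server version at data[5:7]
        if msg_type == SSL2_MSG_SERVER_HELLO and len(data) >= 7 and data[5:7] == b"\x00\x02":
            return "accepted"
        if msg_type == SSL2_MSG_ERROR:
            return "refused"
    return "unknown"


def classify_sslv3_response(data: bytes) -> str:
    """'accepted' if a 3.0 handshake record carrying a ServerHello (type 2) came back."""
    if len(data) >= 6 and data[0] == 0x16 and data[1:3] == b"\x03\x00" and data[5] == 0x02:
        return "accepted"
    if not data or data[0] == 0x15:
        return "refused"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send both probes on fresh connections and report the server's behaviour."""
    results = {}
    for name, hello, classify in (
        ("sslv2", build_sslv2_client_hello(), classify_sslv2_response),
        ("sslv3", build_sslv3_client_hello(), classify_sslv3_response),
    ):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(hello)
                data = s.recv(4096)
        except OSError:                        # refused, reset or timed out: nothing offered
            data = b""
        results[name] = classify(data)
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumption: your own server
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(host, port))
```

Run it before and after the DPR change: a server that still offers SSL V2 reports `{'sslv2': 'accepted', 'sslv3': 'accepted'}`, while the restricted server should report `'sslv2': 'refused'` with SSL V3 still accepted. Only probe servers you operate.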
