Hardening IntraWeb 9.0 with SSL Version 3
Posted in Miscellaneous; tags: IntraWeb, ServerController

If you are using SSL with your IntraWeb standalone applications, you should consider allowing SSL version 3 only: SSL version 2 has known protocol weaknesses and working attacks against it exist. This article describes how to limit your server to SSL version 3.
If you transfer sensitive data between your IntraWeb server and your clients' web browsers, you should use SSL/HTTPS to encrypt the transmitted data. Unfortunately SSL version 2 has well-known protocol flaws (its handshake is not authenticated, so an attacker in the middle can force the weakest cipher both sides support, and its MAC construction is weak), which, simply put, make SSL v2 useless in terms of security. SSL version 3 does not suffer from these flaws, and it is highly recommended to accept SSL v3 only.

Browser vendors are moving towards SSL v3 connections only as well, but as you cannot control what your users run, you should restrict your server to SSL v3 yourself.

Since this was written, SSL 3.0 has itself been broken (the POODLE padding-oracle attack, 2014) and prohibited by RFC 7568. The mechanism shown below still applies, but on a current Indy/OpenSSL build the method to select is a TLS one (sslvTLSv1_2 or later), with both SSL 2.0 and SSL 3.0 disabled.
If you are using SSL/HTTPS with your IntraWeb application, there are two cases to consider:
- IntraWeb application deployed as an ISAPI DLL (or DSO). In ISAPI/DSO mode IntraWeb does not handle the SSL/HTTPS communication at all; that is the responsibility of the hosting web server, so you have to consult your web server's documentation on how to allow SSL v3 only. For IIS this is not an IIS setting but a Windows SChannel one: SSL 2.0 is switched off for all server applications by setting the DWORD value Enabled to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server (a reboot is required for the change to take effect).
- IntraWeb application deployed as a standalone executable. Here IntraWeb itself terminates SSL through the bundled Indy/OpenSSL handler. By default IntraWeb offers SSL v2 and SSL v3 to client browsers; to restrict it to SSL v3, follow the steps at the bottom of this article.
The next version of IntraWeb will restrict to SSL v3 by default.
Restricting an IntraWeb Standalone to SSL V3
A while ago I already blogged about how to restrict to SSL v3. Due to a change in IntraWeb 9.0 you have to apply the code a little differently than advised in my old post. Add the InSSLOpenSSL unit to the uses clause and the block that reconfigures GHTTPServer.HTTPS between Application.CreateForm and Application.Run, as shown in the example below. The HTTPS server is stopped and restarted around the assignment because the OpenSSL context is built when it activates; changing the method on a running handler would not take effect. Note also that sslvSSLv3 pins the server to SSL 3.0 exclusively: a TLS-capable client is negotiated down to SSL 3.0 rather than getting TLS, and a client with SSL 3.0 disabled cannot connect at all.
program StandAloneSSL;

uses
  Forms,
  IWMain,
  IWHTTPServer,
  InSSLOpenSSL,   // IntraWeb's bundled Indy SSL handler (TInServerIOHandlerSSLOpenSSL)
  ServerController in 'ServerController.pas' {IWServerController: TIWServerController},
  Main in 'Main.pas' {IWForm1: TIWFormModuleBase},
  SecureForm in 'SecureForm.pas' {IWForm2: TIWAppForm},
  NonSecureForm in 'NonSecureForm.pas' {IWForm3: TIWAppForm};

{$R *.res}

begin
  Application.Initialize;
  Application.CreateForm(TformIWMain, formIWMain);
  // Only a standalone server with HTTPS enabled in the ServerController has
  // an HTTPS server object; under ISAPI/DSO the web server handles SSL.
  if assigned(GHTTPServer) and assigned(GHTTPServer.HTTPS) then
  begin
    // Stop the HTTPS server, select SSL v3 as the only accepted protocol
    // version and start it again so the SSL context is rebuilt with the
    // new method (the default negotiates SSL v2 and SSL v3).
    GHTTPServer.HTTPS.Active := false;
    TInServerIOHandlerSSLOpenSSL(GHTTPServer.HTTPS.IOHandler).SSLOptions.Method := sslvSSLv3;
    GHTTPServer.HTTPS.Active := true;
  end;
  Application.Run;
end.
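To check that the restriction really took effect, the following probe sends a raw SSL 2.0 CLIENT-HELLO and a raw SSL 3.0 ClientHello to the server, on separate connections, and reports which of them is answered with a hello of the same version. It is an added example for this article, not code from the original post, IntraWeb or Indy; Python's own ssl module can no longer speak SSL 2.0/3.0, so the records are built by hand. Host and port are taken from the command line (an assumption of this example), and the sample replies at the end are constructed here, not captured from any real server:

```python
"""Raw SSL 2.0 / SSL 3.0 hello probe (added example; not part of IntraWeb,
Indy or OpenSSL).  Sends a minimal client hello of each version and classifies
the first bytes the server sends back."""
import socket
import struct
import sys

# SSL 2.0 cipher specs, 3 bytes each: RC4_128_WITH_MD5, RC4_128_EXPORT40_WITH_MD5,
# DES_192_EDE3_CBC_WITH_MD5.  Every SSL 2.0 server understood at least one of them.
SSLV2_CIPHER_SPECS = bytes.fromhex("010080" "020080" "0700c0")
# SSL 3.0 cipher suites, 2 bytes each: RSA_WITH_RC4_128_SHA, RSA_WITH_3DES_EDE_CBC_SHA.
SSLV3_CIPHER_SUITES = bytes.fromhex("0005" "000a")


def sslv2_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """CLIENT-HELLO: 2-byte record header (high bit set = no padding, 15-bit
    length), MSG-CLIENT-HELLO (1), version 0x0002, then the three lengths
    (cipher specs, session id = 0, challenge) followed by the data."""
    body = struct.pack("!BHHHH", 1, 0x0002, len(SSLV2_CIPHER_SPECS), 0, len(challenge))
    body += SSLV2_CIPHER_SPECS + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def sslv3_client_hello(client_random: bytes = b"\x22" * 32) -> bytes:
    """ClientHello for version 3.0 inside a handshake record (type 0x16)."""
    hello = struct.pack("!H", 0x0300) + client_random + b"\x00"  # version, random, empty session id
    hello += struct.pack("!H", len(SSLV3_CIPHER_SUITES)) + SSLV3_CIPHER_SUITES
    hello += b"\x01\x00"                                         # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0300, len(handshake)) + handshake


def classify_sslv2_reply(data: bytes) -> str:
    """'accepted' only if the reply is an SSL 2.0 SERVER-HELLO (message type 4)."""
    if len(data) >= 7 and data[0] == 0x15 and data[1] == 0x03:
        return "rejected: TLS/SSLv3 alert %d" % data[6]         # server answered in a newer protocol
    if len(data) >= 7 and data[0] & 0x80:                        # 2-byte SSL 2.0 record header
        if data[2] == 4:
            (version,) = struct.unpack("!H", data[5:7])          # after session-id-hit and cert-type
            return "accepted" if version == 0x0002 else "rejected: SERVER-HELLO version 0x%04x" % version
        if data[2] == 0:
            return "rejected: SSLv2 ERROR message"
    return "rejected: no SSLv2 hello (connection closed or unexpected bytes)"


def classify_sslv3_reply(data: bytes) -> str:
    """'accepted' only if the reply is a ServerHello that negotiated version 3.0."""
    if len(data) >= 7 and data[0] == 0x15:                       # alert record (e.g. protocol_version = 70)
        return "rejected: alert %d" % data[6]
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:  # handshake record carrying a ServerHello
        (version,) = struct.unpack("!H", data[9:11])
        return "accepted" if version == 0x0300 else "rejected: ServerHello version 0x%04x" % version
    return "rejected: no hello (connection closed or unexpected bytes)"


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """One fresh connection per protocol version; a reset, refusal or timeout
    counts as a rejection just like an explicit alert."""
    results = {}
    for name, hello, classify in (
        ("SSLv2", sslv2_client_hello(), classify_sslv2_reply),
        ("SSLv3", sslv3_client_hello(), classify_sslv3_reply),
    ):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(hello)
                reply = sock.recv(4096)
        except OSError:
            reply = b""
        results[name] = classify(reply)
    return results


# Constructed sample replies (not captured from any real server) for offline checks.
SAMPLE_SSLV2_SERVER_HELLO = (
    b"\x80\x1e"                  # record header, 30-byte body
    b"\x04\x00\x01"              # MSG-SERVER-HELLO, session-id-hit 0, certificate type X.509
    b"\x00\x02"                  # SERVER-VERSION 2
    b"\x00\x00\x00\x03\x00\x10"  # certificate length 0, cipher-specs length 3, connection-id length 16
    b"\x01\x00\x80" + b"\x00" * 16
)
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"      # handshake record, version 3.0, 42-byte body
    b"\x02\x00\x00\x26"          # ServerHello, 38-byte body
    b"\x03\x00" + b"\x33" * 32 + b"\x00\x00\x05\x00"  # version, random, no session id, RC4-SHA, null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"  # fatal protocol_version alert

if __name__ == "__main__":
    if len(sys.argv) == 3:
        for proto, verdict in probe(sys.argv[1], int(sys.argv[2])).items():
            print(f"{proto}: {verdict}")
    else:
        print("usage: sslprobe.py HOST PORT; offline self-check follows")
        print("SSLv2 sample:", classify_sslv2_reply(SAMPLE_SSLV2_SERVER_HELLO))
        print("SSLv3 sample:", classify_sslv3_reply(SAMPLE_SSLV3_SERVER_HELLO))
        print("alert sample:", classify_sslv3_reply(SAMPLE_PROTOCOL_VERSION_ALERT))
```

Run it against the standalone server after applying the change above: for the setup described in this article the SSLv2 probe must be rejected and the SSLv3 probe accepted; against a server hardened to today's standard both probes should be rejected. If you still have an OpenSSL build that includes SSLv2, `openssl s_client -ssl2 -connect host:port` failing to complete a handshake gives the same confirmation.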

Do you know why I get an error like "…port 10048 is already in use…"? I opened a demo project from the IntraWeb demos…
Go to ServerController and set the port to some other value.
–
Regards,
Olaf Monien
—————————
EDV-Beratung Monien
CodeGear Technology Partner
olaf@monien.net
http://www.monien.net/blog
http://www.DelphiExperts.net
—————————
Thanks a lot. But you know, it's really strange, because my port was 443 (the standard port for the SSL protocol), but the error message says 10048.
However, now I have another problem: I cannot run my project in secure mode on the IIS web server.
My web application works properly in standalone mode (for this mode I put libeay32.dll and ssleay32.dll in the same folder, and also cert.pem, key.pem and root.pem from the IntraWeb 10 demo project).
But standalone is only for testing; my web application has to work as an ISAPI DLL on our server.
I put the ISAPI DLL in the web site folder together with the other files (libeay32.dll, ssleay32.dll, cert.pem, key.pem, root.pem).
Then on a remote computer I typed the address of my DLL. The first page opens, but in a click event I use this code:
WebApplication.SwitchToSecure;
When this line executes my IntraWeb application hangs… I can see my page with the busy indicator.
Can you help me? It is one of the important requirements (transferring data through a protected channel), but it doesn't work under IIS now…
Best Regards,
Eugene
SSL with IIS means that IIS is responsible for the SSL handling. The SSL DLLs and ports are not used by IW under IIS SSL.
Make sure that your IIS has the SSL certificate set up correctly and that it displays a simple static HTML page correctly via https://….
Regards,
Olaf Monien
On 30.11.2009 at 15:24 Disqus wrote:
Olaf, thanks a lot. Your help is always very useful.
My project is working now. The important thing: if I use IIS I have to add the certificate (the one I used when creating key.pem, root.pem and cert.pem) to my web site.
I use a certificate created by myself (with makecert from Microsoft). Of course, in this case the web browser shows alert messages that my certificate was not issued by a certification authority. But that is only for now, while I am testing SSL in IntraWeb.
And one more thing. Now, when my ISAPI DLL uses SSL, switching to secure mode takes a very long time (about 1.5 to 2 minutes). Why does this happen?
Maybe it happens because I use an invalid certificate (created by me)? The server tries to verify it and that takes a lot of time?
Best Regards,
Eugene
If you have many images, then SSL will be "expensive". Images will be encrypted as well, and they won't be cacheable.
Regards,
Olaf Monien
Maybe you are right, but not in my case, I think. I have to explain:
- run my project as an ISAPI DLL and press the OK button -> wait 2 min 8 sec -> the app switches to secure mode.
- create a simple project with one button and two forms, compile it to an ISAPI DLL, run it and press the button -> wait 2 min 8 sec -> the app switches to secure mode.
When I do not use SSL this delay (2 min 8 sec) is absent entirely.
What can it be? Maybe I have to turn something off (or on) on the web server (IIS)?
Best Regards,
Eugene
What happens if you start in SSL mode directly?
https://yourdomain.com/yourisapi.dll
instead of:
http://yourdomain.com/yourisapi.dll
Regards,
Olaf Monien
If I use https immediately (https://mydomain.com/myisapi.dll) all is OK (for the simple application there is no delay; for my project 15 sec).
Does that mean I have to use https from the first page? Do you know why it happens when I use non-secure mode first?
Honestly, I have no idea what might happen there.
Regards,
Olaf Monien
Anyway, it's working. I think that using SSL from the first page is not a problem.
You know, I looked into my cache directory and I was surprised, because I found many *.tmp files in it.
These files are pictures. Maybe it sounds strange, but IntraWeb caches the same files under different names!
For example, in the session temp folder I have three files: JPG1E7D.tmp, JPG1E80.tmp, JPG1E82.tmp, JPG1E84.tmp.
These files are the same but have different names. As I understood it, IntraWeb creates a file when the page reloads.
But the very bad thing is that, as I understand it, IntraWeb does not serve the old files from the cache and rename them; IntraWeb downloads the file from the server again! Traffic grows, speed drops and as a result the IntraWeb application works slowly (particularly in SSL mode).
Is that true? How does the cache algorithm work?
Sorry that I ask so many questions, but I can't find answers to them in the documentation.
Thanks a lot for your help.
Best Regards,
Eugene
Images will ALWAYS be re-requested by the browser IF IN SSL mode. This is a security feature and not related to IntraWeb.
If you see image files in the cache folder, then you are probably using TIWImage. These are "dynamic" images, which are kept in memory on the server side. Every page render creates a new cache file, which is used to present the actual image to the browser.
If you actually have static images, use TIWImageFile instead. That puts much less pressure on your server.
Regards,
Olaf Monien
I understand.
You know, I use different types of images: images in my template, images in TIWImage, and I use AdvancedImageButtons (by TMS Software).
The TMS buttons have four different states and each state has its own image. Sometimes these buttons work slowly.
Olaf, thank you for your answers. It's very important information.
I have only one more question for you:
In ServerController I can set the parameter SessionTimeout. I did not change it and kept the default (10 min).
When the application runs under the standalone server all cached files are removed when the session terminates (by timeout).
But when the project runs under IIS, cache files are removed only when I use Terminate(); if not (closing the web browser, for example), the cached files are not deleted from the folder.
After, for example, one day of using the service I can see many different folders with files in the temporary cache folder. As a result I have to monitor this folder and delete files manually every day, otherwise free space will run out and the server will go down.
I looked in the IIS configuration and it has a timeout parameter only for ASP projects.
Can you explain where my mistake is?
Best Regards,
Eugene