SSL Security and Xojo Cloud

  1. 9 months ago

    Greg O

    17 Mar 2017 Xojo Inc Somewhere near Raleigh, NC

    Hey everyone. I wanted to bring up a topic that some of you have asked us from time to time about security on Xojo Cloud.

    Yesterday we applied patches to all of your servers to take care of many of the warnings and errors reported by the SSL Certificate verifiers that are used around the web. The one that we did not fix yesterday has to do with the SSLv3 protocol. The reason we haven't done this yet is that the ConnectionType property of SSLSocket and all of its derivatives (HTTPSecureSocket, SMTPSecureSocket, POP3SecureSocket) in Xojo framework prior to 2014r3 defaulted to using SSLv3. Flipping this switch without notice could silently break your sites.

    So here's what we're going to do. We've decided that SSLv3 support is deprecated for Xojo Cloud as of now and the servers will be updated on August 1st, 2017 such that they will stop accepting SSLv3 connections altogether. If you have any client applications which interface with your web apps on Xojo Cloud, please update them so that they use at least TLSv1.

  2. Tomas J

    17 Mar 2017 Pre-Release Testers, Xojo Pro Europe (Germany)

    good move

  3. Tony B

    26 Mar 2017 Pre-Release Testers, Xojo Pro Sydney, Australia

    Excellent Greg. Very timely and good.

    Regards,
    Tony Barry

  4. Steve K

    28 Mar 2017 Pre-Release Testers, Xojo Pro Topeka, KS

    Is there a way to go ahead and force this on one of our Xojocloud servers so we can test third party software that will be accessing our server?

  5. Jeff H

    28 Mar 2017 Pre-Release Testers, Xojo Pro

    Going along with what Steve is asking, is there a property that gets the connection type that the client is using so we would know an application that is hitting an app needs to be upgraded?

    Self.security.connectiontype is a property to set on the application, but I have not found anything in WebRequest or WebSession that provides the information I'm looking for.

  6. 8 months ago

    Greg O

    11 Apr 2017 Xojo Inc Somewhere near Raleigh, NC

    Ok, so here's what we've done...

    First of all, we tested both the Classic Framework HTTPSecureSocket with a ConnectionType of TLSv1, 1.1 and 1.2 and a Xojo.Net.HTTPSocket against a Xojo Cloud server which has been set up with the new security protocols. All of these scenarios worked just fine.

    If you want to test this yourself, you can access that same Xojo Cloud server using the following URL:

    https://ssltest.xojo.com/ssltest.txt

    If you get a good connection, you'll get the string "Yea, it worked!"

  7. Greg O

    11 Apr 2017 Xojo Inc Somewhere near Raleigh, NC

    @Jeff H Going along with what Steve is asking, is there a property that gets the connection type that the client is using so we would know an application that is hitting an app needs to be upgraded?

    Self.security.connectiontype is a property to set on the application, but I have not found anything in WebRequest or WebSession that provides the information I'm looking for.

    No, you can't tell how the client connected from within the web app.
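
The protocol version a client offers is visible in the first bytes it sends, even though the web app itself cannot see it. The following is an added example, not code from this thread or from Xojo: it reads the version field of a ClientHello and flags clients that offer nothing newer than SSLv3. How the bytes are captured (for instance by pointing a client at a local listener you control) and all names and sample bytes below are assumptions made for illustration.

```python
import struct

# Wire values of the version field in SSL/TLS hellos. TLS 1.3 clients
# also send 0x0303 here and list 1.3 in an extension.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
MIN_ACCEPTED = 0x0301  # the cutoff from the thread: "at least TLSv1"


def offered_version(data: bytes) -> int:
    """Return the highest version offered in a client's first bytes."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-format hello: 2-byte length, msg type 1, then version.
        return struct.unpack(">H", data[3:5])[0]
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello")
    # TLS record: type(1) version(2) length(2), then handshake:
    # type(1) length(3) client_version(2).
    return struct.unpack(">H", data[9:11])[0]


def needs_upgrade(data: bytes) -> bool:
    """True if the client is refused once SSLv3 is switched off."""
    return offered_version(data) < MIN_ACCEPTED


def describe(data: bytes) -> str:
    v = offered_version(data)
    name = VERSIONS.get(v, f"unknown (0x{v:04x})")
    return f"{name}: {'ok' if v >= MIN_ACCEPTED else 'needs upgrade'}"


def sample_hello(version: int) -> bytes:
    """Constructed sample: start of a TLS-record ClientHello."""
    body = struct.pack(">H", version) + bytes(32)  # version + random
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", min(version, 0x0301), len(hs)) + hs


# Constructed sample: SSLv2-format hello that offers up to TLSv1.
SSLV2_FORMAT = bytes([0x80, 0x1F, 0x01, 0x03, 0x01]) + bytes(28)

if __name__ == "__main__":
    for ver in (0x0300, 0x0301, 0x0303):
        print(describe(sample_hello(ver)))
    print(describe(SSLV2_FORMAT))
```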

  8. Tony B

    11 Apr 2017 Pre-Release Testers, Xojo Pro Sydney, Australia

    Thanks Greg. Much appreciated.

    Regards,
    Tony Barry
    Sydney

  9. 6 days ago

    Amy B

    Dec 12 Pre-Release Testers, Xojo Pro Marietta, Georgia, USA.

    Spotted this post - incredibly helpful! I was having a time of it trying to send a user account update email from a compiled app via SMTP and couldn't figure out why the same app on a different hosting account worked but did not work on Xojo Cloud.

    Count this as today's "Now I Get It" moment (so far).
